WIT / IVO IVANOV Summary Intercepts and Tracking Process During implementation NT Task Manager - it is very useful to implement applications and systems like external processes. The part of interest in the beginning of the new process is a typical problem with the development process monitoring system and full system hook. Win32 API provides a collection of PSAPI and Toolhelp [1]), which allows you to list the process currently running in the system. Although these APIs are very useful, they do not allow you to get notifications when a new process begins or at the end. This article provides an effective and complete technology, in order to complete this goal, it is based on an open interface. Solution is fortunate, NT / 2K provides an API collection, knows "process structure routines" [2] via NtoskRNL output. An API function pssetCreateProcessNotifyRoutine () provides the ability to register all systematic callback functions, each time these callback functions are called when a process begins, exists or has terminated. The API function mentioned above can be used as an easy-to-implement method when the process of pursuing the process by performing a NT core mode driver and user mode Win32 controller. The role of the driver is the execution of the detection process and the notification control program. Requirements ● Provide a simple, effective, reliable, and thread security mechanism for the execution of the monitoring process ● Synchronize problems between drivers and users' applications ● Create a framework for easy-to-use and extended OOP user mode ● Allow callback functions Registration and solution, there is also a dynamic load and uninstalling the capabilities of the core driver. How it works on how to register the core mode driver under HKLM / System / CurrentControlSet / Services, and dynamically load. The core driver then establishes a specified event object, when the new event is triggered (such as the start or end), this event object issues a signal to the user mode. The control program opens the same event object and then builds a listening thread waiting for this event. Next, the user mode's application sends a request to the driver to start monitoring. The driver calls pssetCreateProcessNotifyRoutine (), which accepts two parameters. The entry pointer to the callback program provided by the caller, the responsibility is to accept all the notifications from Windows. A notification that occurs when the callback occurs, the driver issues that signal event is to inform the user mode application saying something happens. The control program then gets the data for that particular event from the driver, and then stores it into a special column container for more processes. If the process is not detected, the user mode å will send a request to the driver to stop monitoring. Then the driver releases the observation mechanism. Later, the control mode application can uninstall the driver and the registration of it. Designing and implementing the NT Mode Driver (Procobsrv) Portal Pingering DRIVERENTRY () (Procobsrv.c) only performs the initialization of the driver. When the driver is loaded, the I / O Manager calls this function. Since PSSetCreateProcessNotifyRoutine () allows the registration call, these callback is the actual process I have registered or solve the registration in the scheduler of the driver. This allows me to dynamically start and stop monitoring by using a separate IOCTL (Control Code IOCTL_PROCOBSRV_ACTIVATE_MONITORING). Once the call is registered, each time a process starts or terminates, the OS will call the processCallback () provided by the user. This function is implanted in a buffer selected by the user mode application. Next, the specified event object signal is issued, so waiting for its user mode application will be notified that there is available information retrieval. Constitl) For simple sake, I decided to provide a simple console application to leave you the implementation of the imaginary GUI element.
Designing a multi-threaded application allows that application to adjust and easier to respond. On the other hand, considering some considerations related to synchronous access information, this information is information provided by publishers (such as core modes) and users (such as control programs). Another important key point is that a test system must be reliable, and it is believed that there is no event missed. In order to simplify the design of the process, first, I need to assign responsibility between different entities in the user mode application, and the responsibility is to process the driver. However, it is not difficult for these questions, but it is not difficult to do [5]: 1. What is the process in the system? 2. What is the role in the frame? 3. Who do, 4. How to cooperate? Below is a UML class diagram, which illustrates the relationship between classes:
CapplicationsCope implements a unit set and contains the main interface of the frame. It exposes two public methods, they start and end monitoring processes: class capplicationscope {... Other Other Details Ignored for the Sake Of Simplicity ... Public: // Initiates Process of Monitoring Process Bool StartMonitoring (PVOID PVAAR); / / Ends up the whole process of monitoring void stopmonitoring ();}; cProcessThreadMonitor is a thread waiting to be created by the driver event. When the process has created or ended, the driver issued this event object signal, and the thread of CProcessThreadMonitor was awakened. The user mode application then retrieves data from the driver. Next, the data is attached to the CQUEUECONTAINER column container that uses its method append (). CQUEUECONTAINER is a thread security queue controller that provides a Monitor / Condition variable mode execution. Its primary purpose is to provide a thread security signal for a corps container. This is how the method append () works: 1. Lock Access to the set of STL queue objects 2. Add data items 3. Send M_EVTELEMENTAVAILABLE Event Object Signals 4. This queue is unlocked its practical implementation: // Insert data into the queueBOOL CQueueContainer :: Append (const QUEUED_ITEM & element) {BOOL bResult = FALSE; DWORD dw = :: WaitForSingleObject (m_mtxMonitor, INFINITE); bResult = (WAIT_OBJECT_0 == dw ); if (bResult) {// Add it to the STL queue m_Queue.push_back (element); // Notify the waiting thread that there is // available element in the queue for processing :: SetEvent (m_evtElementAvailable);} // :: ReleaseMutex (m_mtxmonitor); Return BRESULT;} Since it is a design to make a notification when there is an energy available element, it combines an example of CretreiValthRead, CretreiValthread waits until an element varies in the local memory. . This is its pseudo execution: 1. Wait for M_EVTELEMENTAVAILABLE Event Object 2. Lock access to the STL team object 3. Data item 4 is extracted. Unlock column 5. Handling information that has been retrieved from the column.
This is a method of increasing the time when something into the queue of call: // Implement specific behavior when kernel mode driver // notifies the user-mode appvoid CQueueContainer :: DoOnProcessCreatedTerminated () {QUEUED_ITEM element; // Initially we have at least one element for processing BOOL bRemoveFromQueue = TRUE; while (bRemoveFromQueue) {DWORD dwResult = :: WaitForSingleObject (m_mtxMonitor, INFINITE); if (WAIT_OBJECT_0 == dwResult) {bRemoveFromQueue = (m_Queue.size ()> 0); // Is there anything in the Queue if (BremoveFromqueue) {// get the element from the queue element = m_queue.front (); m_queue.pop_front ();} // if else // let's make suvete the evenethan't been // Left in Signaled State if there is no items // in the queue :: resetEvent (m_evtelementavailable);} // if :: releasemutemutemutex (m_mtxmonitor); // process it only there is an element // That Has Been Pi CKED UP IF (BremoveFromqueue) m_phandler-> onprocessEvent (& Element, m_pvparam); else break;} // while} ccustomThread - Helping management keeps the original thread complexity. I encapsulated all threads related activities in an abstract class. It provides a pure virtual method Run (), and Run () must be performed by any special thread class (such as CretrievalthRead and CProcessThread TMonitor). The CCUSTOM thread is designed to ensure that the thread function is returned when the thread is terminated, which is the only way to ensure that all threads are properly cleaned. It provides a mean to turn off any instance of it by issuing a M_HSHUTDOWNEVENT event signal. CCallbackHandler is an abstract class that provides an interface to perform user-provided behavior when thread has created or terminated. It exposes a pure way to ONPROCESSEVENT (), which must be performed based on system specific requirements. In the sample code, you will see a class CMYCALLBACKHANDLER inheritable from ccallbackhandler, and perform method onprocessevent (). One parameter of the onprocessEvent () method PvParam allows you to deliver any kind of data, that is why it is to declare to PVOID.
