Write processes / thread monitors
Create time: 2003-03-21
Article attribute: original
Article Source:
http://www.whitecell.org
Article submission:
Sinister (jias_at_21cn.com)
Write processes / thread monitors
Author: sinister
Email: SINISTER@whitecell.org
Homepage:
http://www.whitecell.org
(A word first: many friends have asked me how some process/thread monitoring tools are implemented. I wrote this so that those friends can understand it in more depth, and so that I can point to it instead of answering each mail. If you already write NT drivers, you have probably mastered the method described here and can skip it.)
Sometimes we want to dynamically monitor the creation and destruction of any process or thread in the system. To that end I looked through the DDK manual and found that PsSetCreateProcessNotifyRoutine() and PsSetCreateThreadNotifyRoutine() can do it. These two functions monitor processes/threads by registering a callback function with the system. Their prototypes are as follows:
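NTSTATUS
PsSetCreateProcessNotifyRoutine(
    IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
    IN BOOLEAN Remove                 /* TRUE unregisters a routine registered earlier */
    );

/* Invoked on process creation (Create == TRUE) and on process exit (Create == FALSE). */
VOID
(*PCREATE_PROCESS_NOTIFY_ROUTINE)(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    );

NTSTATUS
PsSetCreateThreadNotifyRoutine(
    IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
    );

/* Invoked on thread creation (Create == TRUE) and on thread exit (Create == FALSE). */
VOID
(*PCREATE_THREAD_NOTIFY_ROUTINE)(
    IN HANDLE ProcessId,
    IN HANDLE ThreadId,
    IN BOOLEAN Create
    );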
As the prototypes show, the callback only receives a process ID / thread ID, not the process name. So we have to go one step further and obtain the process name from the process ID. This requires an undocumented function, PsLookupProcessByProcessId(). Its prototype is as follows:
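NTSTATUS
PsLookupProcessByProcessId(
    IN ULONG ulProcId,         /* process id; later DDKs declare this parameter as HANDLE ProcessId */
    OUT PEPROCESS *pEProcess   /* receives a referenced EPROCESS: release it with ObDereferenceObject() */
    );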
The EPROCESS structure returned by this function is also an undocumented kernel process structure; many people call it the KPEB. Offset 0x1FC in the EPROCESS structure is where the current process's name is stored. (Note that this offset is specific to the kernel build the author used and has to be re-checked for any other build.) (This structure is usable inside a driver. The DDK does not define it, but many experts on the Internet have published its layout. Those interested can search for it themselves, or look in the IFS DDK; it is not reproduced here because it is too long.)
With this structure we can obtain the process name. The NT system also provides a function that monitors the images a process loads. With it we can get the names and full paths of the DLLs loaded when a process starts, together with some image information; that gives more detailed process loading information and is a great help. The function is as follows:
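NTSTATUS
PsSetLoadImageNotifyRoutine(
    IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
    );

/*
 * Invoked whenever an image is mapped. FullImageName is a counted UNICODE_STRING
 * (its Buffer is not guaranteed to be NUL-terminated) and can be NULL when the
 * kernel could not obtain the image name, so callbacks must check it.
 */
VOID
(*PLOAD_IMAGE_NOTIFY_ROUTINE)(
    IN PUNICODE_STRING FullImageName,
    IN HANDLE ProcessId,              /* where the image is mapped */
    IN PIMAGE_INFO ImageInfo
    );

typedef struct _IMAGE_INFO {
    union {
        ULONG Properties;
        struct {
            ULONG ImageAddressingMode  : 8;   /* code addressing mode */
            ULONG SystemModeImage      : 1;   /* system mode image */
            ULONG ImageMappedToAllPids : 1;   /* mapped in all processes */
            ULONG Reserved             : 22;
        };
    };
    PVOID ImageBase;
    ULONG ImageSelector;
    ULONG ImageSize;
    ULONG ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;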
Using the functions and structures given above, we can implement a process/thread monitor. The code below demonstrates how.
/*******************************************************************
 File name:     WSSPROCMON.C
 Description:   Process / Thread Monitor
 Author:        sinister
 Last modified: 2002-11-02
 *******************************************************************/
#include "ntddk.h"
#include "string.h"
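/* EPROCESS.ImageFileName offset on the author's kernel build only; it differs between builds. */
#define PROCESSNAMEOFFSET 0x1fc

static NTSTATUS MyDrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

/*
 * Not in the ntddk.h of the day, so declared by hand. The kernel export takes a
 * HANDLE; passing a HANDLE cast to ULONG is only safe where the two types have
 * the same size (32-bit builds). Later DDKs declare this routine themselves --
 * drop this line if the header already provides it.
 * The EPROCESS it returns is referenced and must be released with
 * ObDereferenceObject().
 */
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS *pEProcess);

VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE Pid, IN BOOLEAN bCreate);
VOID ThreadCreateMon(IN HANDLE Pid, IN HANDLE Tid, IN BOOLEAN bCreate);
VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo);

/*
 * Driver entry point.
 *
 * Creates the control device and its DOS symbolic link, then registers the
 * three notification callbacks (image load, thread create/exit, process
 * create/exit) that produce the monitor output. Every failure path undoes the
 * steps before it, so a partially initialised driver never leaves a callback
 * registered in an image the loader is about to discard.
 *
 * @param DriverObject  Driver object supplied by the I/O manager.
 * @param RegistryPath  Registry path of the driver's service key (unused).
 * @return STATUS_SUCCESS, or the NTSTATUS of the first step that failed.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING nameString, linkString;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status;
    int i;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Create the device object. */
    RtlInitUnicodeString(&nameString, L"\\Device\\wssprocmon");
    status = IoCreateDevice(DriverObject,
                            0,
                            &nameString,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &deviceObject);
    if (!NT_SUCCESS(status))
        return status;

    /* Win32-visible name so that user mode can open the device. */
    RtlInitUnicodeString(&linkString, L"\\DosDevices\\wssprocmon");
    status = IoCreateSymbolicLink(&linkString, &nameString);
    if (!NT_SUCCESS(status))
        goto fail_device;

    status = PsSetLoadImageNotifyRoutine(ImageCreateMon);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetLoadImageNotifyRoutine()\n");
        goto fail_link;
    }

    status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
        goto fail_image;
    }

    status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
        goto fail_thread;
    }

    /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries; all get the trivial handler. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = MyDrvDispatch;

    /*
     * No DriverUnload is set on purpose: with the three callbacks registered
     * the driver must stay resident. Anyone adding an unload routine has to
     * perform the same three removals as the failure paths below first.
     */
    return STATUS_SUCCESS;

fail_thread:
    /* The PsRemove* routines are absent on the oldest kernels -- TODO confirm for the target build. */
    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
fail_image:
    PsRemoveLoadImageNotifyRoutine(ImageCreateMon);
fail_link:
    IoDeleteSymbolicLink(&linkString);
fail_device:
    IoDeleteDevice(deviceObject);
    return status;
}

/*
 * Completes every IRP sent to the control device with STATUS_SUCCESS and no
 * data; the monitor only reports through DbgPrint.
 *
 * The status is returned from a local, not re-read from the IRP: once
 * IoCompleteRequest() has run the IRP may already have been freed.
 */
static NTSTATUS MyDrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0L;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

/*
 * Returns the image file name stored inside an EPROCESS.
 *
 * The name lives at a hard-coded, undocumented offset (PROCESSNAMEOFFSET) that
 * is only valid for the kernel build the author used; on any other build this
 * reads unrelated memory. The field is a small fixed-size buffer that the
 * kernel keeps NUL-terminated (presumably 16 bytes -- TODO confirm for the
 * target build), so only a truncated name is available here.
 */
static const char *ProcessNameOf(PEPROCESS eProcess)
{
    return (const char *)eProcess + PROCESSNAMEOFFSET;
}

/*
 * Process create/exit callback (PCREATE_PROCESS_NOTIFY_ROUTINE).
 *
 * On creation the new process's EPROCESS is looked up to print its image name;
 * on exit only the id is printed. PsLookupProcessByProcessId() hands back a
 * referenced object, so every successful lookup is paired with
 * ObDereferenceObject() -- the original leaked one reference per event, which
 * keeps every EPROCESS ever seen alive for the lifetime of the system.
 *
 * @param hParentId  Id of the creating process.
 * @param Pid        Id of the process being created or destroyed.
 * @param bCreate    TRUE on creation, FALSE on exit.
 */
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE Pid, IN BOOLEAN bCreate)
{
    PEPROCESS eProcess;
    NTSTATUS status;

    if (!bCreate) {
        DbgPrint("Terminated == Process ID: %p\n", Pid);
        return;
    }

    status = PsLookupProcessByProcessId((ULONG)Pid, &eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    DbgPrint("Create Process == Process Name: %s, Process ParentId: %p, Process ID: %p, Address %p\n",
             ProcessNameOf(eProcess), hParentId, Pid, eProcess);

    ObDereferenceObject(eProcess);
}

/*
 * Thread create/exit callback (PCREATE_THREAD_NOTIFY_ROUTINE).
 *
 * Same lookup/release discipline as ProcessCreateMon(): the owning process is
 * only looked up on creation, and the reference is dropped after printing.
 *
 * @param Pid      Id of the process that owns the thread.
 * @param Tid      Id of the thread being created or destroyed.
 * @param bCreate  TRUE on creation, FALSE on exit.
 */
VOID ThreadCreateMon(IN HANDLE Pid, IN HANDLE Tid, IN BOOLEAN bCreate)
{
    PEPROCESS eProcess;
    NTSTATUS status;

    if (!bCreate) {
        DbgPrint("Terminated == Thread ID: %p\n", Tid);
        return;
    }

    status = PsLookupProcessByProcessId((ULONG)Pid, &eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    DbgPrint("Create Thread == Process Name: %s Process ID: %p, Thread ID: %p\n",
             ProcessNameOf(eProcess), Pid, Tid);

    ObDereferenceObject(eProcess);
}

/*
 * Image load callback (PLOAD_IMAGE_NOTIFY_ROUTINE).
 *
 * FullImageName is a counted UNICODE_STRING whose Buffer is not guaranteed to
 * be NUL-terminated, so it is printed with %wZ rather than %S; the pointer
 * itself can be NULL when the kernel could not resolve the image name.
 *
 * @param FullImageName  Path of the image being mapped, or NULL.
 * @param ProcessId      Process the image is mapped into.
 * @param ImageInfo      Base, size and flags of the mapping.
 */
VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
    if (FullImageName != NULL)
        DbgPrint("FullImageName: %wZ, Process ID: %p\n", FullImageName, ProcessId);
    else
        DbgPrint("FullImageName: (unknown), Process ID: %p\n", ProcessId);

    DbgPrint("ImageBase: %p, ImageSize: %lu\n", ImageInfo->ImageBase, ImageInfo->ImageSize);
}

About us: WSS (WhiteCell Security Systems) is a non-profit private technology organization devoted to all kinds of system security techniques. We adhere to the traditional hacker spirit and pursue purity of technique.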
WSS Home: http://www.whitecell.org/