To kernel driver monitoring process developed in Windows8 create using Visual studio2012

最新推荐文章于 2017-02-10 08:44:00 发布
最新推荐文章于 2017-02-10 08:44:00 发布
阅读量4k 收藏
点赞数 1
分类专栏: VC++编程技术 Visual C++2010编程技术 Visual Studio 11开发专栏 Windows8开发专栏
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/itcastcpp/article/details/8705532
版权
In Windows NT, the 80386 protected mode "protection" is more robust than Windows 95, the "gilded cage" more solid, more difficult to break. In Windows 95, at least the application I / O operation is unrestricted, Windows NT application even this permission are deprived. Less likely to enter in the NT almost real ring0 layer.
In Windows NT, there are three Device Driver:
  1. "Virtual device Driver" (VDD). VDD, 16-bit applications, such as DOS and Win16 applications can access specific I / O ports (Note, not direct access, but to VDD to access).
  2. "GDI Driver", display and print the necessary GDI functions.
  3. "Kernel Mode Driver", the operation of specific hardware, for example, CreateFile, CloseHandle (file object), ReadFile, WriteFile, the DeviceIoControl other operations. "Kernel Mode Driver" Windows NT hardware interrupt and DMA operation Driver. SCSI port driver and NIC NDIS driver Kernel Mode Driver is a special form.
 
 
Visual studio2012 Windows8 bring new experience exceptionally different
 
1.Start Vs2012


2. Seen everywhere driven development template


3.Select a drive mode, there are two types of kernel mode and user mode driver


 
4 Create a driver, KMDF DriverMVP


 
We choose a kernel mode driver Below is created after the success of the interface are the driver, and the driver installation package


Press F5, select the drive compile
 




Insert the following code to the kernel process creation

#include "ProcMon.h"  
#include "../inc/ioctls.h"  
  
//  
//  
  
//  
//  
// 全局变量  
//  
  
PDEVICE_OBJECT  g_pDeviceObject;  
  
//  
//  
  
//  
//  
// 函数实现  
//  
  
NTSTATUS  
DriverEntry(  
    IN PDRIVER_OBJECT       DriverObject,  
    IN PUNICODE_STRING      RegistryPath  
)  
{  
    NTSTATUS            Status = STATUS_SUCCESS;      
    UNICODE_STRING      ntDeviceName;  
    UNICODE_STRING      dosDeviceName;  
    UNICODE_STRING      ProcessEventString;  
    PDEVICE_EXTENSION   deviceExtension;  
    PDEVICE_OBJECT      deviceObject = NULL;  
      
    KdPrint(("[ProcMon] DriverEntry: %wZ\n", RegistryPath));  
      
    //  
    // 创建设备对象  
    //  
    RtlInitUnicodeString(&ntDeviceName, PROCMON_DEVICE_NAME_W);  
      
    Status = IoCreateDevice(  
                        DriverObject,   
                        sizeof(DEVICE_EXTENSION),       // DeviceExtensionSize  
                        &ntDeviceName,                  // DeviceName  
                        FILE_DEVICE_PROCMON,            // DeviceType  
                        0,                              // DeviceCharacteristics  
                        TRUE,                           // Exclusive  
                        &deviceObject                   // [OUT]  
                        );  
  
    if(!NT_SUCCESS(Status))  
    {  
        KdPrint(("[ProcMon] IoCreateDevice Error Code = 0x%X\n", Status));  
          
        return Status;  
    }  
      
    //  
    // 设置扩展结构  
    //  
    deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;  
      
    //  
    // Set up synchronization objects, state info,, etc.  
    //  
    deviceObject->Flags |= DO_BUFFERED_IO;  
      
    //  
    // 创建符号链接  
    //  
    RtlInitUnicodeString(&dosDeviceName, PROCMON_DOS_DEVICE_NAME_W);  
      
    Status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);  
      
    if(!NT_SUCCESS(Status))  
    {  
        KdPrint(("[ProcMon] IoCreateSymbolicLink Error Code = 0x%X\n", Status));  
  
        IoDeleteDevice(deviceObject);  
          
        return Status;  
    }  
      
    //  
    // 分发IRP  
    //  
    DriverObject->MajorFunction[IRP_MJ_CREATE]           = ProcmonDispatchCreate;  
    DriverObject->MajorFunction[IRP_MJ_CLOSE]            = ProcmonDispatchClose;  
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]   = ProcmonDispatchDeviceControl;  
    DriverObject->DriverUnload                           = ProcmonUnload;  
      
    //  
    // 保存设备对象指针  
    //  
    g_pDeviceObject = deviceObject;  
  
    //  
    // 创建事件对象与应用层通信  
    //  
    RtlInitUnicodeString(&ProcessEventString, EVENT_NAME);  
      
    deviceExtension->ProcessEvent = IoCreateNotificationEvent(&ProcessEventString, &deviceExtension->hProcessHandle);  
    KeClearEvent(deviceExtension->ProcessEvent);         // 非受信状态  
  
    //  
    // 设置回调例程  
    //  
    Status = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);  
  
    return Status;  
}  
  
NTSTATUS  
ProcmonDispatchCreate(  
    IN PDEVICE_OBJECT       DeviceObject,  
    IN PIRP                 Irp  
)  
{  
    NTSTATUS Status = STATUS_SUCCESS;  
      
    Irp->IoStatus.Information = 0;  
      
    KdPrint(("[ProcMon] IRP_MJ_CREATE\n"));  
      
    Irp->IoStatus.Status = Status;  
    IoCompleteRequest(Irp, IO_NO_INCREMENT);  
      
    return Status;  
}  
  
NTSTATUS  
ProcmonDispatchClose(  
    IN PDEVICE_OBJECT       DeviceObject,  
    IN PIRP                 Irp  
)  
{  
    NTSTATUS Status = STATUS_SUCCESS;  
      
    Irp->IoStatus.Information = 0;  
      
    KdPrint(("[ProcMon] IRP_MJ_CLOSE\n"));  
      
    Irp->IoStatus.Status = Status;  
    IoCompleteRequest(Irp, IO_NO_INCREMENT);  
      
    return Status;  
}  
  
NTSTATUS  
ProcmonDispatchDeviceControl(  
    IN PDEVICE_OBJECT       DeviceObject,  
    IN PIRP                 Irp  
)  
{  
    NTSTATUS            Status = STATUS_SUCCESS;  
    PIO_STACK_LOCATION  irpStack;  
    PDEVICE_EXTENSION   deviceExtension;  
    ULONG               inBufLength, outBufLength;  
    ULONG               ioControlCode;  
    PCALLBACK_INFO      pCallbackInfo;  
      
    // 获取当前设备栈  
    irpStack = IoGetCurrentIrpStackLocation(Irp);  
    deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;  
      
    // 提取信息  
    pCallbackInfo = Irp->AssociatedIrp.SystemBuffer;  
    inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;  
    outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;  
    ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;  
  
    // 处理不同的IOCTL  
    switch (ioControlCode)  
    {  
    case IOCTL_PROC_MON:  
        {  
            KdPrint(("[ProcMon] IOCTL: 0x%X", ioControlCode));  
  
            if (outBufLength >= sizeof(PCALLBACK_INFO))  
            {  
                pCallbackInfo->hParentId = deviceExtension->hParentId;  
                pCallbackInfo->hProcessId = deviceExtension->hProcessId;  
                pCallbackInfo->bCreate = deviceExtension->bCreate;  
  
                Irp->IoStatus.Information = outBufLength;  
            }   
            break;  
        }  
          
    default:  
        {  
            Status = STATUS_INVALID_PARAMETER;  
            Irp->IoStatus.Information = 0;  
              
            KdPrint(("[ProcMon] Unknown IOCTL: 0x%X (%04X,%04X)", \  
                    ioControlCode, DEVICE_TYPE_FROM_CTL_CODE(ioControlCode), \  
                    IoGetFunctionCodeFromCtlCode(ioControlCode)));  
              
            break;  
        }  
    }  
      
    Irp->IoStatus.Status = Status;  
    IoCompleteRequest(Irp, IO_NO_INCREMENT);      
      
    return Status;  
}  
  
VOID  
ProcmonUnload(  
    IN PDRIVER_OBJECT       DriverObject  
)  
{  
    UNICODE_STRING dosDeviceName;  
      
    //  
    // Free any resources  
    //  
  
    // 卸载回调例程  
    PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);  
      
    //  
    // Delete the symbolic link  
    //  
      
    RtlInitUnicodeString(&dosDeviceName, PROCMON_DOS_DEVICE_NAME_W);  
      
    IoDeleteSymbolicLink(&dosDeviceName);  
      
    //  
    // Delete the device object  
    //  
      
    IoDeleteDevice(DriverObject->DeviceObject);  
      
    KdPrint(("[ProcMon] Unloaded"));  
}  
  
VOID  
ProcessCallback(  
    IN HANDLE               ParentId,           // 父进程ID  
    IN HANDLE               ProcessId,          // 发生事件的进程ID  
    IN BOOLEAN              Create              // 进程是创建还是终止  
)  
{  
    PDEVICE_EXTENSION deviceExtension = (PDEVICE_EXTENSION)g_pDeviceObject->DeviceExtension;  
  
    deviceExtension->hParentId = ParentId;  
    deviceExtension->hProcessId = ProcessId;  
    deviceExtension->bCreate = Create;  
  
    // 触发事件,通知应用程序  
    KeSetEvent(deviceExtension->ProcessEvent, 0, FALSE);  
    KeClearEvent(deviceExtension->ProcessEvent);  
}


ring3 application layer calls to get the monitoring process creation


#include "windows.h"  
#include "winioctl.h"  
#include "stdio.h"  
#include "../inc/ioctls.h"  
  
#define SYMBOL_LINK "\\\\.\\ProcMon"  
//#define SYMBOL_LINK "\\\\.\\slNTProcDrv"  
  
int main()  
{  
    CALLBACK_INFO cbkinfo, cbktemp = {0};  
  
    // 打开驱动设备对象  
    HANDLE hDriver = ::CreateFile(  
                            SYMBOL_LINK,  
                            GENERIC_READ | GENERIC_WRITE,  
                            0,  
                            NULL,  
                            OPEN_EXISTING,  
                            FILE_ATTRIBUTE_NORMAL,  
                            NULL);  
    if (hDriver == INVALID_HANDLE_VALUE)  
    {  
        printf("打开驱动设备对象失败!\n");  
  
        return -1;  
    }  
      
    // 打开内核事件对象  
    HANDLE hProcessEvent = ::OpenEventW(SYNCHRONIZE, FALSE, EVENT_NAME);  
  
    while (::WaitForSingleObject(hProcessEvent, INFINITE))  
    {  
        DWORD   dwRet;  
        BOOL    bRet;  
  
        bRet = ::DeviceIoControl(  
                            hDriver,  
                            IOCTL_PROC_MON,  
                            NULL,  
                            0,  
                            &cbkinfo,  
                            sizeof(cbkinfo),  
                            &dwRet,  
                            NULL);  
  
        if (bRet)  
        {  
            if (cbkinfo.hParentId != cbktemp.hParentId || \  
                cbkinfo.hProcessId != cbktemp.hProcessId || \  
                cbkinfo.bCreate != cbktemp.bCreate)  
            {  
                if (cbkinfo.bCreate)  
                {  
                    printf("有进程被创建,PID = %d\n", cbkinfo.hProcessId);  
                }   
                else  
                {  
                    printf("有进程被终止,PID = %d\n", cbkinfo.hProcessId);  
                }  
  
                cbktemp = cbkinfo;  
            }  
        }   
        else  
        {  
            printf("\n获取进程信息失败!\n");  
            break;  
        }  
    }  
  
    ::CloseHandle(hDriver);  
  
    return 0;  
}



尹成
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
terminate-kernel-process.zip_Driver_The Process_virus
09-14
The source code of the program, showing an example of forced completion of all processes, including anti-virus Kaspersky, Agnitum, etc., using the driver PsTerminateProcess feature in Windows 2000, ...
Moving to Windows Vista x64
tweeger的专栏
02-16 2960
原文地址:http://www.codeproject.com/KB/vista/vista_x64.aspx Contents Introductionx64 Sectionx64 Assembly C/C++ Programming Inline Assembly Windows On Windows File System And Regist
Moving to Windows Vista x64(codeproject)
staryy的专栏
07-25 2618
Moving to Windows Vista x64 By Daniel Pistelli. An article about x64 and Windows Vista. GenericWindo
Microsoft Windows Vista Security Advancements
网络 人生 学习 进步
12-26 2884
Introduction In just three decades, the software that runs personal computers and digital devices has transformed the way millions of people around the globe work, communicate and enjoy their free
64位Windows 移植须知
Tommy(凌飞)的专栏
11-26 9142
<!-- INTRODUCTION The Code Project article submission template (HTML version)Using this template will help us post your article sooner
Professional C# 6 and .NET Core 1.0 - Chapter 39 Windows Services
weixin_30402343的博客
02-10 286
本文内容为转载,供学习研究。如有侵权,请联系作者删除。 转载请注明本文出处:Professional C# 6 and .NET Core 1.0 - Chapter39 Windows Services ----------------------------------------------------------------------- What’s In This Chap...
An Introduction to Virtualization - 介绍虚拟化比较好的文章,稍微有点老
木马屠城
06-28 2593
An Introduction to Virtualization © Amit Singh. All Rights Reserved http://www.kernelthread.com/publications/virtualization/ It's hot. Yet again. Microsoft acquired Connectix Corpo
远程管理
jianyi7659的专栏
12-18 2200
<br />远程管理是指一种从远程来管理本地计算机的方法。<br />远程管理软件是现在越来越常见了,它通常被用作为管理那些直接接触或物理接触有困难的系统。远程可能是相对于一台计算机的所在房间的隔壁房间或者在地球的另一侧的某个地方。远程管理也能是合法的或者非法的管理。<br /><br />本文中,我将提出的许多实现它的结构和其功能的小例子。因此,让我们跳过不必要的故事,直接进入主题。<br />引进和先决条件<br />要理解关于将在这里讨论问题整个事情,你需要一些基本知识:<br />•Linux和Wi
【转】Can you find me now? - Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS
live then work
02-09 1076
10/[email protected]. AbstractIn August 2008 Verizon Wireless released a firmware upgrade for their xv6800(rebranded HTC Titan) line of Windows Mobile sm
CV的一些代码
baozi3026的专栏
01-05 7480
before a link means the link points to a binary file, not a readable page) Research Code A rational methodology for lossy compression - REWIC is a software-based implementation of a a rational
windows-kernel-a-driver-model.rar_kernel windows
09-21
windows 内核与驱动编程模型,win2000未公开的资料
Introduction to Linux kernel driver programming
01-07
A new device driver model has been designed and developed for the 2.5 version of the Linux Kernel. Linux Driver开发必看。
Windows-Kernel-Explorer:免费但功能强大的Windows内核研究工具
02-06
Windows-Kernel-Explorer:免费但功能强大的Windows内核研究工具
linux kernel driver
05-22
linux kernel driver 框架介绍,进行linux driver 开发必备资料
在平板电脑与移动3G大爆炸的时代,昔日霸主微软的反击
热门推荐
尹成的技术博客
06-02 1万+
在Android已经如日中天的时刻,在苹果的市值超过微软的时刻,微软已经意识到错过了未来,但是微软不会坐以待毙,犹如三国争霸的时代,云计算微软投入重兵,但是移动3G,微软会放弃吗?       微软的对抗战略如下     Windows 8 是由微软公司开发的,具有革命性变化的操作系统。该系统旨在让人们的日常电脑操作更加简单和快捷,为人们提供高效易行的工作环境。Windows8将支持来自Intel
Visual C++2010开发权威指南》版权输出台湾香港新加坡---大陆C++超越并引领台湾
尹成的技术博客
08-26 1万+
CSDN著名技术专家著作-《Visual C++2010开发权威指南》版权输出台湾香港新加坡 大陆购买地址http://product.china-pub.com/196957 台湾购买地址http://www.iread.com.tw/ProdDetails.aspx?prodid=B000157497 微软公司新一代的开发工具Visual C++ 2010在C++开发方面带来了很多革命性的变化
Windows8内核模式下开发NDIS应用-NDIS Filter讲解
尹成的技术博客
07-16 9881
在Win8系统下开发驱动程序,需要数字证书,还需要驱动签名认证。不能像XP下面那样疯狂滴耍流氓了。 由于Win8系统的内核做了大幅度的修改,它和XP系统的内核起了很大的变化,最显著的就是刚才说的:需要签名和证书。  还有就是:不能随意的HOOK SSDT了。在开发NDIS驱动程序的时候,WDK开发包提供了一个新的框架,叫着NDIS FilterNDIS Filter是一个例子工程。假入我把WDK安
Windows8开发指南(3)Windows8开发工具
尹成的技术博客
01-15 8941
Windows 8基于Windows7,同时微软对其进行了性能、安全、隐私、系统可靠性等方面的改进。在硬件需求方面,Windows8与Windows7完全一样。之前也提到,除了x86和x64架构,Windows 8增加了ARM片上系统的支持。连接性与Wi-Fi和移动宽带Windows8会自动选择信号较好的网络来进行连接,也允许应用来控制自己的带宽占用。在有流量限制的网络下,Windows8会自动阻
windowskernelmodedriver10.0 下载
最新发布
12-08
Windows Kernel Mode Driver 10.0 是微软推出的一款用于 Windows 操作系统的内核模式驱动程序。它是操作系统的关键组成部分,负责与硬件设备进行通信和控制。 下载 Windows Kernel Mode Driver 10.0 可以通过微软官方网站或者 Windows Update 进行。 在微软官方网站上,可以找到相关的驱动程序下载页面。在该页面上,用户可以选择适用于自己的操作系统版本的驱动程序,并下载到本地计算机中。在下载之前,用户需要确定自己的操作系统版本,并确保下载的驱动程序与其兼容。 另外,Windows Update 也提供了更新和下载 Windows Kernel Mode Driver 10.0 的功能。用户可以打开 Windows Update 设置页面,检查更新,并选择下载和安装适用于自己的系统的驱动程序。Windows Update 会自动搜索并提供最新的驱动程序。 下载完成后,用户可以将驱动程序安装到自己的计算机中。安装过程中,需要遵循驱动程序提供的安装指南,按照提示完成安装。安装完成后,计算机将能够正确识别和使用相关硬件设备,以确保系统的正常运行。 需要注意的是,下载和安装 Windows Kernel Mode Driver 10.0 时,应当选择可信的渠道和官方源。避免从非官方或不受信任的第三方网站下载和安装驱动程序,以免带来安全风险和系统兼容性问题。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

尹成

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值