vs设置:“项目-属性-链接器-命令行”位置添加 /INTEGRITYCHECK 即可,不然注册回调的时候会失败
参考:https://xiaodaozhi.com/kernel/18.html
#include <ntddk.h>
typedef NTSTATUS (*PPsSetCreateProcessNotifyRoutineEx)(
_In_ PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
_In_ BOOLEAN Remove
);
PPsSetCreateProcessNotifyRoutineEx pPsSetCreateProcessNotifyRoutineEx = NULL;
BOOLEAN bRegister = FALSE;
VOID CreateProcessNotifyEx(
_Inout_ PEPROCESS Process,
_In_ HANDLE ProcessId,
_In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
)
{
HANDLE hParentId = NULL;
HANDLE hParentThreadId = NULL;
HANDLE hCurrentThreadId = NULL;
hCurrentThreadId = PsGetCurrentThreadId();
if (CreateInfo == NULL){
DbgPrint("ProcessDestory ThreadID[%d]", hCurrentThreadId);
return;
}
hParentId = CreateInfo->CreatingThreadId.UniqueProcess;
hParentThreadId = CreateInfo->CreatingThreadId.UniqueThread;
DbgPrint("CreateProcess ParentID[%d] Name:%wZ", hParentId, CreateInfo->ImageFileName);
return;
}
NTSTATUS Unload(PDRIVER_OBJECT driver)
{
DbgPrint("unload driver");
if (bRegister && pPsSetCreateProcessNotifyRoutineEx){
pPsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);
bRegister = FALSE;
}
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING RegPath)
{
DbgPrint("Driver Entry");
driver->DriverUnload = Unload;
do{
UNICODE_STRING uFunName = { 0 };
RtlInitUnicodeString(&uFunName, L"PsSetCreateProcessNotifyRoutineEx");
pPsSetCreateProcessNotifyRoutineEx = (PPsSetCreateProcessNotifyRoutineEx)MmGetSystemRoutineAddress(&uFunName);
if (pPsSetCreateProcessNotifyRoutineEx == NULL){
DbgPrint("GetSetCreateProcessNotif Failed");
break;
}
if (STATUS_SUCCESS != pPsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE)){
DbgPrint("Register Process Notify Failed");
break;
}
bRegister = TRUE;
DbgPrint("Register Process Notify Success");
} while (FALSE);
return STATUS_SUCCESS;
}
1861
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
