使用驱动方式，在原来的 ProcObsrv.c 基础上进行了完善，所有进程的创建和销毁事件都不会丢失，能够完全捕获。
具体代码如下:
//---------------------------------------------------------------------------
//
// ProcObsrv.c
//
// SUBSYSTEM:
// System monitor
// MODULE:
// Driver for monitoring NT processes and DLL mapping.
//
// DESCRIPTION:
// This code is based on James Finnegan's sample
// (MSJ January 1999).
//
// Ivo Ivanov, January 2002
//
//---------------------------------------------------------------------------
//---------------------------------------------------------------------------
//
// Includes
//
//---------------------------------------------------------------------------
#include <ntddk.h>
//---------------------------------------------------------------------------
//
// Defines
//
//---------------------------------------------------------------------------
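//
// Device type. ntddk.h already defines FILE_DEVICE_UNKNOWN as 0x22; the
// duplicate here carries the same value, so the redefinition is benign.
//
#define FILE_DEVICE_UNKNOWN 0x00000022
#define IOCTL_UNKNOWN_BASE  FILE_DEVICE_UNKNOWN

//
// IOCTL codes shared with the user-mode client. Function codes 0x800 and up
// are the range reserved for third-party drivers. Both codes use
// METHOD_BUFFERED, so the I/O manager hands the dispatch routine a system
// buffer (Irp->AssociatedIrp.SystemBuffer) and copies the result back; the
// access bits mean the handle must have been opened for read and write.
//
// METHOD_BUFFERED only bounds the copy itself - the dispatch routine still
// has to check Parameters.DeviceIoControl.InputBufferLength /
// OutputBufferLength against the ACTIVATE_INFO / PROCESS_CALLBACK_INFO sizes
// before reading from or writing to the system buffer.
//
// The macro continuations below must be backslashes; a forward slash leaves
// the CTL_CODE(...) expression as a stray statement at file scope.
//
#define IOCTL_PROCOBSRV_ACTIVATE_MONITORING \
    CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_PROCOBSRV_GET_PROCINFO \
    CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0801, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)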
//---------------------------------------------------------------------------
//
// Forward declaration
//
//---------------------------------------------------------------------------
//
// Driver unload routine (definition further down). It is expected to undo
// what DriverEntry set up - in particular the process notify callback must
// be removed before the driver image is unmapped, otherwise the kernel would
// later call into freed code.
//
void UnloadDriver(PDRIVER_OBJECT DriverObject);

//
// Handler for the create/close IRPs on the control device; judging by the
// name it serves IRP_MJ_CREATE and IRP_MJ_CLOSE.
//
NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

//
// Handler for device-control IRPs, presumably the receiver of the
// IOCTL_PROCOBSRV_* requests. The codes are METHOD_BUFFERED, so this routine
// must validate Parameters.DeviceIoControl.InputBufferLength /
// OutputBufferLength against sizeof(ACTIVATE_INFO) /
// sizeof(PROCESS_CALLBACK_INFO) before touching SystemBuffer, and must reject
// unknown control codes with an error status.
//
NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
//
// Process function callback
//
//
// Process create/exit notification. The signature (parent id, process id,
// create flag) is the PCREATE_PROCESS_NOTIFY_ROUTINE shape used with
// PsSetCreateProcessNotifyRoutine; the registration itself is not visible
// in this part of the file. hParentId identifies the creator, hProcessId the
// process being created or torn down, and bCreate distinguishes the two
// cases. The routine runs in the context of the creating/exiting thread, not
// of the monitoring client, so no user-mode pointer supplied by the client
// may be dereferenced here.
//
VOID ProcessCallback(IN HANDLE hParentId, IN HANDLE hProcessId, IN BOOLEAN bCreate);
//
// Structure for holding info about activating/deactivating the driver
//
//
// Payload of IOCTL_PROCOBSRV_ACTIVATE_MONITORING (inferred from the names):
// the client switches monitoring on or off via bActivated. The structure is
// copied in from user mode, so the dispatch routine has to confirm the input
// buffer holds at least sizeof(ACTIVATE_INFO) bytes before reading it.
// The layout is part of the user/kernel ABI - keep member order and types.
//
typedef struct _ActivateInfo {
    BOOLEAN bActivated;     // presumably TRUE = start monitoring, FALSE = stop
} ACTIVATE_INFO, *PACTIVATE_INFO;
//
// Structure for process callback information
//
//
// One process event as returned to user mode (presumably the output buffer of
// IOCTL_PROCOBSRV_GET_PROCINFO). It mirrors the three ProcessCallback
// arguments. Before copying it out, the dispatch routine must check the
// output buffer is at least sizeof(PROCESS_CALLBACK_INFO); since the
// structure leaves the kernel it must never carry kernel pointers.
// The layout is part of the user/kernel ABI - keep member order and types.
//
typedef struct _ProcessCallbackInfo {
    HANDLE hParentId;       // id of the creating process (HANDLE-typed, as delivered by the notify routine)
    HANDLE hProcessId;      // id of the process that was created or exited
    BOOLEAN bCreate;        // TRUE for creation, FALSE for termination
} PROCESS_CALLBACK_INFO, *PPROCESS_CALLBACK_INFO;
//
// Private storage for process retrieval
//
//
// Per-device state kept in the device extension.
//
// The process section is a single slot: ProcessCallback presumably fills
// hParentId / hProcessId / bCreate and signals ProcessEvent, and the IOCTL
// path reads them back. Writer and reader run in different thread contexts,
// so access needs synchronisation, and a single slot is overwritten if a
// second notification lands before the client has fetched the first - the
// list-based structure that follows appears to be the queue that addresses
// this. If ProcessEvent originates from a user-mode handle it must be
// obtained with ObReferenceObjectByHandle and dereferenced on close/unload.
//
typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT DeviceObject;    // back-pointer to the owning device object

    //
    // Shared section
    //
    HANDLE hProcessId;

    //
    // Process section data
    //
    PKEVENT ProcessEvent;           // event used to wake the monitoring client
    HANDLE hParentId;
    BOOLEAN bCreate;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
typedef struct
{
LIST_ENTRY list_entry;
HANDLE hProcessId;
HANDLE hParentId;
B