Windows10 x64 Ring0实现进程创建监控

海鸥的诀别诗

已于 2023-03-25 11:29:46 修改

阅读量246

点赞数 1

分类专栏：底层 C\C++ 功能函数文章标签： c++ windows visual studio

于 2023-03-23 13:30:32 首次发布

本文链接：https://blog.csdn.net/zcy5157912/article/details/129728887

版权

C\C++ 功能函数同时被 2 个专栏收录

20 篇文章 0 订阅

订阅专栏

底层

9 篇文章 0 订阅

订阅专栏

#include<ntifs.h>
#include <ntddk.h>
#include <stdio.h>
#include <stdlib.h>
#include<windef.h>
#include <winapifamily.h> 
#include <ntimage.h>
#include<wdm.h>
//系统内置函数，声明后可直接使用
NTKERNELAPI PCHAR PsGetProcessImageFileName(PEPROCESS Process);
//绕过完整型签名检查，否则无法设置回调
BOOLEAN BypassCheckSign(PDRIVER_OBJECT pDriverObject)
{
#ifdef _WIN64
	typedef struct _KLDR_DATA_TABLE_ENTRY
	{
		LIST_ENTRY listEntry;
		ULONG64 __Undefined1;
		ULONG64 __Undefined2;
		ULONG64 __Undefined3;
		ULONG64 NonPagedDebugInfo;
		ULONG64 DllBase;
		ULONG64 EntryPoint;
		ULONG SizeOfImage;
		UNICODE_STRING path;
		UNICODE_STRING name;
		ULONG   Flags;
		USHORT  LoadCount;
		USHORT  __Undefined5;
		ULONG64 __Undefined6;
		ULONG   CheckSum;
		ULONG   __padding1;
		ULONG   TimeDateStamp;
		ULONG   __padding2;
	} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
#else
	typedef struct _KLDR_DATA_TABLE_ENTRY
	{
		LIST_ENTRY listEntry;
		ULONG unknown1;
		ULONG unknown2;
		ULONG unknown3;
		ULONG unknown4;
		ULONG unknown5;
		ULONG unknown6;
		ULONG unknown7;
		UNICODE_STRING path;
		UNICODE_STRING name;
		ULONG   Flags;
	} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
#endif

	PKLDR_DATA_TABLE_ENTRY pLdrData = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;
	pLdrData->Flags = pLdrData->Flags | 0x20;

	return TRUE;
}
VOID CreateProcessNotify(PEPROCESS Process,HANDLE ProcessId,PPS_CREATE_NOTIFY_INFO CreateInfo)
{
	PCHAR pszImageFileName = NULL;
	if (CreateInfo != NULL)//不为空代表进程创建
	{
	pszImageFileName = PsGetProcessImageFileName(Process);
	//DbgPrint("进程创建： %s %pid:",pszImageFileName,(ULONG64)ProcessId);
	//PsSetCreateProcessNotifyRoutineEx可以阻止进程的创建:
	if (strcmp(pszImageFileName, "calc.exe") == 0)
		{
			CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;//阻止创建并不弹窗
		}
	}
}
	
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath) {
	BypassCheckSign(DriverObject);
	NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotify, FALSE);
	//CreateProcessNotify为自定义的处理函数,后面的布尔值代表是否移除回调
	if (!NT_SUCCESS(status))
	{
		DbgPrint("回调函数设置失败, status=%X", status);
	}

	else
	{
		DbgPrint("进程监控已开启\r\n");
	}
	DriverObject->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}

NTSTATUS DriverUnload(PDRIVER_OBJECT Driver) {
    //移除回调
	PsSetCreateProcessNotifyRoutineEx(CreateProcessNotify, TRUE);
	DbgPrint("Driver Unloading...\n");
	return STATUS_SUCCESS;
}