七、回调
7.1.进程回调
DriverMain.c
#include <ntifs.h>
PUCHAR PsGetProcessImageFileName(PEPROCESS Process);
//创建进程回调函数
VOID CreateProcessListen(
_In_ HANDLE ParentId,
_In_ HANDLE ProcessId,
_In_ BOOLEAN Create
)
{
PEPROCESS Process = NULL;
NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &Process);
if (!NT_SUCCESS(status))
{
return;
}
//创建进程
if (Create)
{
DbgPrintEx(77,0,"[db]:%s 创建了\r\n", PsGetProcessImageFileName(Process));
}
else
{
DbgPrintEx(77, 0, "[db]:%s 退出了\r\n", PsGetProcessImageFileName(Process));
}
ObDereferenceObject(Process);
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
PsSetCreateProcessNotifyRoutine(CreateProcessListen, TRUE);
DbgPrint("卸载驱动\r\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
//创建进程回调
PsSetCreateProcessNotifyRoutine(CreateProcessListen,FALSE);
pDriver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}修改PspNotifyEnableMask为00000009,创建和退出进程时就不会触发回调
kd> dd PspNotifyEnableMask
83f4c838 0000000b 00000000 8ad0e54f 00000000
83f4c848 00000000 00000000 00000000 00000000
83f4c858 00000000 00000000 00000000 00000000
83f4c868 00000000 00000000 00000000 00000000
83f4c878 00000000 00000000 00000000 00000000
83f4c888 00000000 00000000 00000000 00000000
83f4c898 00000000 00000000 00000000 00000000
83f4c8a8 00000000 00000000 00000000 00000000
kd> ed 83f4c838 00000009
kd> g7.2.线程回调
DriverMain.c
#include <ntifs.h>
PUCHAR PsGetProcessImageFileName(PEPROCESS Process);
VOID CreateProcessListen(
_In_ HANDLE ParentId,
_In_ HANDLE ProcessId,
_In_ BOOLEAN Create
)
{
PEPROCESS Process = NULL;
NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &Process);
if (!NT_SUCCESS(status))
{
return;
}
//创建进程
if (Create)
{
DbgPrintEx(77,0,"[db]:%s 创建了\r\n", PsGetProcessImageFileName(Process));
}
else
{
DbgPrintEx(77, 0, "[db]:%s 退出了\r\n", PsGetProcessImageFileName(Process));
}
ObDereferenceObject(Process);
}
VOID createThreadListen(
_In_ HANDLE ProcessId,
_In_ HANDLE ThreadId,
_In_ BOOLEAN Create
)
{
if (Create)
{
DbgPrintEx(77, 0, "[db]线程创建了\r\n");
}
else
{
DbgPrintEx(77, 0, "[db]线程结束了\r\n");
}
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
//PsSetCreateProcessNotifyRoutine(CreateProcessListen, TRUE);
PsRemoveCreateThreadNotifyRoutine(createThreadListen);
DbgPrint("卸载驱动\r\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
//PsSetCreateProcessNotifyRoutine(CreateProcessListen,FALSE);
PsSetCreateThreadNotifyRoutine(createThreadListen);
pDriver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}修改PspNotifyEnableMask为00000007,创建和退出线程时就不会触发回调
7.3.模块回调
DriverMain.c
#include <ntifs.h>
PUCHAR PsGetProcessImageFileName(PEPROCESS Process);
VOID CreateProcessListen(
_In_ HANDLE ParentId,
_In_ HANDLE ProcessId,
_In_ BOOLEAN Create
)
{
PEPROCESS Process = NULL;
NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &Process);
if (!NT_SUCCESS(status))
{
return;
}
//创建进程
if (Create)
{
DbgPrintEx(77,0,"[db]:%s 创建了\r\n", PsGetProcessImageFileName(Process));
}
else
{
DbgPrintEx(77, 0, "[db]:%s 退出了\r\n", PsGetProcessImageFileName(Process));
}
ObDereferenceObject(Process);
}
VOID createThreadListen(
_In_ HANDLE ProcessId,
_In_ HANDLE ThreadId,
_In_ BOOLEAN Create
)
{
if (Create)
{
DbgPrintEx(77, 0, "[db]线程创建了\r\n");
}
else
{
DbgPrintEx(77, 0, "[db]线程结束了\r\n");
}
}
VOID LoadImageListen(
_In_opt_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId, // pid into which image is being mapped
_In_ PIMAGE_INFO ImageInfo
)
{
if (ImageInfo->SystemModeImage)
{
DbgPrintEx(77, 0, "[db]驱动模块: %wZ\r\n", FullImageName);
}
else
{
DbgPrintEx(77, 0, "[db]普通DLL: %wZ\r\n", FullImageName);
}
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
//PsSetCreateProcessNotifyRoutine(CreateProcessListen, TRUE);
//PsRemoveCreateThreadNotifyRoutine(createThreadListen);
PsRemoveLoadImageNotifyRoutine(LoadImageListen);
DbgPrint("卸载驱动\r\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
//PsSetCreateProcessNotifyRoutine(CreateProcessListen,FALSE);
//PsSetCreateThreadNotifyRoutine(createThreadListen);
PsSetLoadImageNotifyRoutine(LoadImageListen);
pDriver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}_IMAGE_INFO结构体
typedef struct _IMAGE_INFO {
union {
ULONG Properties;
struct {
ULONG ImageAddressingMode : 8; // Code addressing mode
ULONG SystemModeImage : 1; // System mode image
ULONG ImageMappedToAllPids : 1; // Image mapped into all processes
ULONG ExtendedInfoPresent : 1; // IMAGE_INFO_EX available
ULONG MachineTypeMismatch : 1; // Architecture type mismatch
ULONG ImageSignatureLevel : 4; // Signature level
ULONG ImageSignatureType : 3; // Signature type
ULONG ImagePartialMap : 1; // Nonzero if entire image is not mapped
ULONG Reserved : 12;
};
};
PVOID ImageBase;
ULONG ImageSelector;
SIZE_T ImageSize;
ULONG ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;修改PspNotifyEnableMask为0000000e,就不会触发模块回调
posted on 2022-09-18 23:35 zhang_derek 阅读(217) 评论(0) 编辑 收藏 举报
