windows 64位 系統非HOOK方式監控進程創建
阿新 • • 發佈:2017-10-03
points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting.
以下內容參考黑客防線2012合訂本354頁
MSDN 原話:
The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.
NTSTATUS
PsSetCreateProcessNotifyRoutineEx(
IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
IN BOOLEAN Remove
);
可以通過這個函數註冊一個回調函數監控進程創建. 比hook方便很多.
對於CreateProcessNotifyEx:
VOID
CreateProcessNotifyEx(
__inout PEPROCESS Process,
__in HANDLE ProcessId,
__in_opt PPS_CREATE_NOTIFY_INFO CreateInfo
);
其中CreateInfo是
If this parameter is non-NULL, a new process is being created, and CreateInfo
為空時表示進程退出, 非空時表示進程創建. 其結構定義如下:
/*
 * Information passed to a CreateProcessNotifyEx callback for a process that is
 * being created (the callback receives NULL instead when a process exits).
 * Fields are SAL-annotated: __in fields are read-only for the callback, __inout
 * fields may be modified by it.
 */
typedef struct _PS_CREATE_NOTIFY_INFO {
    __in SIZE_T Size;
    union {
        __in ULONG Flags;
        struct {
            __in ULONG FileOpenNameAvailable : 1; // NOTE(review): presumably says whether ImageFileName is the name the file was opened with — confirm against MSDN
            __in ULONG Reserved : 31;
        };
    };
    __in HANDLE ParentProcessId;              // PID of the creating (parent) process
    __in CLIENT_ID CreatingThreadId;          // thread (and its process) that issued the create
    __inout struct _FILE_OBJECT *FileObject;  // file object of the executable image
    __in PCUNICODE_STRING ImageFileName;      // full path of the process being created
    __in_opt PCUNICODE_STRING CommandLine;    // may be NULL (optional per annotation)
    __inout NTSTATUS CreationStatus;          // set this to a failure status to block the creation
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
測試結果:
附上大佬的代碼 (自己加了一些註釋):
//下面2個函數聲明後就能用 NTKERNELAPI PCHAR PsGetProcessImageFileName(PEPROCESS Process); NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process); PCHAR GetProcessNameByProcessId(HANDLE ProcessId) { NTSTATUS st = STATUS_UNSUCCESSFUL; PEPROCESS ProcessObj = NULL; PCHAR string = NULL; st = PsLookupProcessByProcessId(ProcessId, &ProcessObj); if (NT_SUCCESS(st)) { string = PsGetProcessImageFileName(ProcessObj); ObfDereferenceObject(ProcessObj); } return string; } VOID NotifyCreateProcess( __inout PEPROCESS Process,//如果是創建(退出),則是被創建(退出)進程的exe名(不包括完整路徑) __in HANDLE ProcessId,//如果是創建(退出)進程,則是被創建(退出)進程的pid __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo//如果是創建進程,則裏面包含被創建進程完整路徑名 ) { if (CreateInfo) { // DbgPrint("param ProcessId is %d\n", ProcessId); //被創建進程id // DbgPrint("param Process is %s\n", PsGetProcessImageFileName(Process)); DbgPrint("%s of who the pid is %d create process %wZ\n", GetProcessNameByProcessId(CreateInfo->ParentProcessId), CreateInfo->ParentProcessId, CreateInfo->ImageFileName); if (_stricmp("calc.exe", PsGetProcessImageFileName(Process)) == 0) { DbgPrint("forbidding start calc.exe!\n"); CreateInfo->CreationStatus = STATUS_ACCESS_DENIED; } } else { DbgPrint("process %s exit\n", PsGetProcessImageFileName(Process)); } }