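// Poll the process list from a timer tick (original note: 用timer监控进程信息).
// Each tick replaces the ListBox contents with the names of the currently running
// processes. The snapshot handle is always closed, even if the walk is cut short.
var
  lppe: TProcessEntry32;
  found: Boolean;
  Hand: THandle;
begin
  Hand := CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
  // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not 0.
  if Hand = INVALID_HANDLE_VALUE then
    Exit;
  try
    // Process32First rejects the call unless dwSize has been filled in first.
    lppe.dwSize := SizeOf(TProcessEntry32);
    ListBox1.Items.BeginUpdate;
    try
      // The original appended on every tick, so the list grew without bound.
      ListBox1.Items.Clear;
      found := Process32First(Hand, lppe);
      while found do
      begin
        ListBox1.Items.Add(StrPas(lppe.szExeFile));
        found := Process32Next(Hand, lppe);
      end;
    finally
      ListBox1.Items.EndUpdate;
    end;
  finally
    // The snapshot handle was never released in the original.
    CloseHandle(Hand);
  end;
end;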
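// Poll the process list from a timer tick (original note: 用timer监控进程信息).
// Each tick replaces the ListBox contents with the names of the currently running
// processes. The snapshot handle is always closed, even if the walk is cut short.
var
  lppe: TProcessEntry32;
  found: Boolean;
  Hand: THandle;
begin
  Hand := CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
  // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not 0.
  if Hand = INVALID_HANDLE_VALUE then
    Exit;
  try
    // Process32First rejects the call unless dwSize has been filled in first.
    lppe.dwSize := SizeOf(TProcessEntry32);
    ListBox1.Items.BeginUpdate;
    try
      // The original appended on every tick, so the list grew without bound.
      ListBox1.Items.Clear;
      found := Process32First(Hand, lppe);
      while found do
      begin
        ListBox1.Items.Add(StrPas(lppe.szExeFile));
        found := Process32Next(Hand, lppe);
      end;
    finally
      ListBox1.Items.EndUpdate;
    end;
  finally
    // The snapshot handle was never released in the original.
    CloseHandle(Hand);
  end;
end;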
这个时候是不是应该hook Shell啊?
那怎么Hook Shell呢?
右键打开文件的时候,和双击打开没区别,都是NtCreateProcess调用的,hook shell没听说过,孤陋寡闻了……
但是比如一个文本文件,我右键用Editplus打开的时候,就捕捉不到。
//
// Includes
//
//---------------------------------------------------------------------------
#include <ntddk.h>
#include <string.h>//---------------------------------------------------------------------------
//
// Defines
//
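//---------------------------------------------------------------------------
#define MAX_PATH 260
// Byte offset of the image-name field inside EPROCESS for each supported build.
// The callbacks pick one of these at run time from RtlGetVersion's dwBuildNumber;
// any other build has no known offset and must not be read.
#define WIN2K_EPROCESS_NAMEOFFSET 0x1fc //2k
#define WINXP_EPROCESS_NAMEOFFSET 0x174 //xp
#define WIN2K3_EPROCESS_NAMEOFFSET 0x154 //2k3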
// Forward declarations for the dispatch routines installed by DriverEntry.
void UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
// Local prototype for the kernel export used by the callbacks. Callers here cast the
// HANDLE id to ULONG to match it. NOTE(review): the exported routine is documented with a
// HANDLE first parameter; on 32-bit builds the two are the same width, which is what this
// file relies on. The returned PEPROCESS carries a reference the caller must release.
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess);
// Record of the most recent process create/exit event, written by ProcessCallback and
// copied to the user-mode client by IO_QUERY_EVENT_STATE. Because it is copied verbatim
// into the client's buffer, field order and sizes are part of the user/kernel contract.
typedef struct _DEVICE_EXTENSION
{
HANDLE hProcessId;            // id of the process that was created or exited
HANDLE hParentId;             // id of its parent process
BOOLEAN bCreate;              // TRUE for creation, FALSE for exit
UCHAR uProcessName[MAX_PATH]; // image name read out of EPROCESS (see ProcessCallback)
UCHAR uParentName[MAX_PATH];  // parent's image name, obtained the same way
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
// 头文件
//#include "Drivers.h"
#include "..\Include\IoControl.h"//
// 全局变量
//
// Event object handed over by the client through IO_REFERENCE_EVENT; ProcessCallback
// pulses it (KeSetEvent/KeClearEvent) after each recorded process event. NULL until referenced.
PVOID gpEventObject = NULL; //事件
// Device created in DriverEntry; its DeviceExtension holds the last DEVICE_EXTENSION record.
PDEVICE_OBJECT gpDeviceObject = NULL; //
//
// PsSetCreateProcessNotifyRoutine函数的回调函数,得到进程句柄
//
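// PsSetCreateProcessNotifyRoutine callback: records the created/exited process and its
// parent in the device extension, then pulses the client's event.
//
// hParentId/hProcessId - ids supplied by the kernel; bCreate - TRUE on creation, FALSE on exit.
// Returns nothing; on any failure the entry is logged with DbgPrint and the extension is
// left as it was.
VOID ProcessCallback(IN HANDLE hParentId, IN HANDLE hProcessId, IN BOOLEAN bCreate) {
    PEPROCESS eProcess;
    NTSTATUS status;
    PDEVICE_EXTENSION extension;
    RTL_OSVERSIONINFOEXW rtlOSInfo;
    ULONG uProcNameOffset;
    // The image-name field inside EPROCESS is a short fixed-size array that is not
    // guaranteed to be NUL-terminated; bounding the copy keeps the read inside it.
    // NOTE(review): 15 assumes a 16-byte field on the builds handled below - confirm per build.
    const ULONG cchImageName = 15;

    // The device exists only after DriverEntry, and the event only after IO_REFERENCE_EVENT;
    // return instead of dereferencing NULL through either global.
    if (gpDeviceObject == NULL || gpEventObject == NULL) {
        DbgPrint("ProcessCallback: device or event not initialised\n");
        return;
    }
    extension = (PDEVICE_EXTENSION)gpDeviceObject->DeviceExtension;

    // The offset of the image name inside EPROCESS differs per OS build.
    rtlOSInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
    status = RtlGetVersion((RTL_OSVERSIONINFOW*)&rtlOSInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrint("RtlGetVersion failed!\n");
        return;
    }
    DbgPrint("rtlOSInfo.dwBuildNumber == %d\n", rtlOSInfo.dwBuildNumber);
    switch (rtlOSInfo.dwBuildNumber) {
    case 2195: uProcNameOffset = WIN2K_EPROCESS_NAMEOFFSET; break;  // Windows 2000 (untested)
    case 2600: uProcNameOffset = WINXP_EPROCESS_NAMEOFFSET; break;  // Windows XP
    case 3790: uProcNameOffset = WIN2K3_EPROCESS_NAMEOFFSET; break; // Windows 2003 (untested)
    default:   uProcNameOffset = 0; break;
    }
    // An offset of 0 would read the start of EPROCESS as a string; refuse instead of
    // copying garbage into the extension (the original carried on with offset 0).
    if (uProcNameOffset == 0) {
        DbgPrint("unsupported build %d, process name offset unknown\n", rtlOSInfo.dwBuildNumber);
        return;
    }

    // Created/exited process. PsLookupProcessByProcessId takes a reference on the
    // EPROCESS that must be released; the original never did.
    status = PsLookupProcessByProcessId((ULONG)hProcessId, &eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId failed!\n");
        return;
    }
    strncpy((char*)extension->uProcessName, (const char*)eProcess + uProcNameOffset, cchImageName);
    extension->uProcessName[cchImageName] = '\0';
    ObDereferenceObject(eProcess);

    // Parent process, same treatment.
    status = PsLookupProcessByProcessId((ULONG)hParentId, &eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId failed!\n");
        return;
    }
    strncpy((char*)extension->uParentName, (const char*)eProcess + uProcNameOffset, cchImageName);
    extension->uParentName[cchImageName] = '\0';
    ObDereferenceObject(eProcess);

    extension->hParentId = hParentId;
    extension->hProcessId = hProcessId;
    extension->bCreate = bCreate;
    // Pulse the event so a client blocked on it wakes up and issues IO_QUERY_EVENT_STATE.
    // NOTE(review): the extension is a single unsynchronised slot, so a second event arriving
    // before the client reads it overwrites the first - unchanged from the original design.
    KeSetEvent(gpEventObject, 0, FALSE);
    KeClearEvent(gpEventObject);
}
//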
// PsSetLoadImageNotifyRoutine 函数的回调函数,得到进程相关信息
//
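// PsSetLoadImageNotifyRoutine callback: logs the full path of every image mapped into a
// process together with that process id.
//
// FullImageName - counted (not necessarily NUL-terminated) path; ProcessId - target
// process; ImageInfo - unused here. Returns nothing.
VOID ImageCallBack(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo) {
    UNREFERENCED_PARAMETER(ImageInfo);

    // Treat a missing name defensively rather than dereferencing NULL.
    // NOTE(review): this file does not establish whether the kernel can pass NULL here.
    if (FullImageName == NULL || FullImageName->Buffer == NULL) {
        DbgPrint("strImageName: <none>,Process ID: %d\n", ProcessId);
        return;
    }

    // The original copied the string into a pool buffer of Length + 1 bytes and printed it
    // with %S: one byte is not room for the WCHAR terminator, so the copy either wrote past
    // the allocation or the print ran past it. %wZ prints a counted UNICODE_STRING directly,
    // so no copy, allocation or terminator is needed.
    DbgPrint("strImageName: %wZ,Process ID: %d\n", FullImageName, ProcessId);
}
//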
// PsSetCreateThreadNotifyRoutine 函数的回调函数,得到线程相关信息
//
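// PsSetCreateThreadNotifyRoutine callback: logs the owning process name, the process and
// thread ids, and whether the thread is being created or destroyed.
//
// ProcessId/ThreadId - ids supplied by the kernel; Create - TRUE on creation, FALSE on exit.
// Returns nothing; failures are logged and the entry is skipped.
VOID ThreadCallBack(IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create) {
    PEPROCESS eProcess;
    NTSTATUS status;
    RTL_OSVERSIONINFOEXW rtlOSInfo;
    ULONG uProcNameOffset;
    // NUL-terminated local copy of the image name, so DbgPrint's %s never reads past the
    // fixed-size field inside EPROCESS (the original printed the field in place).
    // NOTE(review): 15 assumes a 16-byte field on the builds handled below - confirm per build.
    const ULONG cchImageName = 15;
    CHAR procName[16];

    // Skip the System process (pid 4), otherwise the debug output is a flood.
    if (4 == (ULONG)ProcessId) return;

    // The offset of the image name inside EPROCESS differs per OS build.
    rtlOSInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
    status = RtlGetVersion((RTL_OSVERSIONINFOW*)&rtlOSInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrint("RtlGetVersion failed!\n");
        return;
    }
    switch (rtlOSInfo.dwBuildNumber) {
    case 2195: uProcNameOffset = WIN2K_EPROCESS_NAMEOFFSET; break;  // Windows 2000 (untested)
    case 2600: uProcNameOffset = WINXP_EPROCESS_NAMEOFFSET; break;  // Windows XP
    case 3790: uProcNameOffset = WIN2K3_EPROCESS_NAMEOFFSET; break; // Windows 2003 (untested)
    default:   uProcNameOffset = 0; break;
    }
    // Offset 0 would print the start of EPROCESS as a string; skip unknown builds.
    if (uProcNameOffset == 0) {
        DbgPrint("unsupported build %d, process name offset unknown\n", rtlOSInfo.dwBuildNumber);
        return;
    }

    status = PsLookupProcessByProcessId((ULONG)ProcessId, &eProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId failed!\n");
        return;
    }
    strncpy(procName, (const char*)eProcess + uProcNameOffset, cchImageName);
    procName[cchImageName] = '\0';
    // PsLookupProcessByProcessId references the EPROCESS; the original never released it.
    ObDereferenceObject(eProcess);

    DbgPrint("ProcessName == %s \t ProcessId == %d \t ThreadId == %d \t ThreadState == %s\n",
        procName, ProcessId, ThreadId, Create ? "Create" : "Destroy");
}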
//
// 驱动程序入口
//
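// Driver entry point: installs the dispatch routines, creates the device and its Win32
// symbolic link, and publishes the device object in gpDeviceObject for the callbacks.
//
// DriverObject - this driver; RegistryPath - unused.
// Returns STATUS_SUCCESS, or the failing status from IoCreateDevice/IoCreateSymbolicLink,
// in which case nothing created here is left behind.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {
    NTSTATUS status;
    UNICODE_STRING uszDeviceName;   // NT device name (COMM_DRIVER_DEV_NAME)
    UNICODE_STRING uszSymlinkName;  // Win32-visible name (COMM_DRIVER_WIN32_DEV_NAME)
    PDEVICE_OBJECT deviceObject = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = UnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;

    // The original names were swapped (uszDeviceString held the Win32 name); the values and
    // the calls that consume them are unchanged, only the variables are named for what they hold.
    RtlInitUnicodeString(&uszSymlinkName, COMM_DRIVER_WIN32_DEV_NAME);
    RtlInitUnicodeString(&uszDeviceName, COMM_DRIVER_DEV_NAME);

    status = IoCreateDevice(
        DriverObject,
        sizeof(DEVICE_EXTENSION),
        &uszDeviceName,
        FILE_DEVICE_UNKNOWN,
        0,
        FALSE,
        &deviceObject
    );
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateDevice failed\n");
        return status;
    }
    // Start from a known-empty record so an early IO_QUERY_EVENT_STATE returns zeros
    // rather than whatever the allocation contained.
    RtlZeroMemory(deviceObject->DeviceExtension, sizeof(DEVICE_EXTENSION));

    status = IoCreateSymbolicLink(&uszSymlinkName, &uszDeviceName);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateSymbolicLink failed\n");
        // The original returned here with the device still created, leaking it.
        IoDeleteDevice(deviceObject);
        return status;
    }

    gpDeviceObject = deviceObject;
    DbgPrint("DriverEntry\n");
    return status;
}
//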
// 打开或者关闭事件
//
// IRP_MJ_CREATE / IRP_MJ_CLOSE handler: every open and close of the device succeeds with
// no data transferred. DeviceObject is unused. Always returns STATUS_SUCCESS.
NTSTATUS DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
    const NTSTATUS result = STATUS_SUCCESS;
    PIO_STATUS_BLOCK ioStatus = &Irp->IoStatus;

    ioStatus->Information = 0;
    ioStatus->Status = result;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    DbgPrint("DispatchCreateClose\n");
    return result;
}
// 对用户模式或内核模式客户程序可用的控制操作
//
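// TRUE while the three notify callbacks are registered. Guards against registering them a
// second time on a repeated IO_SET_EVENT; the original re-registered on every call, and a
// single IO_CLEAR_EVENT then removed only one registration each.
static BOOLEAN gMonitoringActive = FALSE;

// IO_REFERENCE_EVENT: take a reference on the client's event object.
// The client passes its event handle as the Type3InputBuffer pointer value (unchanged
// protocol). Returns the ObReferenceObjectByHandle status.
static NTSTATUS IoctlReferenceEvent(IN PIRP Irp, IN PIO_STACK_LOCATION irpStack) {
    NTSTATUS status;
    PVOID eventObject = NULL;
    HANDLE hEvent = (HANDLE)irpStack->Parameters.DeviceIoControl.Type3InputBuffer;

    // Validate the handle in the caller's mode and against the event object type. The
    // original looked it up as KernelMode with no type, which accepted any handle from the
    // caller's table and skipped the access check on an untrusted value.
    status = ObReferenceObjectByHandle(
        hEvent,
        EVENT_MODIFY_STATE,
        *ExEventObjectType,
        Irp->RequestorMode,
        &eventObject,
        NULL
    );
    if (!NT_SUCCESS(status)) {
        DbgPrint("ObReferenceObjectByHandle failed! status = %x\n", status);
        return status;
    }
    // Release the event referenced by an earlier call instead of leaking it.
    if (gpEventObject != NULL) {
        ObDereferenceObject(gpEventObject);
    }
    gpEventObject = eventObject;
    DbgPrint("Referenct object sussfully!\n");
    return status;
}

// IO_SET_EVENT: register the process, image and thread notify callbacks.
// Returns the first registration failure, STATUS_INVALID_DEVICE_STATE if no event has been
// referenced yet (ProcessCallback signals through it), or STATUS_SUCCESS.
static NTSTATUS IoctlStartMonitoring(void) {
    NTSTATUS status;
    NTSTATUS first = STATUS_SUCCESS;

    if (gpEventObject == NULL) {
        DbgPrint("IO_SET_EVENT before IO_REFERENCE_EVENT\n");
        return STATUS_INVALID_DEVICE_STATE;
    }
    if (gMonitoringActive) {
        return STATUS_SUCCESS;
    }
    status = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine failed!\n");
        first = status;
    }
    status = PsSetLoadImageNotifyRoutine(ImageCallBack);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetLoadImageNotifyRoutine failed!\n");
        if (NT_SUCCESS(first)) first = status;
    }
    status = PsSetCreateThreadNotifyRoutine(ThreadCallBack);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateThreadNotifyRoutine failed!\n");
        if (NT_SUCCESS(first)) first = status;
    }
    // Set even after a partial failure so a later stop removes whatever did register.
    gMonitoringActive = TRUE;
    return first;
}

// IO_CLEAR_EVENT: remove the three notify callbacks.
// Returns the first removal failure or STATUS_SUCCESS. The original discarded the return
// value of PsRemoveLoadImageNotifyRoutine and then tested the stale status from the
// previous call.
static NTSTATUS IoctlStopMonitoring(void) {
    NTSTATUS status;
    NTSTATUS first = STATUS_SUCCESS;

    status = PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine failed!\n");
        first = status;
    }
    status = PsRemoveLoadImageNotifyRoutine(ImageCallBack);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsRemoveLoadImageNotifyRoutine failed!\n");
        if (NT_SUCCESS(first)) first = status;
    }
    status = PsRemoveCreateThreadNotifyRoutine(ThreadCallBack);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsRemoveCreateThreadNotifyRoutine failed!\n");
        if (NT_SUCCESS(first)) first = status;
    }
    gMonitoringActive = FALSE;
    return first;
}

// IO_QUERY_EVENT_STATE: copy the last recorded DEVICE_EXTENSION into the client's buffer.
// *bytesWritten receives the number of bytes copied (0 or sizeof(DEVICE_EXTENSION)).
// A zero-length buffer is treated as "nothing requested" and succeeds with 0 bytes, as
// before; a buffer that is present but shorter than the record is rejected instead of
// being overrun (the original only checked for a non-zero length).
static NTSTATUS IoctlQueryState(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp,
                                IN PIO_STACK_LOCATION irpStack, OUT ULONG *bytesWritten) {
    PDEVICE_EXTENSION extension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
    // NOTE(review): the ioctl's transfer method is defined in IoControl.h, not visible here.
    // Writing through Irp->UserBuffer is only correct for a method that hands the driver a
    // raw user pointer, and even then the pointer should be probed before use; for
    // METHOD_BUFFERED the output belongs in Irp->AssociatedIrp.SystemBuffer. Confirm.
    PDEVICE_EXTENSION outBuf = (PDEVICE_EXTENSION)Irp->UserBuffer;
    ULONG outLen = irpStack->Parameters.DeviceIoControl.OutputBufferLength;

    *bytesWritten = 0;
    if (outLen == 0) {
        return STATUS_SUCCESS;
    }
    if (outLen < sizeof(DEVICE_EXTENSION) || outBuf == NULL) {
        return STATUS_BUFFER_TOO_SMALL;
    }
    // Whole-record copy: bounded by sizeof, unlike the strcpy of each name field.
    RtlCopyMemory(outBuf, extension, sizeof(DEVICE_EXTENSION));
    *bytesWritten = sizeof(DEVICE_EXTENSION);
    return STATUS_SUCCESS;
}

// IRP_MJ_DEVICE_CONTROL handler: dispatches the five IO_* codes defined in IoControl.h to
// the helpers above and completes the IRP.
//
// Returns the status of the handled request; Information is set to the bytes actually
// written (the original reported the caller's OutputBufferLength for every successful code,
// even ones that wrote nothing). Unknown codes now fail with STATUS_INVALID_DEVICE_REQUEST
// instead of succeeding silently.
NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
    NTSTATUS status = STATUS_SUCCESS;
    ULONG bytesWritten = 0;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    ULONG controlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (controlCode) {
    case IO_REFERENCE_EVENT:
        status = IoctlReferenceEvent(Irp, irpStack);
        break;
    case IO_DEREFERENCE_EVENT:
        if (gpEventObject != NULL) {
            ObDereferenceObject(gpEventObject);
            // The original left the dangling pointer in place, so a second
            // IO_DEREFERENCE_EVENT or a later callback used a released object.
            gpEventObject = NULL;
        }
        DbgPrint("Dereferenct object sussfully!\n");
        break;
    case IO_SET_EVENT:
        status = IoctlStartMonitoring();
        DbgPrint("KeSetEvent sussfully!\n");
        break;
    case IO_CLEAR_EVENT:
        status = IoctlStopMonitoring();
        DbgPrint("KeClearEvent sussfully!\n");
        break;
    case IO_QUERY_EVENT_STATE:
        status = IoctlQueryState(DeviceObject, Irp, irpStack, &bytesWritten);
        break;
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = NT_SUCCESS(status) ? bytesWritten : 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
//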
// 驱动卸载事件
//
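// Driver unload: tears down everything DriverEntry and the ioctls set up.
//
// The notify callbacks stay registered if the client never sent IO_CLEAR_EVENT, and a
// registered callback that points into unloaded code crashes the system on the next
// process, image or thread event; so they are removed here unconditionally (the remove
// calls fail harmlessly when nothing is registered). The event reference is released for
// the same reason, and the symbolic link is removed before the device it points to.
void UnloadDriver(IN PDRIVER_OBJECT DriverObject) {
    UNICODE_STRING uszSymlinkName;

    PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
    PsRemoveLoadImageNotifyRoutine(ImageCallBack);
    PsRemoveCreateThreadNotifyRoutine(ThreadCallBack);

    if (gpEventObject != NULL) {
        ObDereferenceObject(gpEventObject);
        gpEventObject = NULL;
    }

    RtlInitUnicodeString(&uszSymlinkName, COMM_DRIVER_WIN32_DEV_NAME);
    IoDeleteSymbolicLink(&uszSymlinkName);
    if (DriverObject->DeviceObject != NULL) {
        IoDeleteDevice(DriverObject->DeviceObject);
    }
    gpDeviceObject = NULL;
    DbgPrint("UnloadDriver\n");
}
//------------------------------------------------------------------------------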