Process thread creation and exit monitoring (DbgView printing)

Once thought to do a self-defense project, that is, monitoring, to achieve RING3 communication, all parties reference to learn, think of hooks

But once I know the way of the hook, I feel it's convenient or Microsoft admits the function, then I will implement a set of monitoring scheme, considering the reverse analysis, prepare the back

There is nothing free to go as far as possible to achieve the hook way, hope all smooth, less blue screen several times. Thank you, Mr. Hu Tutorial Guide!

Here is the code and note: the implementation is to monitor the process thread creation exit, if Calc is created block creation (W7 64 bit through)

Among the notes are:

Process monitoring functions

Pssetcreateprocessnotifyroutineex (MSDN can be found). The prototype for this function is:

NTSTATUS Pssetcreateprocessnotifyroutineex ( __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX Notifyroutine, __in BOOLEAN Remove );

Next note the prototype of the callback function Notifyroutine:

VOID Createprocessnotifyex ( __inout peprocess process, //new processes Eprocess __in HANDLE ProcessId, //new process PID __in_opt pps_create_notify_info createinfo //New process details (only valid when the process is created) );

Next look at the definition of the PS_CREATE_NOTIFY_INFO structure:

typedef struct _PS_CREATE_NOTIFY_INFO { size_t Size; Union { ULONG Flags; struct { ULONG fileopennameavailable:1; ULONG reserved:31; }; }; HANDLE Parentprocessid; client_id Creatingthreadid; struct _file_object *fileobject; Pcunicode_string Imagefilename; Pcunicode_string CommandLine; NTSTATUS Creationstatus; } ps_create_notify_info, *pps_create_notify_info;

Parent process ID, parent line ID
Even directly including the path to the program (without FileObject, the path is directly contained in the
imagefilename) and command-line arguments!

The most urgent thing is that if you want to block process creation, directly
The creationstatus member of this struct is changed to status_unsuccessful

Thread monitoring functions:

Ntkernelapi
NTSTATUS
Pssetcreatethreadnotifyroutine (
_in_ Pcreate_thread_notify_routine Notifyroutine
); (MSDN Available )

His callback function is as follows:

typedef
VOID
(*pcreate_thread_notify_routine) (
_in_ HANDLE ProcessId,
_in_ HANDLE ThreadId,
_in_ BOOLEAN Create
);

This makes it easy to see the process thread ID (handle). And the third Boolean indicates whether the creation succeeds or not is a yes or no selection.

Here is the test code

ProcessDrv.h:

#include <ntddk.h>

#define DPRINTF Dbgprint
#defineDEVICE_NAMEL "\\Device\\monitor_create_process_x64"
#define Link_namel "\\DosDevices\\monitor_create_process_x64"
#define Link_global_namel "\\DosDevices\\Global\\monitor_create_process_x64"

ProcessNotify.h
Ntkernelapi PCHAR psgetprocessimagefilename (peprocess Process);
Ntkernelapi NTSTATUS Pslookupprocessbyprocessid (HANDLE ProcessId, peprocess *process);

PCHAR Getprocessnamebyprocessid (HANDLE ProcessId)
{
NTSTATUS status=status_unsuccessful;
Peprocess Processobj=null;
PCHAR Stringname =null;

Status = Pslookupprocessbyprocessid (ProcessId, &processobj);
if (nt_success (Status))
{
Stringname = Psgetprocessimagefilename (processobj);
Obfdereferenceobject (processobj);//eprocess structure is processimagefilename
}
return stringname;
}

VOID Mycreateprocessnotifyex
(
__inout peprocess Process,
__in HANDLE ProcessId,
__in_opt pps_create_ Notify_info createinfo
)
{

char v1[16]={0};
if (createinfo!=null)//Process creation event
{
Dbgprint ("[Flame See Process in Creation (x64)][%ld]%s Create process:%wz",
Createinfo-> Parentprocessid,
Getprocessnamebyprocessid (createinfo->parentprocessid),
Createinfo->imagefilename );
strcpy (V1,psgetprocessimagefilename (Process));
if (!_stricmp (v1, "calc.exe"))
{
Dbgprint ("Disable the creation of the calculator process! ");
createinfo->creationstatus=status_unsuccessful;//Forbidden to create process
}
}
Else
{
Dbgprint ("[ Flame See process exited at exit (x64)] process:%s ", Psgetprocessimagefilename (process));
}
}

VOID mycreatethreadnotify
(
In HANDLE ProcessId,
In HANDLE ThreadId,
In BOOLEAN Create
)
{
if (Create)
{
Dbgprint ("[Flame See Thread Creation (x64)] thread created!" Pid=%ld; Tid=%ld ", ProcessId, ThreadId);
}
Else
{
Dbgprint ("[Flame sees thread exiting (x64)] thread quits!" Pid=%ld; Tid=%ld ", ProcessId, ThreadId);
}

}

ProcessDrv.cpp:

#include <ntddk.h>
#include "ProcessDrv.h"
#include "ProcessNotify.h"

VOID driverunload (Pdriver_object pdriverobj)
{
Unicode_string Strlink;
Rtlinitunicodestring (&strlink, link_name);
Iodeletesymboliclink (&strlink);
Iodeletedevice (Pdriverobj->deviceobject);
Remove Create Process/thread Notify
Pssetcreateprocessnotifyroutineex ((PCREATE_PROCESS_NOTIFY_ROUTINE_EX) mycreateprocessnotifyex,true);
Psremovecreatethreadnotifyroutine (mycreatethreadnotify);
}

NTSTATUS dispatchcreate (pdevice_object pdevobj, pirp pirp)
{
Pirp->iostatus.status = status_success;
pirp->iostatus.information = 0;
IoCompleteRequest (PIRP, io_no_increment);
return status_success;
}

NTSTATUS Dispatchclose (pdevice_object pdevobj, pirp pirp)
{
Pirp->iostatus.status = status_success;
pirp->iostatus.information = 0;
IoCompleteRequest (PIRP, io_no_increment);
return status_success;
}

NTSTATUS Dispatchioctl (pdevice_object pdevobj, pirp pirp)
{
NTSTATUS Status = status_invalid_device_request;
Pio_stack_location Pirpstack;
ULONG IoControlCode;
PVOID Iobuffer;
ULONG inputlength;
ULONG outputlength;
Pirpstack = Iogetcurrentirpstacklocation (PIRP);
IoControlCode = pirpstack->parameters.deviceiocontrol.iocontrolcode;
Iobuffer = pirp->associatedirp.systembuffer;
Inputlength = pirpstack->parameters.deviceiocontrol.inputbufferlength;
Outputlength = pirpstack->parameters.deviceiocontrol.outputbufferlength;
Switch (IoControlCode)
{

}
if (Status = = status_success)
Pirp->iostatus.information = Outputlength;
Else
pirp->iostatus.information = 0;
Pirp->iostatus.status = Status;
IoCompleteRequest (PIRP, io_no_increment);
return Status;
}

NTSTATUS DriverEntry (Pdriver_object pdriverobj, punicode_string pregistrystring)
{
NTSTATUS V1 = 0;
NTSTATUS Status = status_success;
Unicode_string linkname;
Unicode_string devicename;
Pdevice_object Devobject;
Pdriverobj->majorfunction[irp_mj_create] = dispatchcreate;
Pdriverobj->majorfunction[irp_mj_close] = Dispatchclose;
Pdriverobj->majorfunction[irp_mj_device_control] = Dispatchioctl;
Pdriverobj->driverunload = Driverunload;

Rtlinitunicodestring (&devicename, device_name);
Status = IoCreateDevice (pdriverobj, 0, &devicename, file_device_unknown, 0, FALSE, &devobject);
if (! Nt_success (Status))
{
return Status;
}

if (ioiswdmversionavailable (1, 0x10))//WDM YES OR NO
{
Rtlinitunicodestring (&linkname, link_global_name);
}
Else
{
Rtlinitunicodestring (&linkname, link_name);
}

Status = Iocreatesymboliclink (&linkname, &devicename);
if (! Nt_success (Status))
{
Iodeletedevice (Devobject);
return Status;
}

V1 =pssetcreateprocessnotifyroutineex ((PCREATE_PROCESS_NOTIFY_ROUTINE_EX) mycreateprocessnotifyex,false);
Dbgprint ("Pssetcreateprocessnotifyroutineex return:%x", V1);
V1 =pssetcreatethreadnotifyroutine (mycreatethreadnotify);
Dbgprint ("Pssetcreatethreadnotifyroutine return:%x", V1);
return status_success;
}

Process thread creation and exit monitoring (DbgView printing)