DDK version of process/thread Monitor

Write process/thread Monitor

Author: sinister
Email: sinister@whitecell.org
Homepage: http://www.whitecell.org

(A word first: many people ask how process/thread monitoring tools are implemented. I wrote this to give those friends a clearer picture and to save myself answering the same mails. If you are already familiar with NT drivers, you probably know the method described here and can skip the article.)

Sometimes we want to monitor, at run time, the creation and destruction of every process/thread in the system. Reading the DDK manual, I found that PsSetCreateProcessNotifyRoutine() and PsSetCreateThreadNotifyRoutine() provide exactly this: each registers a callback with the system that is invoked on process and thread creation/exit. Their prototypes are as follows:

Ntstatus
Pssetcreateprocesspolicyroutine (
In pcreate_process_policy_routine policyroutine,
In Boolean remove
);

Void
(* Pcreate_process_policy_routine )(
In handle parentid,
In handle processid,
In Boolean create
);

Ntstatus
Pssetcreatethreadpolicyroutine (
In pcreate_thread_policy_routine policyroutine
);

Void
(* Pcreate_thread_policy_routine )(
In handle processid,
In handle threadid,
In Boolean create
);

The prototypes show that the callbacks only supply the process ID / thread ID, not the process name. To get the process name from the process ID we need the undocumented function PsLookupProcessByProcessId(). Its prototype is as follows:

Ntstatus pslookupprocpolicyprocessid (
In ulong ulprocid,
Out peprocess * peprocess
);

The EPROCESS structure returned by that function is also an undocumented kernel process structure; many people call it the KPEB. Offset 0x1fc in EPROCESS holds the name of the process. (Although the structure can be used directly from a driver, its layout has never been published. Several experts on the Internet have posted it; if you are interested, search for it yourself or take it from the IFS DDK. It is too long to reproduce here.) With this structure we can obtain the process name. The NT system also provides a function for monitoring image loads per process: it reports the DLL name and full path, plus some image information, whenever an image is mapped into a process. This gives us more detailed information about what a process loads.

The original function is as follows:

Ntstatus
Pssetloadimagenotifyroutine (
In pload_image_policy_routine policyroutine
);

Void
(* Pload_image_policy_routine )(
In punicode_string fullimagename,
In handle processid, // Where image is mapped
In pimage_info imageinfo
);

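// Describes the image being mapped; passed to a PLOAD_IMAGE_NOTIFY_ROUTINE.
typedef struct _IMAGE_INFO {
    union {
        ULONG Properties;
        struct {
            ULONG ImageAddressingMode  : 8;   // code addressing mode
            ULONG SystemModeImage      : 1;   // system-mode (kernel) image
            ULONG ImageMappedToAllPids : 1;   // mapped into all processes
            ULONG Reserved             : 22;
        };
    };
    PVOID ImageBase;            // base address the image is mapped at
    ULONG ImageSelector;
    ULONG ImageSize;            // size of the image in bytes
    ULONG ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;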

With the functions and structures above we can implement a process/thread monitor. The following code demonstrates how.

/*************************************** **************************
File Name: wssprocmon. c
Description: Process/thread monitor.
By sinister
Last modification date: 2002-11-02

**************************************** *************************/

# Include "ntddk. H"
# Include "string. H"

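// Offset of the process image name inside EPROCESS.  EPROCESS is undocumented
// and its layout differs between NT releases and service packs, so this value
// is only valid for the kernel build the author tested against; confirm it
// before relying on it.
#define processnameoffset 0x1fc

static NTSTATUS mydrvdispatch(IN PDEVICE_OBJECT deviceobject, IN PIRP Irp);

// Undocumented in the DDK of the time.  The process id is a HANDLE (not a
// ULONG) and the returned EPROCESS is *referenced*: every successful call must
// be balanced by ObDereferenceObject().
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId, OUT PEPROCESS *Process);

VOID processcreatemon(IN HANDLE hparentid, IN HANDLE PID, IN BOOLEAN bcreate);
VOID threadcreatemon(IN HANDLE PID, IN HANDLE tid, IN BOOLEAN bcreate);
VOID imagecreatemon(IN PUNICODE_STRING fullimagename, IN HANDLE processid, IN PIMAGE_INFO imageinfo);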

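// Driver entry: creates the control device and its symbolic link, then
// registers the image-load, thread and process notify callbacks.
//
// driverobject - driver object supplied by the I/O manager.
// registrypath - the driver's service key (unused).
//
// Returns STATUS_SUCCESS, or the status of the first failing call.  Every
// resource acquired before a failure is released before returning: the
// original returned early and left the device, the link and already
// registered notify routines behind, so after the failed load the kernel
// would keep calling callbacks whose code had been unloaded.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT driverobject, IN PUNICODE_STRING registrypath)
{
    UNICODE_STRING namestring, linkstring;
    PDEVICE_OBJECT deviceobject = NULL;
    NTSTATUS status;
    ULONG i;

    UNREFERENCED_PARAMETER(registrypath);

    // Install the dispatch routine before the device becomes reachable.
    for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
        driverobject->MajorFunction[i] = mydrvdispatch;
    }

    // NT object namespace paths use backslashes.
    RtlInitUnicodeString(&namestring, L"\\Device\\wssprocmon");

    status = IoCreateDevice(driverobject,
                            0,
                            &namestring,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &deviceobject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&linkstring, L"\\DosDevices\\wssprocmon");

    status = IoCreateSymbolicLink(&linkstring, &namestring);
    if (!NT_SUCCESS(status)) {
        goto fail_device;
    }

    status = PsSetLoadImageNotifyRoutine(imagecreatemon);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetLoadImageNotifyRoutine()\n");
        goto fail_link;
    }

    status = PsSetCreateThreadNotifyRoutine(threadcreatemon);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
        goto fail_image;
    }

    status = PsSetCreateProcessNotifyRoutine(processcreatemon, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
        goto fail_thread;
    }

    return STATUS_SUCCESS;

    // Unwind in reverse order of acquisition.
fail_thread:
    PsRemoveCreateThreadNotifyRoutine(threadcreatemon);
fail_image:
    PsRemoveLoadImageNotifyRoutine(imagecreatemon);
fail_link:
    IoDeleteSymbolicLink(&linkstring);
fail_device:
    IoDeleteDevice(deviceobject);
    return status;
}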

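// Dispatch routine for the control device: completes every IRP with
// STATUS_SUCCESS and no data.
//
// The status is captured in a local before IoCompleteRequest(): once an IRP
// has been completed it may already have been freed, so the original's
// `return IRP->IoStatus.Status` after completion read freed memory.
static NTSTATUS mydrvdispatch(IN PDEVICE_OBJECT deviceobject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(deviceobject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}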

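// Process create/exit callback (PCREATE_PROCESS_NOTIFY_ROUTINE).
//
// hparentid - id of the parent process.
// PID       - id of the process being created or destroyed.
// bcreate   - TRUE on creation, FALSE on exit.
//
// Only logs via DbgPrint.  PsLookupProcessByProcessId() returns a referenced
// EPROCESS, which the original never released (one leaked reference per
// process start); it is dereferenced here on every path that obtains it.
VOID processcreatemon(IN HANDLE hparentid, IN HANDLE PID, IN BOOLEAN bcreate)
{
    PEPROCESS eprocess = NULL;
    const char *lpcurproc;
    NTSTATUS status;

    if (!bcreate) {
        // Nothing to look up on exit: the process is already tearing down.
        DbgPrint("terminated = process ID: %d\n", (ULONG)(ULONG_PTR)PID);
        return;
    }

    status = PsLookupProcessByProcessId(PID, &eprocess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    // processnameoffset is the version-specific offset of the image name
    // inside EPROCESS.  That field is a fixed 16-byte array and is not
    // guaranteed to be NUL-terminated, so the print is bounded to 16 chars.
    lpcurproc = (const char *)eprocess + processnameoffset;

    DbgPrint("create process = process name: %.16s, process parentid: %d, process ID: %d, process address %p\n",
             lpcurproc,
             (ULONG)(ULONG_PTR)hparentid,
             (ULONG)(ULONG_PTR)PID,
             eprocess);

    ObDereferenceObject(eprocess);
}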

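// Thread create/exit callback (PCREATE_THREAD_NOTIFY_ROUTINE).
//
// PID     - id of the process owning the thread.
// tid     - id of the thread being created or destroyed.
// bcreate - TRUE on creation, FALSE on exit.
//
// Only logs via DbgPrint.  As in processcreatemon(), the EPROCESS returned by
// PsLookupProcessByProcessId() is referenced and must be released; the
// original leaked one reference per thread start.
VOID threadcreatemon(IN HANDLE PID, IN HANDLE tid, IN BOOLEAN bcreate)
{
    PEPROCESS eprocess = NULL;
    const char *lpcurproc;
    NTSTATUS status;

    if (!bcreate) {
        DbgPrint("terminated = thread ID: %d\n", (ULONG)(ULONG_PTR)tid);
        return;
    }

    status = PsLookupProcessByProcessId(PID, &eprocess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    // Version-specific offset of the 16-byte, possibly unterminated image
    // name inside EPROCESS; bound the print accordingly.
    lpcurproc = (const char *)eprocess + processnameoffset;

    DbgPrint("create thread = process name: %.16s process ID: %d, thread ID: %d\n",
             lpcurproc,
             (ULONG)(ULONG_PTR)PID,
             (ULONG)(ULONG_PTR)tid);

    ObDereferenceObject(eprocess);
}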

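// Image-load callback (PLOAD_IMAGE_NOTIFY_ROUTINE).
//
// fullimagename - counted UNICODE_STRING with the image path; may be NULL.
// processid     - process the image is mapped into (0 for system images).
// imageinfo     - base address, size and properties of the mapped image.
//
// fullimagename is a UNICODE_STRING, not a NUL-terminated char string: the
// original printed its Buffer with %s, which reads wide characters as bytes
// and runs past the counted length.  %wZ takes the UNICODE_STRING itself.
VOID imagecreatemon(IN PUNICODE_STRING fullimagename, IN HANDLE processid, IN PIMAGE_INFO imageinfo)
{
    if (fullimagename != NULL) {
        DbgPrint("fullimagename: %wZ, process ID: %d\n",
                 fullimagename,
                 (ULONG)(ULONG_PTR)processid);
    } else {
        DbgPrint("fullimagename: <unknown>, process ID: %d\n",
                 (ULONG)(ULONG_PTR)processid);
    }

    DbgPrint("imagebase: %p, imagesize: %lu\n",
             imageinfo->ImageBase,
             (ULONG)imageinfo->ImageSize);
}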
