基於visual c++之windows核心編程程式碼分析（57）監控系統的每一個進程的建立

在監控病毒的時候，我們經常需要監控病毒建立的每一個進程，監控進程是如何?的呢，

我們來見程式碼分析，實現監控系統的每一個進程的建立，

 

 

#include "stdafx.h"#include "resource.h"#define MAX_LOADSTRING 100// 全域變數：HINSTANCE hInst;  // 當前執行個體TCHAR szTitle[MAX_LOADSTRING];// 標題文本TCHAR szWindowClass[MAX_LOADSTRING];// 標題文本// 包含的函數的聲明ATOMMyRegisterClass(HINSTANCE hInstance);BOOLInitInstance(HINSTANCE, int);LRESULT CALLBACKWndProc(HWND, UINT, WPARAM, LPARAM);LRESULT CALLBACKAbout(HWND, UINT, WPARAM, LPARAM);/*載入驅動*/void setup(){char namebuff[256]; //擷取.sys檔案所在的路徑GetModuleFileName(0,namebuff,256);DWORD  a=strlen(namebuff);  while(1)  {  if(namebuff[a]=='\\')break;  a--;  }  a++;  strcpy(&namebuff[a], "protector.sys");   //載入驅動protector.sysSC_HANDLE man=OpenSCManager(0,0,SC_MANAGER_ALL_ACCESS);SC_HANDLE t=CreateService(man,"protectorservice","protectorservice",SERVICE_START|SERVICE_STOP,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,namebuff,0,0,0,0,0);StartService(t,0,0);CloseServiceHandle(t);}/*卸載驅動*/void cleanup(){SC_HANDLE man = OpenSCManager(0,0,SC_MANAGER_ALL_ACCESS);SERVICE_STATUS stat;SC_HANDLE t = OpenService(man,"protectorservice",SERVICE_ALL_ACCESS);ControlService(t,SERVICE_CONTROL_STOP,&stat);   DeleteService(t);}HANDLE device;char outputbuff[256]; char * strings[256]; DWORD stringcount;/************************************************************************//* 建立一個線程，每隔10毫秒測試一下通訊緩衝區.如果發現驅動已經發送請求到緩衝區裡,它就檢查這個檔案的名字和路徑是否存在於機器上的"允許運行程式列表"中.如果尋找到了,它直接給一個OK的回應.否則,它彈出一個訊息框來詢問使用者是否允許運行這個可疑程式.如果得到的回覆是肯定的,那麼將添加這個可疑程式到"允許運行軟體列表"中.最後,我們把使用者的選擇寫進(通訊)緩衝區裡,即傳給驅動程式.因此,使用者得到了在自己機器上面進程建立的全部控制權*//************************************************************************/void thread(){DWORD a,x; char msgbuff[512];while(1){memmove(&a,&outputbuff[0],4);//如果緩衝區為空白，則休眠10ms，繼續檢查if(!a){Sleep(10);continue;}// 如果檔案的名字和路徑在機器的運行進程列表中，則發送一個OK的回應char*name=(char*)&outputbuff[8];for(x=0;x<stringcount;x++){if(!stricmp(name,strings[x])){a=1;goto skip;}}//詢問使用者，是否運行該程式運行 strcpy(msgbuff, "Do you want to run ");strcat(msgbuff,&outputbuff[8]);// 如果使用者同意，則添加該程式到信任清單裡if(IDYES==MessageBox(0, msgbuff,"WARNING",MB_YESNO|MB_ICONQUESTION|0x00200000L)){a=1; strings[stringcount]=_strdup(name);stringcount++;}else a=0;// 把使用者的選擇寫進通訊緩衝區，驅動將接收skip:memmove(&outputbuff[4],&a,4);//通知驅動繼續進行運行a=0;memmove(&outputbuff[0],&a,4);}}void go(){setup();DWORD controlbuff[64];DWORD dw;//建立處理的線程CreateThread(0,0,(LPTHREAD_START_ROUTINE)thread,0,0,&dw);//開啟裝置device=CreateFile("\\\\.\\PROTECTOR",GENERIC_READ|GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_SYSTEM,0);//去的NtCreateSection的索引, 將它傳給驅動, 也將緩衝區的地址傳給驅動DWORD * addr=(DWORD *)(1+(DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"),"NtCreateSection"));ZeroMemory(outputbuff,256);controlbuff[0]=addr[0];controlbuff[1]=(DWORD)&outputbuff[0];DeviceIoControl(device,1000,controlbuff,256,controlbuff,256,&dw,0);}/************************************************************************//* 主程式入口                                                                     *//************************************************************************/int APIENTRY WinMain(HINSTANCE hInstance,                     HINSTANCE hPrevInstance,                     LPSTR     lpCmdLine,                     int       nCmdShow){ // TODO: Place code here.MSG msg;HACCEL hAccelTable;//初始化全域變數LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);LoadString(hInstance, IDC_PROTECTOR, szWindowClass, MAX_LOADSTRING);MyRegisterClass(hInstance);//應用程式初始化if (!InitInstance (hInstance, nCmdShow)) {return FALSE;}hAccelTable = LoadAccelerators(hInstance, (LPCTSTR)IDC_PROTECTOR);//主訊息迴圈while (GetMessage(&msg, NULL, 0, 0)) {if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg)) {TranslateMessage(&msg);DispatchMessage(&msg);}}return msg.wParam;}/************************************************************************//* 這個函數的主要作用是保證應用程式的表徵圖在win32系統中正常顯示                                                                 *//************************************************************************/ATOM MyRegisterClass(HINSTANCE hInstance){WNDCLASSEX wcex;wcex.cbSize = sizeof(WNDCLASSEX); wcex.style= CS_HREDRAW | CS_VREDRAW;wcex.lpfnWndProc= (WNDPROC)WndProc;wcex.cbClsExtra= 0;wcex.cbWndExtra= 0;wcex.hInstance= hInstance;wcex.hIcon= LoadIcon(hInstance, (LPCTSTR)IDI_PROTECTOR);wcex.hCursor= LoadCursor(NULL, IDC_ARROW);wcex.hbrBackground= (HBRUSH)(COLOR_WINDOW+1);wcex.lpszMenuName= (LPCSTR)IDC_PROTECTOR;wcex.lpszClassName= szWindowClass;wcex.hIconSm= LoadIcon(wcex.hInstance, (LPCTSTR)IDI_SMALL);return RegisterClassEx(&wcex);}/************************************************************************//* 儲存執行個體控制代碼並建立主視窗在這個函數中，將執行個體控制代碼儲存在一個全域變數中，並建立和顯示主視窗                                                                     *//************************************************************************/BOOL InitInstance(HINSTANCE hInstance, int nCmdShow){   HWND hWnd;   hInst = hInstance; //將執行個體控制代碼儲存在全域變數中   hWnd = CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW,      CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);   if (!hWnd)   {      return FALSE;   }   ShowWindow(hWnd, nCmdShow);   UpdateWindow(hWnd);   go();   return TRUE;}/************************************************************************//* 視窗處理過程函數WM_COMMAND--處理應用程式的功能表項目WM_PAINT--繪製主視窗WM_DESTROY--發送一個退出訊息並返回                                                                     *//************************************************************************/LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam){int wmId, wmEvent;PAINTSTRUCT ps;HDC hdc;TCHAR szHello[MAX_LOADSTRING];LoadString(hInst, IDS_HELLO, szHello, MAX_LOADSTRING);switch (message) {case WM_COMMAND:wmId    = LOWORD(wParam); wmEvent = HIWORD(wParam); // 解析功能表項目:switch (wmId){case IDM_ABOUT:   DialogBox(hInst, (LPCTSTR)IDD_ABOUTBOX, hWnd, (DLGPROC)About);   break;case IDM_EXIT:  DestroyWindow(hWnd);   break;default:   return DefWindowProc(hWnd, message, wParam, lParam);}break;break;case WM_DESTROY: CloseHandle(device);  cleanup();PostQuitMessage(0);break;default:return DefWindowProc(hWnd, message, wParam, lParam);   }   return 0;}// about提示框的訊息控制代碼LRESULT CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam){switch (message){case WM_INITDIALOG:return TRUE;case WM_COMMAND:if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL) {EndDialog(hDlg, LOWORD(wParam));return TRUE;}break;}    return FALSE;}