在監控病毒的時候,我們經常需要監控病毒建立的每一個進程,那麼監控進程是如何實現的呢?
我們來看程式碼分析,實現監控系統中每一個進程的建立。
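#include "stdafx.h"
#include "resource.h"
#include <stdio.h>
#include <string.h>

#define MAX_LOADSTRING 100

/* Name under which protector.sys is registered with the service manager. */
#define PROTECTOR_SERVICE_NAME "protectorservice"
/* Driver image, expected in the same directory as this executable. */
#define PROTECTOR_DRIVER_FILE "protector.sys"
/* IOCTL code the driver understands (value taken from the original call). */
#define PROTECTOR_IOCTL_INIT 1000
/* Byte offsets inside outputbuff, as used by the request protocol below. */
#define REQ_FLAG_OFFSET 0     /* DWORD, non-zero while a request is pending   */
#define REQ_VERDICT_OFFSET 4  /* DWORD, 1 = allow, 0 = deny, written by us     */
#define REQ_NAME_OFFSET 8     /* image path of the process being created       */
/* Capacity of the "allowed to run" list. */
#define MAX_TRUSTED 256

// Global variables:
HINSTANCE hInst;                       // current instance
TCHAR szTitle[MAX_LOADSTRING];         // title bar text
TCHAR szWindowClass[MAX_LOADSTRING];   // main window class name

// Forward declarations of the functions in this file
ATOM MyRegisterClass(HINSTANCE hInstance);
BOOL InitInstance(HINSTANCE, int);
LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
LRESULT CALLBACK About(HWND, UINT, WPARAM, LPARAM);

/*
 * Load the driver.
 * Registers protector.sys (looked up next to this executable) as a
 * demand-start kernel service and starts it. A registration left over from
 * an earlier run is reused instead of failing.
 * Returns TRUE when the service is running afterwards, FALSE on any error.
 * The original returned void; the return value is additive.
 */
BOOL setup(void)
{
    char namebuff[MAX_PATH];
    BOOL ok = FALSE;

    // Build "<directory of this exe>\protector.sys". GetModuleFileName
    // returns 0 on failure and the buffer size when the path was truncated.
    DWORD len = GetModuleFileName(0, namebuff, sizeof namebuff);
    if (len == 0 || len >= sizeof namebuff) {
        return FALSE;
    }
    char *slash = strrchr(namebuff, '\\');
    if (slash == NULL) {
        return FALSE;                 // not a full path; nothing sensible to do
    }
    // Keep the backslash; make sure the driver name (plus NUL) still fits.
    // The original strcpy'd with no bound check.
    size_t dirlen = (size_t)(slash + 1 - namebuff);
    if (dirlen + strlen(PROTECTOR_DRIVER_FILE) >= sizeof namebuff) {
        return FALSE;
    }
    strcpy(slash + 1, PROTECTOR_DRIVER_FILE);

    SC_HANDLE man = OpenSCManager(0, 0, SC_MANAGER_ALL_ACCESS);
    if (man == NULL) {
        return FALSE;                 // e.g. insufficient rights
    }
    SC_HANDLE svc = CreateService(man, PROTECTOR_SERVICE_NAME, PROTECTOR_SERVICE_NAME,
                                  SERVICE_START | SERVICE_STOP, SERVICE_KERNEL_DRIVER,
                                  SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
                                  namebuff, 0, 0, 0, 0, 0);
    if (svc == NULL && GetLastError() == ERROR_SERVICE_EXISTS) {
        // cleanup() did not run last time (crash, kill): reuse the entry.
        svc = OpenService(man, PROTECTOR_SERVICE_NAME, SERVICE_START | SERVICE_STOP);
    }
    if (svc != NULL) {
        ok = StartService(svc, 0, 0) || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
        CloseServiceHandle(svc);
    }
    CloseServiceHandle(man);          // the original leaked this handle
    return ok;
}

/*
 * Unload the driver: stop the service and delete its registration.
 * Best-effort (called at shutdown); errors are ignored, but every
 * service-manager handle is closed, which the original did not do.
 */
void cleanup(void)
{
    SC_HANDLE man = OpenSCManager(0, 0, SC_MANAGER_ALL_ACCESS);
    if (man == NULL) {
        return;
    }
    SC_HANDLE svc = OpenService(man, PROTECTOR_SERVICE_NAME, SERVICE_ALL_ACCESS);
    if (svc != NULL) {
        SERVICE_STATUS stat;
        ControlService(svc, SERVICE_CONTROL_STOP, &stat);
        DeleteService(svc);
        CloseServiceHandle(svc);
    }
    CloseServiceHandle(man);
}

HANDLE device;                  // \\.\PROTECTOR, opened in go(), closed on WM_DESTROY
char outputbuff[256];           // request buffer shared with the driver; see REQ_* offsets
char *strings[MAX_TRUSTED];     // image paths the user allowed (_strdup'ed, never freed)
DWORD stringcount;              // number of valid entries in strings[]

/************************************************************************/
/* Worker loop that services the driver's requests.
   Every 10 ms it checks the shared buffer; when the driver has posted a
   request (non-zero DWORD at REQ_FLAG_OFFSET) the image path at
   REQ_NAME_OFFSET is compared case-insensitively with the "allowed to run"
   list. A hit answers 1 at once; otherwise the user is asked, and a "yes"
   both answers 1 and adds the path to the list. The verdict is stored at
   REQ_VERDICT_OFFSET, then the flag is cleared so the driver proceeds.
   This gives the user the final say on every process creation. Never
   returns.
   NOTE(review): the buffer is polled with plain loads/stores and no
   synchronisation against the driver side; the protocol is inherited from
   the original as-is - confirm the driver tolerates this.                */
/************************************************************************/
void thread(void)
{
    char namebuf[sizeof outputbuff];   // NUL-terminated copy of the request path
    char msgbuff[512];

    for (;;) {
        DWORD pending;
        memmove(&pending, &outputbuff[REQ_FLAG_OFFSET], sizeof pending);
        if (!pending) {
            Sleep(10);                 // nothing queued: poll again shortly
            continue;
        }

        // The driver fills the path; do not trust it to be NUL-terminated.
        const char *name = &outputbuff[REQ_NAME_OFFSET];
        size_t namemax = sizeof outputbuff - REQ_NAME_OFFSET;
        const char *nul = memchr(name, '\0', namemax);
        size_t namelen = nul ? (size_t)(nul - name) : namemax;
        memcpy(namebuf, name, namelen);
        namebuf[namelen] = '\0';

        // Already allowed? Then answer without bothering the user.
        DWORD verdict = 0;
        BOOL trusted = FALSE;
        for (DWORD x = 0; x < stringcount; x++) {
            if (_stricmp(namebuf, strings[x]) == 0) {
                trusted = TRUE;
                break;
            }
        }

        if (trusted) {
            verdict = 1;
        } else {
            // msgbuff is large enough for prefix + path + NUL; snprintf bounds it anyway.
            snprintf(msgbuff, sizeof msgbuff, "Do you want to run %s", namebuf);
            // MB_SERVICE_NOTIFICATION (0x00200000L in the original) puts the
            // box on the active desktop although this thread owns no window.
            if (IDYES == MessageBox(0, msgbuff, "WARNING",
                                    MB_YESNO | MB_ICONQUESTION | MB_SERVICE_NOTIFICATION)) {
                verdict = 1;
                // Remember the choice. The original wrote past strings[255]
                // on the 257th entry; when the list is full the user is
                // simply asked again next time.
                if (stringcount < MAX_TRUSTED) {
                    char *copy = _strdup(namebuf);
                    if (copy != NULL) {
                        strings[stringcount++] = copy;
                    }
                }
            }
        }

        // Publish the verdict, then clear the flag so the driver continues.
        memmove(&outputbuff[REQ_VERDICT_OFFSET], &verdict, sizeof verdict);
        pending = 0;
        memmove(&outputbuff[REQ_FLAG_OFFSET], &pending, sizeof pending);
    }
}

/* CreateThread requires DWORD WINAPI (LPVOID); the original cast thread() to that type. */
static DWORD WINAPI thread_entry(LPVOID unused)
{
    (void)unused;
    thread();
    return 0;
}

/*
 * Bring the monitor up: load the driver, start the worker thread, open the
 * device and hand the driver its two parameters via IOCTL 1000: the value
 * the original reads from ntdll!NtCreateSection (used by the driver as a
 * service index) and the user-mode address of outputbuff.
 * Returns TRUE on success, FALSE on the first failure (additive; the
 * original returned void and ignored every error).
 * NOTE(review): this is a 32-bit-only protocol (pointers and the index are
 * passed as DWORDs). Supported mechanisms for process-creation monitoring
 * exist (PsSetCreateProcessNotifyRoutineEx in a driver, ETW in user mode)
 * and do not depend on reading ntdll.
 */
BOOL go(void)
{
    DWORD controlbuff[64] = {0};      // 256 bytes; the original passed it uninitialised
    DWORD dw = 0;

    if (!setup()) {
        return FALSE;
    }
    // Clear the request buffer before anything can look at it.
    ZeroMemory(outputbuff, sizeof outputbuff);

    HANDLE th = CreateThread(0, 0, thread_entry, 0, 0, &dw);
    if (th == NULL) {
        return FALSE;
    }
    CloseHandle(th);                  // never joined; the loop runs until process exit

    device = CreateFile("\\\\.\\PROTECTOR", GENERIC_READ | GENERIC_WRITE, 0, 0,
                        OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, 0);
    if (device == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    // The original reads the DWORD one byte past the start of NtCreateSection.
    // That only yields the service index with the 32-bit x86 stub layout -
    // TODO confirm on the target OS. Read via memcpy (the address is not
    // DWORD-aligned); a NULL from GetProcAddress crashed the original here.
    FARPROC proc = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateSection");
    if (proc == NULL) {
        CloseHandle(device);
        device = INVALID_HANDLE_VALUE;
        return FALSE;
    }
    DWORD index;
    memcpy(&index, (const BYTE *)proc + 1, sizeof index);

    controlbuff[0] = index;
    controlbuff[1] = (DWORD)(DWORD_PTR)&outputbuff[0];   // 32-bit protocol, see note above
    if (!DeviceIoControl(device, PROTECTOR_IOCTL_INIT, controlbuff, sizeof controlbuff,
                         controlbuff, sizeof controlbuff, &dw, 0)) {
        return FALSE;
    }
    return TRUE;
}

/************************************************************************/
/* Program entry point: registers the window class, creates the main
   window (which also starts the monitor, see InitInstance) and runs the
   message loop until WM_QUIT. Returns the exit code posted with
   PostQuitMessage, or FALSE when initialisation failed.                  */
/************************************************************************/
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine, int nCmdShow)
{
    MSG msg;
    HACCEL hAccelTable;
    (void)hPrevInstance;              // always NULL on Win32
    (void)lpCmdLine;                  // no command-line options

    // Load the globals used by the window code.
    LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
    LoadString(hInstance, IDC_PROTECTOR, szWindowClass, MAX_LOADSTRING);
    MyRegisterClass(hInstance);

    if (!InitInstance(hInstance, nCmdShow)) {
        return FALSE;
    }
    hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_PROTECTOR));

    // Main message loop.
    while (GetMessage(&msg, NULL, 0, 0)) {
        if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg)) {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    }
    return (int)msg.wParam;
}

/************************************************************************/
/* Registers the main window class. Kept as a separate function (VC
   wizard style) so the application's icon is set up explicitly.
   Returns the class atom, 0 on failure.                                  */
/************************************************************************/
ATOM MyRegisterClass(HINSTANCE hInstance)
{
    WNDCLASSEX wcex = {0};            // zeroed so no member is left indeterminate
    wcex.cbSize        = sizeof(WNDCLASSEX);
    wcex.style         = CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc   = WndProc;
    wcex.cbClsExtra    = 0;
    wcex.cbWndExtra    = 0;
    wcex.hInstance     = hInstance;
    wcex.hIcon         = LoadIcon(hInstance, MAKEINTRESOURCE(IDI_PROTECTOR));
    wcex.hCursor       = LoadCursor(NULL, IDC_ARROW);
    wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
    wcex.lpszMenuName  = MAKEINTRESOURCE(IDC_PROTECTOR);
    wcex.lpszClassName = szWindowClass;
    wcex.hIconSm       = LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL));
    return RegisterClassEx(&wcex);
}

/************************************************************************/
/* Saves the instance handle in a global, creates and shows the main
   window, then starts the monitor (go()). Returns FALSE only when the
   window could not be created; a monitor start-up failure is reported to
   the user but keeps the window alive.                                   */
/************************************************************************/
BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
{
    hInst = hInstance;                // used by WndProc / About

    HWND hWnd = CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW,
                             CW_USEDEFAULT, 0, CW_USEDEFAULT, 0,
                             NULL, NULL, hInstance, NULL);
    if (!hWnd) {
        return FALSE;
    }
    ShowWindow(hWnd, nCmdShow);
    UpdateWindow(hWnd);

    // The original ignored failures here and silently ran with no monitoring.
    if (!go()) {
        MessageBox(hWnd, "Could not load or connect to the protector driver; "
                         "process creation is NOT being monitored.",
                   "WARNING", MB_OK | MB_ICONERROR);
    }
    return TRUE;
}

/************************************************************************/
/* Main window procedure.
   WM_COMMAND  - menu items (About dialog, Exit)
   WM_DESTROY  - closes the device, unloads the driver and posts WM_QUIT  */
/************************************************************************/
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message) {
    case WM_COMMAND:
        switch (LOWORD(wParam)) {     // menu item id; HIWORD (notification code) is unused
        case IDM_ABOUT:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, (DLGPROC)About);
            break;
        case IDM_EXIT:
            DestroyWindow(hWnd);
            break;
        default:
            return DefWindowProc(hWnd, message, wParam, lParam);
        }
        break;
    case WM_DESTROY:
        // Only close what go() actually opened (it may have failed early).
        if (device != NULL && device != INVALID_HANDLE_VALUE) {
            CloseHandle(device);
            device = INVALID_HANDLE_VALUE;
        }
        cleanup();
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}

// Message handler for the About box: closes on OK or Cancel.
LRESULT CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
    (void)lParam;
    switch (message) {
    case WM_INITDIALOG:
        return TRUE;
    case WM_COMMAND:
        if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL) {
            EndDialog(hDlg, LOWORD(wParam));
            return TRUE;
        }
        break;
    default:
        break;
    }
    return FALSE;
}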