windows 64位 系統非HOOK方式監控進程建立

標籤：register   for   code   available   print   reserve   pch   size   sim   

以下內容參考駭客防線2012合訂本354頁

 

MSDN 原話:

The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.

NTSTATUS
  PsSetCreateProcessNotifyRoutineEx(
    IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX  NotifyRoutine,
    IN BOOLEAN  Remove
    );

可以通過這個函數註冊一個回呼函數監控進程建立. 比hook方便很多.

對於CreateProcessNotifyEx:

VOID  CreateProcessNotifyEx(    __inout PEPROCESS  Process,    __in HANDLE  ProcessId,    __in_opt PPS_CREATE_NOTIFY_INFO  CreateInfo    );

其中CreateInfo是

If this parameter is non-NULL, a new process is being created, and CreateInfo points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting. 

空的時候表示進程退出, 非空時表示進程建立.並且裡面:

typedef struct _PS_CREATE_NOTIFY_INFO {  __in SIZE_T  Size;  union {    __in ULONG  Flags;    struct {      __in ULONG  FileOpenNameAvailable : 1;      __in ULONG  Reserved : 31;    };  };  __in HANDLE  ParentProcessId;  //建立者pid  __in CLIENT_ID  CreatingThreadId;  __inout struct _FILE_OBJECT  *FileObject;  __in PCUNICODE_STRING  ImageFileName;//被建立進程完整路徑  __in_opt PCUNICODE_STRING  CommandLine;  __inout NTSTATUS  CreationStatus;  //修改為錯誤的status禁止建立進程} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

 

測試結果:

 

 附上大佬的代碼 (自己加了一些注釋):

//下面2個函式宣告後就能用NTKERNELAPI PCHAR PsGetProcessImageFileName(PEPROCESS Process);NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);PCHAR GetProcessNameByProcessId(HANDLE ProcessId){    NTSTATUS st = STATUS_UNSUCCESSFUL;    PEPROCESS ProcessObj = NULL;    PCHAR string = NULL;    st = PsLookupProcessByProcessId(ProcessId, &ProcessObj);    if (NT_SUCCESS(st))    {        string = PsGetProcessImageFileName(ProcessObj);        ObfDereferenceObject(ProcessObj);    }    return string;}VOIDNotifyCreateProcess(    __inout PEPROCESS Process,//如果是建立(退出),則是被建立(退出)進程的exe名(不包括完整路徑)    __in HANDLE ProcessId,//如果是建立(退出)進程,則是被建立(退出)進程的pid    __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo//如果是建立進程,則裡麵包含被建立進程完整路徑名){    if (CreateInfo)    {    //    DbgPrint("param ProcessId is %d\n", ProcessId); //被建立進程id    //    DbgPrint("param Process is %s\n", PsGetProcessImageFileName(Process));        DbgPrint("%s of who the pid is %d create process %wZ\n",            GetProcessNameByProcessId(CreateInfo->ParentProcessId),            CreateInfo->ParentProcessId,            CreateInfo->ImageFileName);        if (_stricmp("calc.exe", PsGetProcessImageFileName(Process)) == 0)        {            DbgPrint("forbidding start calc.exe!\n");            CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;        }    }    else    {        DbgPrint("process %s exit\n", PsGetProcessImageFileName(Process));    }}

 

windows 64位 系統非HOOK方式監控進程建立