標籤:register for code available print reserve pch size sim
以下內容參考駭客防線2012合訂本354頁
MSDN 原話:
The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.
NTSTATUS
PsSetCreateProcessNotifyRoutineEx(
IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
IN BOOLEAN Remove
);
可以通過這個函數註冊一個回呼函數監控進程建立. 比hook方便很多.
對於CreateProcessNotifyEx:
VOID CreateProcessNotifyEx( __inout PEPROCESS Process, __in HANDLE ProcessId, __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo );
其中CreateInfo是
If this parameter is non-NULL, a new process is being created, and CreateInfo points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting.
空的時候表示進程退出, 非空時表示進程建立.並且裡面:
typedef struct _PS_CREATE_NOTIFY_INFO { __in SIZE_T Size; union { __in ULONG Flags; struct { __in ULONG FileOpenNameAvailable : 1; __in ULONG Reserved : 31; }; }; __in HANDLE ParentProcessId; //建立者pid __in CLIENT_ID CreatingThreadId; __inout struct _FILE_OBJECT *FileObject; __in PCUNICODE_STRING ImageFileName;//被建立進程完整路徑 __in_opt PCUNICODE_STRING CommandLine; __inout NTSTATUS CreationStatus; //修改為錯誤的status禁止建立進程} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
測試結果:
附上大佬的代碼 (自己加了一些注釋):
//下面2個函式宣告後就能用NTKERNELAPI PCHAR PsGetProcessImageFileName(PEPROCESS Process);NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);PCHAR GetProcessNameByProcessId(HANDLE ProcessId){ NTSTATUS st = STATUS_UNSUCCESSFUL; PEPROCESS ProcessObj = NULL; PCHAR string = NULL; st = PsLookupProcessByProcessId(ProcessId, &ProcessObj); if (NT_SUCCESS(st)) { string = PsGetProcessImageFileName(ProcessObj); ObfDereferenceObject(ProcessObj); } return string;}VOIDNotifyCreateProcess( __inout PEPROCESS Process,//如果是建立(退出),則是被建立(退出)進程的exe名(不包括完整路徑) __in HANDLE ProcessId,//如果是建立(退出)進程,則是被建立(退出)進程的pid __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo//如果是建立進程,則裡麵包含被建立進程完整路徑名){ if (CreateInfo) { // DbgPrint("param ProcessId is %d\n", ProcessId); //被建立進程id // DbgPrint("param Process is %s\n", PsGetProcessImageFileName(Process)); DbgPrint("%s of who the pid is %d create process %wZ\n", GetProcessNameByProcessId(CreateInfo->ParentProcessId), CreateInfo->ParentProcessId, CreateInfo->ImageFileName); if (_stricmp("calc.exe", PsGetProcessImageFileName(Process)) == 0) { DbgPrint("forbidding start calc.exe!\n"); CreateInfo->CreationStatus = STATUS_ACCESS_DENIED; } } else { DbgPrint("process %s exit\n", PsGetProcessImageFileName(Process)); }}
windows 64位 系統非HOOK方式監控進程建立