我初学驱动,想做一个监控进程,线程,驱动的程序。就是一旦有进程或者线程创建的时候就弹出对话框,询问用户是否运行,允许的话就放行,不允许的话就返回一个拒绝访问。进程和驱动倒是没什么问题,可是 线程 监控时候,桌面总是有时卡死,因此我判断下要创建的线程是否是 explorer 的,结果还是一样。贴一下代码,请大家指教下
NTSTATUS FakedZwCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended
)
{
LPSTR pszParentPrcName;
LPSTR pszDestPrcName;
ULONG ulAgree;
PEPROCESS EProcess;
NTSTATUS status;
if(!g_RealZwCreateThread)
{
ThreadHandle = NULL;
return STATUS_ACCESS_DENIED;
}
if (!MmIsAddressValid((PVOID)g_UserBuffer) || !g_pEventWaitInApp || !g_pEventWaitInDriver)
{
return g_RealZwCreateThread(ThreadHandle,
DesiredAccess,
ObjectAttributes,
ProcessHandle,
ClientId,
ThreadContext,
InitialTeb,
CreateSuspended);
}
pszParentPrcName = (LPSTR)PsGetProcessImageFileName(PsGetCurrentProcess());
status = ObReferenceObjectByHandle(ProcessHandle,
PROCESS_ALL_ACCESS,
*PsProcessType,
KernelMode,
(PVOID*)&EProcess,
NULL);
if(status == STATUS_SUCCESS)
pszDestPrcName = (LPSTR)PsGetProcessImageFileName(EProcess);
else
pszDestPrcName = "";
//是explorer.exe 创建自己的线程就直接返回
if(strcmp(pszParentPrcName, "explorer.exe") == 0 && strcmp(pszParentPrcName, pszDestPrcName) == 0)
{
return g_RealZwCreateThread(ThreadHandle,
DesiredAccess,
ObjectAttributes,
ProcessHandle,
ClientId,
ThreadContext,
InitialTeb,
CreateSuspended);
}
//等待同步事件,直到同步事件信号
KeWaitForSingleObject(&g_event, Executive, KernelMode, 0, 0);
RtlStringCbPrintfA((LPSTR)g_UserBuffer, 1024, "%s 试图向目标进程 %s 创建启动地址为 %p 的线程",
pszParentPrcName,
pszDestPrcName,
ThreadContext->Eax);
//设置应用程序事件为有信心,让等待的应用程序恢复运行
KeSetEvent(g_pEventWaitInApp, 0, 0);
//等待驱动事件,让应用程序通知驱动运行
KeWaitForSingleObject(g_pEventWaitInDriver, Executive, KernelMode, 0, 0);
ulAgree = *(PULONG)g_UserBuffer;
//设置同步事件为有信号
KeSetEvent(&g_event, 0, 0);
if(ulAgree)
{
return g_RealZwCreateThread(ThreadHandle,
DesiredAccess,
ObjectAttributes,
ProcessHandle,
ClientId,
ThreadContext,
InitialTeb,
CreateSuspended);
}
else
{
ThreadHandle = NULL;
return STATUS_ACCESS_DENIED;
}
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
