-
-
[求助]驱动中进程监控问题
-
发表于: 2014-3-15 22:45
-
我想问的是为什么当应用收到进程打开信息时候:如果我选择“是”层序能迅速的执行!
当我选择“否的时候。系统就会卡着一段很长的时间!这到底是为什么?
下面是我自己的HOOK 函数代码:
驱动中DeviceIoCtrl中几处关键代码情况:
下面是我应用程序中的代码:
当我选择“否的时候。系统就会卡着一段很长的时间!这到底是为什么?
下面是我自己的HOOK 函数代码:
//自定义NtCreateProcessEx
NTSTATUS MyNtCreateProcessEx(__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in HANDLE ParentProcess,
__in ULONG Flags,
__in_opt HANDLE SectionHandle,
__in_opt HANDLE DebugPort,
__in_opt HANDLE ExceptionPort,
__in ULONG JobMemberLevel)
{
DbgPrint("FUCK!!!!!\r\n");
DbgPrint("Entry MyNtCreateProcessEx Successful!\r\n");
CHAR szFullPath[MAX_PATH] = {0};
GetFullName(SectionHandle, szFullPath); //获得全路径名
DbgPrint("FileFullPath: %s\r\n", szFullPath);
PPROCESSCTRLTABLEINFOLIST pPrcessInfoList = (PPROCESSCTRLTABLEINFOLIST)ExAllocatePool(NonPagedPool, sizeof(PROCESSCTRLTABLEINFOLIST));
SetFullPathToProcessInfo(szFullPath, &pPrcessInfoList->ProcessCtrlTableInfo); //获得进程PROCESSCTRLTABLEINFO信息
if (IsListEmpty(&g_List))
{
InsertTailList(&g_List, &pPrcessInfoList->ListEntry);
KeSetEvent(&g_KernEvent, IO_NO_INCREMENT, FALSE);
}
else
{
InsertTailList(&g_List, &pPrcessInfoList->ListEntry);
}
KeWaitForSingleObject(&g_UserEnent, Executive, KernelMode, FALSE, NULL);
if (g_iIsCreateProcess)
{
g_iIsCreateProcess = 0; //再次初始化 参数
return g_pfnRealNtCreateProcessEx(ProcessHandle, DesiredAccess,
ObjectAttributes, ParentProcess, Flags,
SectionHandle, DebugPort, ExceptionPort,
JobMemberLevel);
}
else
{
//使返回句柄为空,这样就无法创建进程
ProcessHandle = NULL;
return STATUS_ACCESS_DENIED;
}
}驱动中DeviceIoCtrl中几处关键代码情况:
case IOCTRL_GET_PROCESS:
{
// 传送信息到应用程序
PLIST_ENTRY pList = NULL;
PPROCESSCTRLTABLEINFOLIST pStruct = NULL;
pIrp->IoStatus.Information = 0;
if (IsListEmpty(&g_List))
{
KeWaitForSingleObject(&g_KernEvent, Executive, KernelMode, FALSE, NULL);
}
pList = RemoveHeadList(&g_List);
PrintfList();
pStruct = CONTAINING_RECORD(pList, PROCESSCTRLTABLEINFOLIST, ListEntry);
RtlCopyMemory(pIoBuff, &pStruct->ProcessCtrlTableInfo, ulOutSize);
DbgPrint("[DeviceIoCtrl] IOCTRL_GET_PROCESS %s\r\n", pStruct->ProcessCtrlTableInfo.ustrFilePath);
pIrp->IoStatus.Information = ulOutSize;
status = STATUS_SUCCESS;
DbgPrint("[DeviceIoCtrl] IOCTRL_GET_PRICESS End\r\n");
}
case IOCTRL_CANRUN:
{
g_iIsCreateProcess = *(int *)pIoBuff;
pIrp->IoStatus.Information = 0;
status = STATUS_SUCCESS;
}
case IOCTRL_SET_USER_EVENT:
{
KeSetEvent(&g_UserEnent, IO_NO_INCREMENT, FALSE);
}下面是我应用程序中的代码:
UINT ListenerOfNtCreateProcess(LPVOID pParam)
{
DWORD dwRet;
int nCanRun = 0;
//打开驱动设备
HANDLE hDevice; //打开设备的句柄
hDevice = CreateFile("\\\\.\\ProcessCtrlKrn",
GENERIC_ALL,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
AfxMessageBox("打开驱动失败!");
return 0;
}
while(1)
{
/*
if (!g_bHook)
{
Sleep(10);
continue;
}*/
Sleep(10);
PROCESSCTRLTABLEINFO ProcessInfo = {0};
//IR派遣事件没完成之前 等待其完成
DeviceIoControl(hDevice, IOCTRL_GET_PROCESS, NULL, 0, &ProcessInfo,
sizeof(PROCESSCTRLTABLEINFO), &dwRet, NULL);
if (0 == strlen(ProcessInfo.ustrFilePath))
{
continue;
}
//判断是否在白名单中
if (IsInWhiteList(&theApp.m_listProcessInfo, &ProcessInfo))
{
nCanRun = 1;
//传递nCanRun 为真进入驱动中 驱动中根据nCanRun 的值判断是否允许程序执行
DeviceIoControl(hDevice, IOCTRL_CANRUN, &nCanRun,
sizeof(int), NULL, 0, &dwRet, NULL);
//触发MyCreateProcessEx中的同步事件
DeviceIoControl(hDevice, IOCTRL_SET_USER_EVENT, NULL, 0, NULL,
0, &dwRet, NULL);
}
else
{
char szText[1024*2] = {0};
strcat_s(szText, "未知程序:\r\n");
strcat_s(szText, ProcessInfo.ustrFileName);
strcat_s(szText, "\r\n不在白名单中!是否加入白名单?");
if(IDYES == MessageBox(NULL, szText, "提示", MB_YESNO))
{
AfxBeginThread(AddInfo, &ProcessInfo);
nCanRun = 1; //设置允许执行
//传递nCanRun 为真进入驱动中 驱动中根据nCanRun 的值判断是否允许程序执行
DeviceIoControl(hDevice, IOCTRL_CANRUN, &nCanRun,
sizeof(int), NULL, 0, &dwRet, NULL);
//触发MyCreateProcessEx中的同步事件
DeviceIoControl(hDevice, IOCTRL_SET_USER_EVENT, NULL, 0, NULL,
0, &dwRet, NULL);
}
else
{
nCanRun = 0; //设置阻止执行
//传递nCanRun 为真进入驱动中 驱动中根据nCanRun 的值判断是否允许程序执行
DeviceIoControl(hDevice, IOCTRL_CANRUN, &nCanRun,
sizeof(int), NULL, 0, &dwRet, NULL);
//触发MyCreateProcessEx中的同步事件
DeviceIoControl(hDevice, IOCTRL_SET_USER_EVENT, NULL, 0, NULL,
0, &dwRet, NULL);
}
}
}
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
