Hacker Techniques: Process and Thread Monitoring That Unloads Safely
2007-01-29   

By now everyone is thoroughly familiar with using PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine for process and thread monitoring. A while ago I came across an article on monitoring remote threads, which looked interesting, so I wrote some code to play with it. A few problems turned up along the way. For instance, if you use sinister's code as-is, the driver cannot be unloaded dynamically: it never removes the process/thread notify routines it installed, so unloading it blue-screens the machine.

The bugcheck code is 0x000000CE, and the error is:

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS

Clearly, after the driver has gone, process and thread creation are still calling into its old addresses, and that faults. From XP onward Microsoft provides PsRemoveCreateThreadNotifyRoutine to remove a thread notify routine (a process notify routine is removed through PsSetCreateProcessNotifyRoutine itself, with Remove set to TRUE). I had always wondered how IceSword managed process/thread monitoring on Windows 2000. It turns out that when IceSword runs it drops a detport.sys, which then stays resident in the system and is never unloaded, merely hidden. That is not good news: does it mean I have to reboot after every single test of a driver? Of course not, so let's find a way around it.

Let's look at how process/thread notification is implemented underneath. In the Windows 2000 source, first find the routine that creates a thread:

//////////////////////////////////////////////////////////////////////////////////////////
//
//   \win2k\private\ntos\ps\create.h
//
//////////////////////////////////////////////////////////////////////////////////////////
NTSTATUS
PspCreateThread(
    ...
    ...
    )
{
    ...
        if (PspCreateProcessNotifyRoutineCount != 0) {        // reached for the first thread of a new
            ULONG i;                                          // process: process notify routines run first
            for (i=0; i<PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
                if (PspCreateProcessNotifyRoutine[i] != NULL) {
                    (*PspCreateProcessNotifyRoutine[i])(Process->InheritedFromUniqueProcessId,
                                                         Process->UniqueProcessId,
                                                         TRUE
                                                       );
                }
            }
        }
    ...
    ...
    if (PspCreateThreadNotifyRoutineCount != 0) {            // then the thread notify routines
        ULONG i;

        for (i=0; i<PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
            if (PspCreateThreadNotifyRoutine[i] != NULL) {
                (*PspCreateThreadNotifyRoutine[i])(Thread->Cid.UniqueProcess,
                                                    Thread->Cid.UniqueThread,
                                                    TRUE
                                                   );
            }
        }
    }
    ...
    ...
}

As the excerpt shows, every time a thread is created the kernel calls the function that each non-NULL PspCreateThreadNotifyRoutine[i] points to (and, for the first thread of a new process, each PspCreateProcessNotifyRoutine[i] before that). PsSetCreateThreadNotifyRoutine does nothing more than store the address of the monitor routine into a free slot of the PspCreateThreadNotifyRoutine[] array:

NTSTATUS
PsSetCreateThreadNotifyRoutine(
    IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
    )
{
    ULONG i;
    NTSTATUS Status;

    Status = STATUS_INSUFFICIENT_RESOURCES;
    for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i += 1) {
        if (PspCreateThreadNotifyRoutine[i] == NULL) {
            PspCreateThreadNotifyRoutine[i] = NotifyRoutine;
            PspCreateThreadNotifyRoutineCount += 1;
            Status = STATUS_SUCCESS;
            break;
        }
    }

    return Status;
}

上面的一些結(jié)構(gòu)如下:

//////////////////////////////////////////////////////////////////////////////////////////
//
//   \win2k\private\ntos\ps\psp.h
//
//////////////////////////////////////////////////////////////////////////////////////////
#define PSP_MAX_CREATE_THREAD_NOTIFY 8        // maximum number of registered routines

ULONG PspCreateThreadNotifyRoutineCount;    // how many slots are in use
PCREATE_THREAD_NOTIFY_ROUTINE PspCreateThreadNotifyRoutine[ PSP_MAX_CREATE_THREAD_NOTIFY ];    // array of routine addresses

PCREATE_THREAD_NOTIFY_ROUTINE itself is defined as:

typedef
VOID
(*PCREATE_THREAD_NOTIFY_ROUTINE)(
    IN HANDLE ProcessId,
    IN HANDLE ThreadId,
    IN BOOLEAN Create
    );

The process side is structured the same way (PSP_MAX_CREATE_PROCESS_NOTIFY, PspCreateProcessNotifyRoutineCount and PspCreateProcessNotifyRoutine[]).

So all we have to do is find that array: when our driver unloads, we zero the whole table, PSP_MAX_CREATE_THREAD_NOTIFY entries of one pointer each. The next process or thread creation then no longer reaches our function pointer, and the system is back to normal. Two things to be aware of: zeroing the table also removes every other driver's thread notify routine, and it leaves PspCreateThreadNotifyRoutineCount where it was (the count is only ever compared with zero, so nothing breaks, but it no longer matches the table). Let's confirm the picture with PsSetCreateProcessNotifyRoutine, which handles both registering and removing:

NTSTATUS
PsSetCreateProcessNotifyRoutine(
    IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
    IN BOOLEAN Remove
    )
{
    ULONG i;

    for (i=0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
        if (Remove) {
            if (PspCreateProcessNotifyRoutine[i] == NotifyRoutine) {    // removal is a plain store of NULL
                PspCreateProcessNotifyRoutine[i] = NULL;
                PspCreateProcessNotifyRoutineCount -= 1;        // and the counter goes down by one
                return STATUS_SUCCESS;
            }
        } else {
            if (PspCreateProcessNotifyRoutine[i] == NULL) {        // registration is a plain store as well
                PspCreateProcessNotifyRoutine[i] = NotifyRoutine;
                PspCreateProcessNotifyRoutineCount += 1;        // and the counter goes up by one
                return STATUS_SUCCESS;
            }
        }
        }
    }

    return Remove ? STATUS_PROCEDURE_NOT_FOUND : STATUS_INVALID_PARAMETER;
}
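The set/remove/dispatch logic above, as an added user-mode model that is not part of the original article or of Windows: it mimics the PspCreateThreadNotifyRoutine[] table with plain function pointers, registers a second "driver" next to ours, and compares the three ways our driver can leave the table behind at unload: removing nothing (what sinister's code did), zeroing all eight slots (what this article does), and removing only our own slot (what PsRemoveCreateThreadNotifyRoutine does). The Model* functions, the two monitor stubs and the counters are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PSP_MAX_CREATE_THREAD_NOTIFY 8

typedef void (*PCREATE_THREAD_NOTIFY_ROUTINE)(uintptr_t ProcessId, uintptr_t ThreadId, int Create);

/* The kernel's table as declared in psp.h: one slot per registered routine, plus a count. */
static PCREATE_THREAD_NOTIFY_ROUTINE PspCreateThreadNotifyRoutine[PSP_MAX_CREATE_THREAD_NOTIFY];
static unsigned long PspCreateThreadNotifyRoutineCount;

/* PsSetCreateThreadNotifyRoutine: store the routine in the first free slot. */
int ModelSetThreadNotify(PCREATE_THREAD_NOTIFY_ROUTINE r)
{
    unsigned i;
    for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
        if (PspCreateThreadNotifyRoutine[i] == NULL) {
            PspCreateThreadNotifyRoutine[i] = r;
            PspCreateThreadNotifyRoutineCount += 1;
            return 0;                               /* STATUS_SUCCESS */
        }
    }
    return -1;                                      /* STATUS_INSUFFICIENT_RESOURCES */
}

/* PsRemoveCreateThreadNotifyRoutine: clear only the slot that holds this routine. */
int ModelRemoveThreadNotify(PCREATE_THREAD_NOTIFY_ROUTINE r)
{
    unsigned i;
    for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
        if (PspCreateThreadNotifyRoutine[i] == r) {
            PspCreateThreadNotifyRoutine[i] = NULL;
            PspCreateThreadNotifyRoutineCount -= 1;
            return 0;
        }
    }
    return -1;                                      /* STATUS_PROCEDURE_NOT_FOUND */
}

/* The article's unload path: zero all eight slots, leave the count alone. */
void ModelWipeAllSlots(void)
{
    memset(PspCreateThreadNotifyRoutine, 0, sizeof(PspCreateThreadNotifyRoutine));
}

/* PspCreateThread's loop: call every non-NULL slot for the new thread. */
void ModelCreateThread(uintptr_t pid, uintptr_t tid)
{
    unsigned i;
    if (PspCreateThreadNotifyRoutineCount == 0)
        return;
    for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++)
        if (PspCreateThreadNotifyRoutine[i] != NULL)
            (*PspCreateThreadNotifyRoutine[i])(pid, tid, 1);
}

/* Two registrants: our driver, and another driver that was loaded before us. */
static int ours_unloaded, our_stale_calls, other_hits;

static void OurMon(uintptr_t p, uintptr_t t, int c)
{
    (void)p; (void)t; (void)c;
    if (ours_unloaded)          /* in the real kernel this call lands in unmapped code: bugcheck 0xCE */
        our_stale_calls++;
}

static void OtherMon(uintptr_t p, uintptr_t t, int c) { (void)p; (void)t; (void)c; other_hits++; }

enum UnloadStyle { UNLOAD_NO_REMOVE, UNLOAD_WIPE_ALL, UNLOAD_REMOVE_OURS };

/* Register both drivers, create a thread, unload ours in the given style, create
 * another thread.  Returns how many times our unloaded routine was still called. */
int StaleCallsAfterUnload(enum UnloadStyle style)
{
    memset(PspCreateThreadNotifyRoutine, 0, sizeof(PspCreateThreadNotifyRoutine));
    PspCreateThreadNotifyRoutineCount = 0;
    ours_unloaded = our_stale_calls = other_hits = 0;

    ModelSetThreadNotify(OtherMon);
    ModelSetThreadNotify(OurMon);
    ModelCreateThread(100, 101);                    /* both drivers see this one */
    if (style == UNLOAD_WIPE_ALL)
        ModelWipeAllSlots();
    else if (style == UNLOAD_REMOVE_OURS)
        ModelRemoveThreadNotify(OurMon);
    ours_unloaded = 1;                              /* our image is gone from here on */
    ModelCreateThread(100, 102);
    return our_stale_calls;
}

/* Same scenario; total notifications the other driver received. */
int OtherDriverHits(enum UnloadStyle style) { StaleCallsAfterUnload(style); return other_hits; }

/* Same scenario; the count the kernel is left with. */
unsigned long CountAfterUnload(enum UnloadStyle style) { StaleCallsAfterUnload(style); return PspCreateThreadNotifyRoutineCount; }

int main(void)
{
    int s;
    for (s = UNLOAD_NO_REMOVE; s <= UNLOAD_REMOVE_OURS; s++)
        printf("style %d: stale calls into us %d, other driver hits %d, count %lu\n", s,
               StaleCallsAfterUnload((enum UnloadStyle)s), OtherDriverHits((enum UnloadStyle)s),
               CountAfterUnload((enum UnloadStyle)s));
    return 0;
}
```

Not removing anything leaves one call into our unloaded code (the 0xCE case); zeroing the table stops that but also silences the other driver and leaves the count at 2; removing only our slot is the only variant where the other driver keeps receiving notifications and the count stays consistent.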

With the method settled, finding the address is all that stands between us and a clean exit. Here is PsRemoveCreateThreadNotifyRoutine on Windows 2003 (the debugger had no private symbols, so the call targets are shown as offsets from the nearest exported symbol rather than under their own names):

lkd> u PsRemoveCreateThreadNotifyRoutine l 20
nt!PsRemoveCreateThreadNotifyRoutine:
80651d7b 53               push    ebx
80651d7c 56               push    esi
80651d7d 57               push    edi
80651d7e 33db             xor     ebx,ebx
80651d80 bf400f5780       mov     edi,0x80570f40    // start of the PspCreateThreadNotifyRoutine array
80651d85 57               push    edi
80651d86 e8a7500100 call nt!ExWaitForRundownProtectionRelease+0x5cf (80666e32)
80651d8b 8bf0             mov     esi,eax
80651d8d 85f6             test    esi,esi
80651d8f 7420         jz nt!PsRemoveCreateThreadNotifyRoutine+0x36 (80651db1)
80651d91 56               push    esi
80651d92 e8ba1bffff      call nt!IoReportTargetDeviceChange+0x7aa0 (80643951)
80651d97 3b442410         cmp     eax,[esp+0x10]
80651d9b 750d        jnz nt!PsRemoveCreateThreadNotifyRoutine+0x2f (80651daa)
80651d9d 56               push    esi
80651d9e 6a00             push    0x0
80651da0 57               push    edi
80651da1 e8c54f0100 call nt!ExWaitForRundownProtectionRelease+0x508 (80666d6b)
80651da6 84c0             test    al,al
80651da8 751b        jnz nt!PsRemoveCreateThreadNotifyRoutine+0x4a (80651dc5)
80651daa 56               push    esi
80651dab 57               push    edi
80651dac e892510100 call nt!ExWaitForRundownProtectionRelease+0x6e0 (80666f43)
80651db1 43               inc     ebx
80651db2 83c704           add     edi,0x4
80651db5 83fb08           cmp     ebx,0x8    // stop after PSP_MAX_CREATE_THREAD_NOTIFY (8) slots
80651db8 72cb          jb nt!PsRemoveCreateThreadNotifyRoutine+0xa (80651d85)
80651dba b87a0000c0       mov     eax,0xc000007a    // STATUS_PROCEDURE_NOT_FOUND: routine was not in the table
80651dbf 5f               pop     edi
80651dc0 5e               pop     esi
80651dc1 5b               pop     ebx
80651dc2 c20400           ret     0x4

lkd> dd 0x80570f40                // after a notify routine has been registered
80570f40  e316e557 00000000 00000000 00000000
.............................

lkd> dd 0x80570f40                // after it has been removed
80570f40  00000000 00000000 00000000 00000000

Here is the implementation. It monitors process and thread creation and also detects remote threads:

Drivers.c
//////////////////////////////////////////////////////////////////////////////////////////
// 
// Made By ZwelL

#include "ntddk.h"
#include "windef.h"
#include "define.h"

#define SYSNAME    "System"
#define VERSIONLEN 100

const WCHAR devLink[]  = L"\\??\\MyEvent";
const WCHAR devName[]  = L"\\Device\\MyEvent";
UNICODE_STRING  devNameUnicd;
UNICODE_STRING  devLinkUnicd;
PVOID           gpEventObject = NULL;   // event object shared with the user-mode program
ULONG           ProcessNameOffset = 0;  // offset of ImageFileName inside EPROCESS
CHAR            outBuf[255];            // one formatted report line, fetched via IOCTL_PASSBUF
BOOL            g_bMainThread;          // set when a process is created, cleared once a remote thread is seen
HANDLE          g_dwParentId;           // parent PID of the most recently created process
CHECKLIST       CheckList;              // what to report (filled in by IOCTL_PASSEVSTRUCT)
ULONG           BuildNumber;            // OS build number
WCHAR           Version[VERSIONLEN];    // service pack string (CSDVersion)

// Not declared in the Windows 2000 DDK headers, but exported by ntoskrnl.
// The returned EPROCESS is referenced and must be released with ObDereferenceObject.
NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId, OUT PEPROCESS *Process);

// Locate EPROCESS.ImageFileName by scanning the current EPROCESS for "System".
// DriverEntry normally runs in the System process, and the offset differs between
// builds, so it is discovered at run time instead of being hard-coded.
ULONG GetProcessNameOffset()
{
    PEPROCESS curproc = PsGetCurrentProcess();
    ULONG i;

    for (i = 0; i < 3 * PAGE_SIZE; i++)
    {
        if (!strncmp(SYSNAME, (PCHAR)curproc + i, strlen(SYSNAME)))
            return i;
    }

    return 0;
}

// Reads the REG_SZ value ValueName under RegPath into Value, which must hold
// VERSIONLEN WCHARs.  Returns 1 on success and 0 on any failure.
int GetRegValue(PCWSTR RegPath, PCWSTR ValueName, PWCHAR Value)
{
    int ReturnValue = 0;
    NTSTATUS Status;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE KeyHandle;
    PKEY_VALUE_PARTIAL_INFORMATION valueInfoP;
    ULONG valueInfoLength, returnLength, copyLength;
    UNICODE_STRING UnicodeRegPath;
    UNICODE_STRING UnicodeValueName;

    RtlZeroMemory(Value, VERSIONLEN * sizeof(WCHAR));   // the caller always gets a terminated string
    RtlInitUnicodeString(&UnicodeRegPath, RegPath);
    RtlInitUnicodeString(&UnicodeValueName, ValueName);

    InitializeObjectAttributes(&ObjectAttributes,
        &UnicodeRegPath,
        OBJ_CASE_INSENSITIVE, // Flags
        NULL, // Root directory
        NULL); // Security descriptor

    Status = ZwOpenKey(&KeyHandle,
        KEY_READ,                                        // read access is all we need
        &ObjectAttributes);
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("ZwOpenKey failed: %08x\n", Status);
        return 0;
    }

    valueInfoLength = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + VERSIONLEN * sizeof(WCHAR);
    valueInfoP = (PKEY_VALUE_PARTIAL_INFORMATION) ExAllocatePool(NonPagedPool, valueInfoLength);
    if (valueInfoP == NULL)
    {
        ZwClose(KeyHandle);
        return 0;
    }

    Status = ZwQueryValueKey(KeyHandle,
        &UnicodeValueName,
        KeyValuePartialInformation,
        valueInfoP,
        valueInfoLength,
        &returnLength);

    if (!NT_SUCCESS(Status))
    {
        DbgPrint("ZwQueryValueKey failed: %08x\n", Status);
    }
    else
    {
        // Copy at most VERSIONLEN-1 characters so the terminator written above survives.
        copyLength = valueInfoP->DataLength;
        if (copyLength > (VERSIONLEN - 1) * sizeof(WCHAR))
            copyLength = (VERSIONLEN - 1) * sizeof(WCHAR);
        RtlCopyMemory(Value, valueInfoP->Data, copyLength);
        ReturnValue = 1;
    }

    ExFreePool(valueInfoP);
    ZwClose(KeyHandle);
    return ReturnValue;
}

#include <stdarg.h>

// Format one report line into outBuf, echo it to the debugger and wake the user-mode
// reader.  outBuf is a single buffer written from whatever thread context the notify
// routine happens to run in, without a lock: two notifications close together leave
// only the later one for the reader to fetch.
static VOID Report(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    _vsnprintf(outBuf, sizeof(outBuf) - 1, fmt, ap);
    va_end(ap);
    outBuf[sizeof(outBuf) - 1] = '\0';          // _vsnprintf does not terminate on truncation
    DbgPrint("%s", outBuf);
    if (gpEventObject != NULL)
        KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
}

// Clears the kernel's PspCreateThreadNotifyRoutine[] table by writing zeros over its
// eight slots at a hard-coded, build-specific address.  Caveats: NotifyRoutine is not
// consulted, so every other driver's thread notify routine is removed as well; the
// matching count is left as it was; and on XP/2003 the slots hold references to
// callback blocks rather than raw function pointers, which this leaks.  On XP and later
// the exported PsRemoveCreateThreadNotifyRoutine does the job properly.
VOID MyRemoveCreateThreadNotifyRoutine(
                                       IN PCREATE_THREAD_NOTIFY_ROUTINE  NotifyRoutine
                                       )
{
    //PsRemoveCreateThreadNotifyRoutine(NotifyRoutine);
    PVOID ptr = NULL;

    UNREFERENCED_PARAMETER(NotifyRoutine);

    if (BuildNumber == 2195)                                  // Windows 2000 SP4 (build 2195);
    {                                                         // earlier service packs were not tested
        ptr = (PVOID)0x80484520;
    }
    else if (BuildNumber == 2600)
    {
        if (wcscmp(Version, L"Service Pack 1") == 0)          // Windows XP SP1 (build 2600)
            ptr = (PVOID)0x8054efc0;
        else if (wcscmp(Version, L"Service Pack 2") == 0)     // Windows XP SP2 (build 2600)
            ptr = (PVOID)0x80561d20;
    }
    else if (BuildNumber == 3790)                             // Windows Server 2003 (build 3790)
    {
        ptr = (PVOID)0x80570f40;
    }
    if (ptr != NULL)
        memset(ptr, 0, sizeof(PVOID) * 8);                    // PSP_MAX_CREATE_THREAD_NOTIFY slots
}

VOID ThreadCreateMon (IN HANDLE PId, IN HANDLE TId, IN BOOLEAN  bCreate)
{
    PEPROCESS   EProcess = NULL, PEProcess = NULL;
    NTSTATUS    status;
    HANDLE      dwParentPID;
    // PID of the System process: 8 on Windows 2000 (build 2195), 4 on XP and later.
    HANDLE      systemPid = (HANDLE)(BuildNumber == 2195 ? 8 : 4);

    if (!bCreate)
    {
        if (CheckList.SHOWTERMINATETHREAD)
            Report("TERMINATED == THREAD ID: %d\n", (ULONG)TId);
        return;
    }

    if (PId == systemPid)            // threads created inside the System process are not reported
        return;

    status = PsLookupProcessByProcessId(PId, &EProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsLookupProcessByProcessId(%d) failed: %08x\n", (ULONG)PId, status);
        return;
    }

    // The thread notify routine runs in the context of the thread that issued the
    // create, so the current process is the creator, whichever process the new
    // thread belongs to.
    dwParentPID = PsGetCurrentProcessId();
    status = PsLookupProcessByProcessId(dwParentPID, &PEProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsLookupProcessByProcessId(%d) failed: %08x\n", (ULONG)dwParentPID, status);
        ObDereferenceObject(EProcess);
        return;
    }

    // Remote thread: created from another process that is not the parent currently
    // starting the new process's initial thread.  g_dwParentId/g_bMainThread are set
    // by ProcessCreateMon and describe only the most recently created process, and
    // they are shared between threads without a lock, so this is a heuristic.
    if ((g_bMainThread == TRUE)
        && (g_dwParentId != dwParentPID)
        && (dwParentPID != PId)
        )
    {
        g_bMainThread = FALSE;
        Report("=============================="
            "Remote Thread :"
            "=============================="
            "\nT:%18s%9d%9d%25s%9d\n"
            "======================================"
            "======================================\n",
            (char *)EProcess + ProcessNameOffset,
            (ULONG)PId, (ULONG)TId,
            (char *)PEProcess + ProcessNameOffset, (ULONG)dwParentPID);
    }

    if (!CheckList.ONLYSHOWREMOTETHREAD)   // otherwise every thread is reported
        Report("T:%18s%9d%9d%25s%9d\n",
            (char *)EProcess + ProcessNameOffset,
            (ULONG)PId, (ULONG)TId,
            (char *)PEProcess + ProcessNameOffset, (ULONG)dwParentPID);

    ObDereferenceObject(PEProcess);
    ObDereferenceObject(EProcess);
}


VOID ProcessCreateMon ( HANDLE hParentId, HANDLE PId, BOOLEAN bCreate )
{
    PEPROCESS   EProcess = NULL, PProcess = NULL;
    NTSTATUS    status;

    if (!bCreate)
    {
        if (CheckList.SHOWTERMINATEPROCESS)
            Report("TERMINATED == PROCESS ID: %d\n", (ULONG)PId);
        return;
    }

    status = PsLookupProcessByProcessId(PId, &EProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsLookupProcessByProcessId(%d) failed: %08x\n", (ULONG)PId, status);
        return;
    }
    status = PsLookupProcessByProcessId(hParentId, &PProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsLookupProcessByProcessId(%d) failed: %08x\n", (ULONG)hParentId, status);
        ObDereferenceObject(EProcess);
        return;
    }

    // Remember the parent of the newest process: ThreadCreateMon uses it to tell the
    // parent starting the initial thread apart from an injected remote thread.
    g_dwParentId  = hParentId;
    g_bMainThread = TRUE;

    // The process notify routine also runs in the creator's context, so the TID
    // column is the parent's thread that called CreateProcess.
    Report("P:%18s%9d%9d%25s%9d\n",
        (char *)EProcess + ProcessNameOffset,
        (ULONG)PId, (ULONG)PsGetCurrentThreadId(),
        (char *)PProcess + ProcessNameOffset,
        (ULONG)hParentId
        );

    ObDereferenceObject(PProcess);
    ObDereferenceObject(EProcess);
}

VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    NTSTATUS            status;
    DbgPrint("OnUnload called\n");

    // Unregister first: once the callbacks are gone no new notification can run
    // into our code after the image is unmapped (bugcheck 0xCE), and none can
    // touch the event object we release below.  Nothing here waits for a notify
    // routine that is already executing on another CPU, so a small window remains.
    PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
    MyRemoveCreateThreadNotifyRoutine(ThreadCreateMon);

    if (gpEventObject)
    {
        ObDereferenceObject(gpEventObject);
        gpEventObject = NULL;
    }
    if (pDriverObject->DeviceObject != NULL)
    {
        status = IoDeleteSymbolicLink( &devLinkUnicd );
        if ( !NT_SUCCESS( status ) )
            DbgPrint("IoDeleteSymbolicLink() failed: %08x\n", status);
        IoDeleteDevice( pDriverObject->DeviceObject );
    }
}

NTSTATUS DeviceIoControlDispatch(
                                 IN  PDEVICE_OBJECT  DeviceObject,
                                 IN  PIRP            pIrp
                                 )
{
    PIO_STACK_LOCATION              irpStack;
    NTSTATUS                        status = STATUS_SUCCESS;
    ULONG_PTR                       bytesReturned = 0;
    PVOID                           inputBuffer;
    ULONG                           inputLength;
    ULONG                           outputLength;
    OBJECT_HANDLE_INFORMATION       objHandleInfo;
    PVOID                           newEvent = NULL;

    UNREFERENCED_PARAMETER(DeviceObject);

    irpStack = IoGetCurrentIrpStackLocation(pIrp);

    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_CREATE :
        DbgPrint("Call IRP_MJ_CREATE\n");
        break;
    case IRP_MJ_CLOSE:
        DbgPrint("Call IRP_MJ_CLOSE\n");
        break;
    case IRP_MJ_DEVICE_CONTROL:
        // Every IOCTL here is METHOD_BUFFERED: input and output share SystemBuffer,
        // and the I/O manager copies IoStatus.Information bytes of it back to the
        // caller on completion.  The lengths come from user mode and are checked
        // before the buffer is touched.
        inputBuffer  = pIrp->AssociatedIrp.SystemBuffer;
        inputLength  = irpStack->Parameters.DeviceIoControl.InputBufferLength;
        outputLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;

        switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
        {
        case IOCTL_PASSEVENT:       // user mode hands us the event it waits on
            if (inputLength < sizeof(HANDLE))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            // The handle belongs to the calling process: resolve it as a user-mode
            // handle and insist that it is an event, so a handle to some other
            // object type can never reach KeSetEvent.
            status = ObReferenceObjectByHandle(*(HANDLE *)inputBuffer,
                EVENT_MODIFY_STATE,
                *ExEventObjectType,
                UserMode,
                &newEvent,
                &objHandleInfo);
            if (!NT_SUCCESS(status))
            {
                DbgPrint("ObReferenceObjectByHandle failed: %08x\n", status);
                break;
            }
            if (gpEventObject != NULL)          // drop the reference from a previous registration
                ObDereferenceObject(gpEventObject);
            gpEventObject = newEvent;
            break;
        case IOCTL_UNPASSEVENT:
            if (gpEventObject != NULL)
            {
                ObDereferenceObject(gpEventObject);
                gpEventObject = NULL;           // so OnUnload does not dereference it again
            }
            DbgPrint("UNPASSEVENT called\n");
            break;
        case IOCTL_PASSBUF:         // fetch the last formatted report line
            bytesReturned = outputLength < sizeof(outBuf) ? outputLength : sizeof(outBuf);
            if (bytesReturned != 0)
                RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, outBuf, bytesReturned);
            break;
        case IOCTL_PASSEVSTRUCT:    // report options
            if (inputLength < sizeof(CheckList))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            RtlCopyMemory(&CheckList, inputBuffer, sizeof(CheckList));
            DbgPrint("%d:%d\n", CheckList.ONLYSHOWREMOTETHREAD, CheckList.SHOWTHREAD);
            break;
        default:
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
        break;
    default:
        DbgPrint("Call IRP_MJ_UNKNOWN\n");
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = bytesReturned;
    IoCompleteRequest (pIrp, IO_NO_INCREMENT);
    return status;
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    NTSTATUS                Status;
    PDEVICE_OBJECT          pDevice;

    UNREFERENCED_PARAMETER(theRegistryPath);

    DbgPrint("DriverEntry called!\n");
    g_bMainThread = FALSE;
    RtlZeroMemory(&CheckList, sizeof(CheckList));

    // Build number and service pack string select the PspCreateThreadNotifyRoutine
    // address used at unload time (see MyRemoveCreateThreadNotifyRoutine).
    if (1 != GetRegValue(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                         L"CSDVersion", Version))
    {
        DbgPrint("GetRegValue(CSDVersion) failed\n");
    }
    PsGetVersion(NULL, NULL, &BuildNumber, NULL);
    DbgPrint("[[[%d]]]:[[[%ws]]]\n", BuildNumber, Version);

    RtlInitUnicodeString (&devNameUnicd, devName );
    RtlInitUnicodeString (&devLinkUnicd, devLink );

    Status = IoCreateDevice ( pDriverObject,
        0,
        &devNameUnicd,
        FILE_DEVICE_UNKNOWN,
        0,
        TRUE,
        &pDevice );
    if( !NT_SUCCESS(Status))
    {
        DbgPrint("Can not create device: %08x\n", Status);
        return Status;
    }

    Status = IoCreateSymbolicLink (&devLinkUnicd, &devNameUnicd);
    if( !NT_SUCCESS(Status))
    {
        DbgPrint("Cannot create link: %08x\n", Status);
        IoDeleteDevice(pDevice);
        return Status;
    }

    ProcessNameOffset = GetProcessNameOffset();

    pDriverObject->DriverUnload  = OnUnload;
    pDriverObject->MajorFunction[IRP_MJ_CREATE] =
        pDriverObject->MajorFunction[IRP_MJ_CLOSE] =
        pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControlDispatch;

    // Register the process routine first, so that every process whose threads we
    // go on to see has already been reported together with its parent.
    Status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS( Status ))
    {
        DbgPrint("PsSetCreateProcessNotifyRoutine() failed: %08x\n", Status);
        IoDeleteSymbolicLink(&devLinkUnicd);
        IoDeleteDevice(pDevice);
        return Status;
    }

    Status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
    if (!NT_SUCCESS( Status ))
    {
        // Undo everything: a failed DriverEntry is unloaded without DriverUnload
        // being called, and a registered routine would otherwise point into nothing.
        DbgPrint("PsSetCreateThreadNotifyRoutine() failed: %08x\n", Status);
        PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
        IoDeleteSymbolicLink(&devLinkUnicd);
        IoDeleteDevice(pDevice);
        return Status;
    }

    return STATUS_SUCCESS;
}
//////////////////////////////////////////////////////////////////////////////////////////


main.c, where an event is used to communicate with the driver:
//////////////////////////////////////////////////////////////////////////////////////////
// Made By ZwelL

#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include "define.h"

int main()
{
    HANDLE      hDevice;
    BOOL        status;
    HANDLE      m_hCommEvent;
    ULONG       dwReturn;
    char        outbuf[255];
    CHECKLIST   CheckList;

    hDevice = CreateFile( "\\\\.\\MyEvent",
                    GENERIC_READ|GENERIC_WRITE,
                    FILE_SHARE_READ | FILE_SHARE_WRITE,
                    NULL,
                    OPEN_EXISTING,
                    FILE_ATTRIBUTE_NORMAL,
                    NULL);
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile failed: %d\n", GetLastError());
        getchar();
        return 0;
    }

    // Auto-reset event: the driver signals it whenever a new line is in its buffer.
    m_hCommEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (m_hCommEvent == NULL)
    {
        printf("CreateEvent failed: %d\n", GetLastError());
        CloseHandle(hDevice);
        return 0;
    }
    printf("hEvent:%08x\n", m_hCommEvent);

    // Hand the driver our event handle; it references the object from kernel mode.
    status = DeviceIoControl(hDevice,
                IOCTL_PASSEVENT,
                &m_hCommEvent,
                sizeof(m_hCommEvent),
                NULL,
                0,
                &dwReturn,
                NULL);
    if( !status)
    {
        printf("IO wrong+%d\n", GetLastError());
        getchar();
        return 0;
    }

    CheckList.ONLYSHOWREMOTETHREAD = TRUE;
    CheckList.SHOWTHREAD = TRUE;
    CheckList.SHOWTERMINATETHREAD = FALSE;
    CheckList.SHOWTERMINATEPROCESS = FALSE;
    status = DeviceIoControl(hDevice,
                IOCTL_PASSEVSTRUCT,
                &CheckList,
                sizeof(CheckList),
                NULL,
                0,
                &dwReturn,
                NULL);
    if( !status)
    {
        printf("IO wrong+%d\n", GetLastError());
        getchar();
        return 0;
    }

    printf("      [Process Name]    [PID]    [TID]    [Parent Process Name]    [PID]\n");

    // Wait for the driver to signal, then fetch the line it formatted.  The driver
    // keeps a single buffer, so two notifications arriving before we read show
    // only the later one.  Any key stops the loop so the cleanup below runs.
    while(!_kbhit())
    {
        if (WaitForSingleObject(m_hCommEvent, 500) != WAIT_OBJECT_0)
            continue;
        status = DeviceIoControl(hDevice,
                    IOCTL_PASSBUF,
                    NULL,
                    0,
                    outbuf,
                    sizeof(outbuf),
                    &dwReturn,
                    NULL);
        if( !status)
        {
            printf("IO wrong+%d\n", GetLastError());
            break;
        }
        outbuf[sizeof(outbuf) - 1] = '\0';
        printf("%s", outbuf);
    }

    // Tell the driver to drop its reference to the event before we close it.
    status = DeviceIoControl(hDevice,
                IOCTL_UNPASSEVENT,
                NULL,
                0,
                NULL,
                0,
                &dwReturn,
                NULL);
    if( !status)
        printf("UNPASSEVENT wrong+%d\n", GetLastError());

    CloseHandle( hDevice );
    CloseHandle(m_hCommEvent);
    return 0;
}

//////////////////////////////////////////////////////////////////////////////////////////

define.h
//////////////////////////////////////////////////////////////////////////////////////////
#include "stdio.h"

#define FILE_DEVICE_EVENT  0x8000

// IOCTLs shared by the driver and the user-mode program; all of them are METHOD_BUFFERED.
#define IOCTL_PASSEVENT \
    CTL_CODE(FILE_DEVICE_EVENT, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)    // pass our event handle to the driver
#define IOCTL_PASSBUF \
    CTL_CODE(FILE_DEVICE_EVENT, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)    // fetch the last formatted line
#define IOCTL_UNPASSEVENT \
    CTL_CODE(FILE_DEVICE_EVENT, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)    // driver drops its event reference
#define IOCTL_PASSEVSTRUCT \
    CTL_CODE(FILE_DEVICE_EVENT, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)    // pass the CHECKLIST options

typedef struct        // report options, mainly useful while debugging
{
    BOOL SHOWTHREAD;
    BOOL ONLYSHOWREMOTETHREAD;
    BOOL SHOWTERMINATEPROCESS;
    BOOL SHOWTERMINATETHREAD;
}CHECKLIST, *PCHECKLIST;


//////////////////////////////////////////////////////////////////////////////////////////

先用驅(qū)動加載工具加載驅(qū)動,再運行程序,可以監(jiān)視到進程線的操作信息,并且可以實現(xiàn)監(jiān)視遠線程的創(chuàng)建。個人認為很完美。

下面的運行結(jié)果:

hEvent:00000010
      [Process Name]    [PID]    [TID]    [Parent Process Name]    [PID]
T:       svchost.exe      940     3540              svchost.exe      940
T:      explorer.exe     1680     3564             explorer.exe     1680
P:       notepad.exe     3568     1684             explorer.exe     1680
T:       notepad.exe     3568     3572             explorer.exe     1680
T:       svchost.exe     1036     3576              svchost.exe     1036
T:           cmd.exe     3580     3084             explorer.exe     1680
P:        doskey.exe     3608     3084                  cmd.exe     3580
T:       taskmgr.exe      352     3752             explorer.exe     1680
T:       svchost.exe     1036     2492              svchost.exe     1036
T:        remote.exe     3824     3828                  cmd.exe     3580
==============================Remote Thread :==============================
T:            hh.exe     3116     3832               remote.exe     3824
============================================================================
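The remote-thread test that ThreadCreateMon performs, as an added user-mode model that is not part of the original driver: instead of the single g_bMainThread/g_dwParentId pair it keeps a small per-process table (parent PID and whether the initial thread has appeared), so a cross-process thread creation is classified without depending on which process happened to be created last. OnProcessCreate, OnThreadCreate, RunSample and the event list are constructed for this example; the PIDs are taken from the sample output above, and hh.exe is assumed to have existed before the driver was loaded.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_PROCS   64
#define SYSTEM_PID  4           /* 4 on XP/2003; it is 8 on Windows 2000 */

typedef struct {
    uint32_t pid;
    uint32_t parent;            /* hParentId from the process notify routine */
    int      first_thread_seen; /* has the parent created the initial thread yet? */
    int      in_use;
} ProcState;

static ProcState g_procs[MAX_PROCS];

typedef enum { THREAD_IGNORED, THREAD_LOCAL, THREAD_INITIAL, THREAD_REMOTE } ThreadKind;

void ResetState(void) { memset(g_procs, 0, sizeof(g_procs)); }

static ProcState *FindProc(uint32_t pid)
{
    int i;
    for (i = 0; i < MAX_PROCS; i++)
        if (g_procs[i].in_use && g_procs[i].pid == pid)
            return &g_procs[i];
    return NULL;
}

/* ProcessCreateMon(hParentId, PId, TRUE): remember who the parent is. */
void OnProcessCreate(uint32_t parent, uint32_t pid)
{
    int i;
    ProcState *p = FindProc(pid);               /* PID reuse: overwrite a stale entry */
    for (i = 0; p == NULL && i < MAX_PROCS; i++)
        if (!g_procs[i].in_use)
            p = &g_procs[i];
    if (p == NULL)
        return;                                  /* table full: later threads count as remote */
    p->pid = pid; p->parent = parent; p->first_thread_seen = 0; p->in_use = 1;
}

/* ProcessCreateMon(..., FALSE): forget the process. */
void OnProcessExit(uint32_t pid)
{
    ProcState *p = FindProc(pid);
    if (p) p->in_use = 0;
}

/* ThreadCreateMon(PId, TId, TRUE).  creator is PsGetCurrentProcessId() inside the
 * callback, which runs in the creating thread's context; target is the PId argument. */
ThreadKind OnThreadCreate(uint32_t creator, uint32_t target)
{
    ProcState *p;
    if (target == SYSTEM_PID)
        return THREAD_IGNORED;                   /* the driver skips the System process */
    if (creator == target)
        return THREAD_LOCAL;                     /* ordinary CreateThread */
    p = FindProc(target);
    if (p != NULL && !p->first_thread_seen && creator == p->parent) {
        p->first_thread_seen = 1;                /* parent starting the new process's first thread */
        return THREAD_INITIAL;
    }
    /* Cross-process creation that is not the initial thread.  A process we never saw
     * being created predates the monitor, so it already has its first thread. */
    return THREAD_REMOTE;
}

/* Replay of the sample session above (constructed from the PIDs in its output). */
int RunSample(void)
{
    static const struct { char kind; uint32_t a, b; } ev[] = {
        { 'T', 940,  940  },    /* svchost creates a thread in itself            */
        { 'P', 1680, 3568 },    /* explorer (1680) creates notepad (3568)       */
        { 'T', 1680, 3568 },    /* explorer starts notepad's initial thread     */
        { 'P', 1680, 3580 },    /* explorer creates cmd (3580)                  */
        { 'T', 1680, 3580 },
        { 'P', 3580, 3824 },    /* cmd creates remote.exe (3824)                */
        { 'T', 3580, 3824 },
        { 'T', 3824, 3116 },    /* remote.exe injects a thread into hh.exe      */
        { 'X', 3824, 0    },    /* remote.exe exits                             */
    };
    int remote = 0;
    size_t i;

    ResetState();
    for (i = 0; i < sizeof(ev) / sizeof(ev[0]); i++) {
        if (ev[i].kind == 'P')
            OnProcessCreate(ev[i].a, ev[i].b);
        else if (ev[i].kind == 'X')
            OnProcessExit(ev[i].a);
        else if (OnThreadCreate(ev[i].a, ev[i].b) == THREAD_REMOTE) {
            printf("remote thread: creator %u -> target %u\n", (unsigned)ev[i].a, (unsigned)ev[i].b);
            remote++;
        }
    }
    return remote;
}

int main(void) { printf("%d remote thread(s) detected\n", RunSample()); return 0; }
```

The replay flags exactly one event, the thread remote.exe puts into hh.exe, while the parent-created initial threads of notepad, cmd and remote.exe are classified as such. One gap the driver shares: a process created after the process routine is registered but before the thread routine is has an entry without a first thread, so its next parent-created thread would be taken for the initial one.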

