七、回调

zhang_derek

发布于 2022-09-29 11:53:19

1.5K0

发布于 2022-09-29 11:53:19

7.1.进程回调

DriverMain.c

#include <ntifs.h>

PUCHAR PsGetProcessImageFileName(PEPROCESS Process);

//创建进程回调函数
VOID CreateProcessListen(
	_In_ HANDLE ParentId,
	_In_ HANDLE ProcessId,
	_In_ BOOLEAN Create
)
{
	PEPROCESS Process = NULL;
	NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &Process);
	if (!NT_SUCCESS(status))
	{
		return;
	}

	//创建进程
	if (Create)
	{
		DbgPrintEx(77,0,"[db]:%s 创建了\r\n", PsGetProcessImageFileName(Process));
	}
	else
	{
		DbgPrintEx(77, 0, "[db]:%s 退出了\r\n", PsGetProcessImageFileName(Process));
	}
    
	ObDereferenceObject(Process);
}


VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	PsSetCreateProcessNotifyRoutine(CreateProcessListen, TRUE);
	DbgPrint("卸载驱动\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    //创建进程回调
	PsSetCreateProcessNotifyRoutine(CreateProcessListen,FALSE);

	pDriver->DriverUnload = DriverUnload;

	return STATUS_SUCCESS;
}

修改PspNotifyEnableMask为00000009，创建和退出进程时就不会触发回调

kd> dd PspNotifyEnableMask
83f4c838  0000000b 00000000 8ad0e54f 00000000
83f4c848  00000000 00000000 00000000 00000000
83f4c858  00000000 00000000 00000000 00000000
83f4c868  00000000 00000000 00000000 00000000
83f4c878  00000000 00000000 00000000 00000000
83f4c888  00000000 00000000 00000000 00000000
83f4c898  00000000 00000000 00000000 00000000
83f4c8a8  00000000 00000000 00000000 00000000
kd> ed 83f4c838 00000009
kd> g

7.2.线程回调

DriverMain.c

#include <ntifs.h>

PUCHAR PsGetProcessImageFileName(PEPROCESS Process);

VOID CreateProcessListen(
	_In_ HANDLE ParentId,
	_In_ HANDLE ProcessId,
	_In_ BOOLEAN Create
)
{
	PEPROCESS Process = NULL;
	NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &Process);
	if (!NT_SUCCESS(status))
	{
		return;
	}

	//创建进程
	if (Create)
	{
		DbgPrintEx(77,0,"[db]:%s 创建了\r\n", PsGetProcessImageFileName(Process));
	}
	else
	{
		DbgPrintEx(77, 0, "[db]:%s 退出了\r\n", PsGetProcessImageFileName(Process));
	}
	
    ObDereferenceObject(Process);
}


VOID createThreadListen(
	_In_ HANDLE ProcessId,
	_In_ HANDLE ThreadId,
	_In_ BOOLEAN Create
)
{
	if (Create)
	{
		DbgPrintEx(77, 0, "[db]线程创建了\r\n");
	}
	else
	{
		DbgPrintEx(77, 0, "[db]线程结束了\r\n");
	}
}


VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	//PsSetCreateProcessNotifyRoutine(CreateProcessListen, TRUE);

	PsRemoveCreateThreadNotifyRoutine(createThreadListen);

	DbgPrint("卸载驱动\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
	//PsSetCreateProcessNotifyRoutine(CreateProcessListen,FALSE);

	PsSetCreateThreadNotifyRoutine(createThreadListen);


	pDriver->DriverUnload = DriverUnload;

	return STATUS_SUCCESS;
}

修改PspNotifyEnableMask为00000007,创建和退出线程时就不会触发回调

7.3.模块回调

DriverMain.c

#include <ntifs.h>

PUCHAR PsGetProcessImageFileName(PEPROCESS Process);

VOID CreateProcessListen(
	_In_ HANDLE ParentId,
	_In_ HANDLE ProcessId,
	_In_ BOOLEAN Create
)
{
	PEPROCESS Process = NULL;
	NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &Process);
	if (!NT_SUCCESS(status))
	{
		return;
	}

	//创建进程
	if (Create)
	{
		DbgPrintEx(77,0,"[db]:%s 创建了\r\n", PsGetProcessImageFileName(Process));
	}
	else
	{
		DbgPrintEx(77, 0, "[db]:%s 退出了\r\n", PsGetProcessImageFileName(Process));
	}
    
	ObDereferenceObject(Process);
}


VOID createThreadListen(
	_In_ HANDLE ProcessId,
	_In_ HANDLE ThreadId,
	_In_ BOOLEAN Create
)
{
	if (Create)
	{
		DbgPrintEx(77, 0, "[db]线程创建了\r\n");
	}
	else
	{
		DbgPrintEx(77, 0, "[db]线程结束了\r\n");
	}
}

VOID LoadImageListen(
	_In_opt_ PUNICODE_STRING FullImageName,
	_In_ HANDLE ProcessId,                // pid into which image is being mapped
	_In_ PIMAGE_INFO ImageInfo
)
{
	if (ImageInfo->SystemModeImage)
	{
		DbgPrintEx(77, 0, "[db]驱动模块: %wZ\r\n", FullImageName);
	}
	else
	{
		DbgPrintEx(77, 0, "[db]普通DLL: %wZ\r\n", FullImageName);
	}
}


VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	//PsSetCreateProcessNotifyRoutine(CreateProcessListen, TRUE);

	//PsRemoveCreateThreadNotifyRoutine(createThreadListen);

	PsRemoveLoadImageNotifyRoutine(LoadImageListen);

	DbgPrint("卸载驱动\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
	//PsSetCreateProcessNotifyRoutine(CreateProcessListen,FALSE);

	//PsSetCreateThreadNotifyRoutine(createThreadListen);

	PsSetLoadImageNotifyRoutine(LoadImageListen);


	pDriver->DriverUnload = DriverUnload;

	return STATUS_SUCCESS;
}

_IMAGE_INFO结构体

typedef struct _IMAGE_INFO {
    union {
        ULONG Properties;
        struct {
            ULONG ImageAddressingMode  : 8;  // Code addressing mode
            ULONG SystemModeImage      : 1;  // System mode image
            ULONG ImageMappedToAllPids : 1;  // Image mapped into all processes
            ULONG ExtendedInfoPresent  : 1;  // IMAGE_INFO_EX available
            ULONG MachineTypeMismatch  : 1;  // Architecture type mismatch
            ULONG ImageSignatureLevel  : 4;  // Signature level
            ULONG ImageSignatureType   : 3;  // Signature type
            ULONG ImagePartialMap      : 1;  // Nonzero if entire image is not mapped
            ULONG Reserved             : 12;
        };
    };
    PVOID       ImageBase;
    ULONG       ImageSelector;
    SIZE_T      ImageSize;
    ULONG       ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;

修改PspNotifyEnableMask为0000000e,就不会触发模块回调

本文参与腾讯云自媒体分享计划，分享自作者个人站点/博客。

原始发表：2022-09-18，如有侵权请联系 cloudcommunity@tencent.com 删除

image