让一切随风 发表于 2017-6-3 11:06:37

驱动中使用加载回调来监控进程加载 或者DLL加载 驱动加载


#include "ntddk.h"
//#include "Ntifs.h"
//PVOID


/* Local prototypes for the two load-image notify APIs used below.
 * Both are already declared by ntddk.h (included above), so these
 * redeclarations are redundant and only mirror the original listing.
 * The SAL annotation is inconsistent between the two (bare vs. __in);
 * the header's own declarations are the ones that matter. */
NTSTATUS PsSetLoadImageNotifyRoutine(
PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
NTSTATUS PsRemoveLoadImageNotifyRoutine(
__in PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
//PVOID




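/*
 * Load-image notify callback registered from DriverEntry.
 *
 * The system calls this for every image it maps: process executables,
 * DLLs and kernel-mode drivers.  It only logs what was mapped; it never
 * blocks or alters a load.
 *
 * FullImageName  Path of the image.  Annotated __in_opt, so it may be NULL,
 *                and its Buffer is a counted string that is not guaranteed
 *                to be NUL-terminated.
 * ProcessId      Process the image is mapped into (zero for driver images).
 * ImageInfo      Image details; SystemModeImage is non-zero when the image
 *                was mapped into system space.
 */
void xxxx(
__in_opt PUNICODE_STRING FullImageName,
__in HANDLE ProcessId,
__in PIMAGE_INFO ImageInfo
){
    /* SystemModeImage == 0 means the image was mapped into USER space
     * (a process executable or a DLL).  The original comment called this
     * the "driver load" case, which is backwards: driver loads are the
     * SystemModeImage != 0 case and are deliberately not logged here. */
    if (ImageInfo->SystemModeImage == 0)
    {
        /* %wZ formats the counted UNICODE_STRING itself; the original
         * printed ->Buffer with %S, which assumes a NUL terminator the
         * string does not guarantee.  FullImageName is optional, so it is
         * checked before use.  Pointers and handles are printed with %p,
         * not %d, which truncates them on 64-bit builds. */
        if (FullImageName != NULL)
        {
            KdPrint(("NAME : %wZ ImageBase : %p PID: %p\n",
                     FullImageName, ImageInfo->ImageBase, ProcessId));
        }
        else
        {
            KdPrint(("NAME : <unknown> ImageBase : %p PID: %p\n",
                     ImageInfo->ImageBase, ProcessId));
        }
    }
}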
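/*
 * Unload routine: removes the load-image callback installed in DriverEntry
 * so the system never calls into code that is about to be unmapped.
 *
 * pobject  The driver object; not used here.
 */
void DriverUnload(PDRIVER_OBJECT pobject){
    UNREFERENCED_PARAMETER(pobject);

    /* The status is deliberately not checked: the only failure this call can
     * report is that the routine was not registered, and there is nothing
     * further to undo at unload in that case. */
    (void)PsRemoveLoadImageNotifyRoutine(xxxx);
}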
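/*
 * Driver entry point: installs the unload handler and registers the
 * load-image notify callback.
 *
 * pobj  Driver object; DriverUnload is stored in it.
 * pon   Registry path of the driver's service key; not used.
 *
 * Returns STATUS_SUCCESS, or the NTSTATUS from PsSetLoadImageNotifyRoutine
 * when registration fails (for example when the system's callback table is
 * full).  On failure the driver is not loaded, so DriverUnload never runs
 * and no callback is left behind.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pobj,PUNICODE_STRING pon){
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pon);

    /* Set the unload handler first; it is harmless if the load fails below
     * and means a successful registration is always paired with removal. */
    pobj->DriverUnload = DriverUnload;

    /* The original ignored this result.  A failed registration would have
     * left the driver loaded with no callback, and DriverUnload trying to
     * remove a routine that was never installed. */
    status = PsSetLoadImageNotifyRoutine(xxxx);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("PsSetLoadImageNotifyRoutine failed: 0x%08X\n", status));
        return status;
    }

    return STATUS_SUCCESS;
}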
打开DebugView就能够看见哪个进程加载了什么 至于 猥琐的事情嘿嘿你懂的= =