Ps回调通知例程、Dpc定时器、内核线程使用方法.

好久没发代码了,发个以前写的东西,代码是照葫芦画瓢来的,共同学习,共同进步,欢迎拍砖.

#ifndef _SAFENOTIFYROUTINE_H
#define _SAFENOTIFYROUTINE_H
/************************************************************************/
/************************************************************************/
// ntifs.h already brings in the ntddk/wdm declarations; wdm.h is included
// again here as in the original (harmless, the headers are guarded).
#include <ntifs.h>
#include <wdm.h>
/************************************************************************/
/************************************************************************/
// Exported by the kernel; GetFullPathByProcessId passes *PsProcessType as the
// expected object type when it opens a handle to an EPROCESS.
extern POBJECT_TYPE* PsProcessType;

// Timer / worker-thread state shared by InitializeTimerNotify,
// CleanupTimerNotify, DpcTimerNotifyCallBack and ThreadNotifyCallBack.
//
// NOTE(review): KTIMER and KDPC objects must live in nonpaged memory, so the
// object that embeds a DEVICE_TIMER has to be allocated from NonPagedPool (or
// be a global).  Where the SafeNotifyRoutine instance is allocated is not
// shown in this listing -- confirm at the call site.
typedef struct _DEVICE_TIMER
{
    PVOID thread_pointer;       // thread object referenced via ObReferenceObjectByHandle
    BOOLEAN terminate_thread;   // set TRUE to make the worker thread exit
    KEVENT request_event;       // notification event signalled by the DPC
    KTIMER kTimer;              // periodic timer that queues KiTimerExpireDpc
    KDPC KiTimerExpireDpc;      // DPC bound to DpcTimerNotifyCallBack
} DEVICE_TIMER, *PDEVICE_TIMER;

// Forward declaration; the class itself lives in SafeNotifyRoutine.h.
typedef class SafeNotifyRoutine* PSafeNotifyRoutine;
/************************************************************************/
/************************************************************************/
#endif


#ifndef SAFENOTIFYROUTINE_H
#define SAFENOTIFYROUTINE_H
/************************************************************************/
/************************************************************************/
#include "_SafeNotifyRoutine.h"
/************************************************************************/
/************************************************************************/
// Wraps three Ps* notification callbacks (image load, thread create,
// process create) plus a periodic KTIMER/DPC that wakes a system thread.
//
// The callbacks are static (the kernel passes them no context), so they
// reach the object through the file-scope g_pThis pointer that
// InitializeCallBackNotify assigns.  Only one instance can be live at a time.
class SafeNotifyRoutine
{
public:
    // Registers the three notify routines, setting the matching Is* flag
    // after each success; returns FALSE on the first registration failure.
    BOOLEAN InitializeCallBackNotify();
    // Unregisters whatever InitializeCallBackNotify registered (per Is* flag).
    BOOLEAN CleanupCallBackNotify();
    // Starts a periodic timer (period in milliseconds) whose DPC signals the
    // worker thread created here.
    BOOLEAN InitializeTimerNotify(ULONG Millisecond);
    // Cancels the timer, asks the worker thread to exit and waits for it.
    BOOLEAN CleanupTimerNotify();
private:
    VOID _ZeroMemoryMember();   // resets the three Is* flags to FALSE
    // Prototypes dictated by PsSetLoadImageNotifyRoutine,
    // PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine,
    // KeInitializeDpc and PsCreateSystemThread respectively.
    static VOID LoadImageNotifyCallBack(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo);
    static VOID CreateThreadNotifyCallBack(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create);
    static VOID CreateProcessNotifyCallBack(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
    static VOID DpcTimerNotifyCallBack(struct _KDPC* Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2);
    static VOID ThreadNotifyCallBack(PVOID Context);
    // Copies the image path of ProcessId into the caller-provided
    // FullImageName buffer (Buffer/MaximumLength set by the caller).
    BOOLEAN GetFullPathByProcessId(ULONG ProcessId, PUNICODE_STRING FullImageName);
    // NOTE(review): despite the name, the implementation in this listing only
    // allocates memory in the target process; szDllPath is never read.
    BOOLEAN LdrLoadDllByProcessId(ULONG ProcessId, char* szDllPath);
private:
    BOOLEAN IsLoadImage;        // PsSetLoadImageNotifyRoutine succeeded
    BOOLEAN IsCreateProcess;    // PsSetCreateProcessNotifyRoutine succeeded
    BOOLEAN IsCreateThread;     // PsSetCreateThreadNotifyRoutine succeeded
    // Scratch EPROCESS pointer written by the two lookup helpers.
    // NOTE(review): it is shared between callbacks that can run concurrently
    // on different threads, and the reference PsLookupProcessByProcessId
    // takes on it is never released in this listing.
    PEPROCESS _pEprocess;
public:
    DEVICE_TIMER _Timer;        // timer/DPC/thread state, see _SafeNotifyRoutine.h
};
#endif


/************************************************************************/
/************************************************************************/
#include"SafeNotifyRoutine.h"
/************************************************************************/
/************************************************************************/
// The single live SafeNotifyRoutine instance.  Assigned by
// InitializeCallBackNotify only after all three registrations succeed, and
// read by the static callbacks, the DPC and the worker thread.
// NOTE(review): nothing in this listing clears it, and InitializeTimerNotify
// does not assign it, so a timer armed before InitializeCallBackNotify lets
// the DPC dereference NULL.
PSafeNotifyRoutine g_pThis = NULL;
/************************************************************************/
/************************************************************************/
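BOOLEAN SafeNotifyRoutine::InitializeCallBackNotify()
{
    // Registers the image-load, thread-create and process-create notify
    // routines and records each success in the matching Is* flag.
    // Returns TRUE only when all three are registered.
    //
    // Fixes against the original: g_pThis was assigned after the last
    // registration, so a notification delivered in between dereferenced
    // NULL in the callback; and a failure part-way left the earlier routines
    // registered with no guarantee the caller would call
    // CleanupCallBackNotify before freeing the object.
    this->_ZeroMemoryMember();

    // Publish the instance before the first registration: the callbacks are
    // static and can run as soon as the corresponding PsSet* returns.
    g_pThis = this;

    if (!NT_SUCCESS(PsSetLoadImageNotifyRoutine(SafeNotifyRoutine::LoadImageNotifyCallBack)))
    {
        KdPrint(("PsSetLoadImageNotifyRoutineFail\n"));
        return FALSE;
    }
    this->IsLoadImage = TRUE;

    if (!NT_SUCCESS(PsSetCreateThreadNotifyRoutine(SafeNotifyRoutine::CreateThreadNotifyCallBack)))
    {
        KdPrint(("PsSetCreateThreadNotifyRoutineFail\n"));
        this->CleanupCallBackNotify();   // undo the image-load registration
        return FALSE;
    }
    this->IsCreateThread = TRUE;

    if (!NT_SUCCESS(PsSetCreateProcessNotifyRoutine(SafeNotifyRoutine::CreateProcessNotifyCallBack, FALSE)))
    {
        KdPrint(("PsSetCreateProcessNotifyRoutineFail\n"));
        this->CleanupCallBackNotify();   // undo the two earlier registrations
        return FALSE;
    }
    this->IsCreateProcess = TRUE;

    return TRUE;
}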
/************************************************************************/
/************************************************************************/
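BOOLEAN SafeNotifyRoutine::InitializeTimerNotify(ULONG Millisecond)
{
    // Starts a periodic timer whose DPC signals _Timer.request_event, and a
    // system thread that waits on that event (see ThreadNotifyCallBack).
    //
    // Millisecond: timer period.  Returns TRUE when both the timer and the
    // thread are up; on FALSE nothing is left running.
    //
    // Fixes against the original: the DPC reads g_pThis, which only
    // InitializeCallBackNotify assigned, so arming the timer first crashed
    // at DISPATCH_LEVEL; and the timer was armed before the thread existed,
    // so a thread-creation failure returned FALSE with the DPC still firing.
    __try
    {
        LARGE_INTEGER duetime = {0};
        HANDLE ThreadHandle = NULL;
        NTSTATUS Status;

        // The DPC and the worker are static and locate the object through
        // g_pThis; publish it here as well so this can be called standalone.
        g_pThis = this;

        this->_Timer.thread_pointer = NULL;
        this->_Timer.terminate_thread = FALSE;
        KeInitializeEvent(&this->_Timer.request_event, NotificationEvent, FALSE);
        KeInitializeTimerEx(&this->_Timer.kTimer, NotificationTimer);
        // `this` is handed over as DeferredContext / StartContext; the
        // callbacks may still fall back to g_pThis if they ignore it.
        KeInitializeDpc(&this->_Timer.KiTimerExpireDpc, SafeNotifyRoutine::DpcTimerNotifyCallBack, this);

        // Create the worker before arming the timer, so a failure below never
        // leaves a DPC queued against a half-initialised object.
        if (!NT_SUCCESS(PsCreateSystemThread(&ThreadHandle, 0, NULL, NULL, NULL, SafeNotifyRoutine::ThreadNotifyCallBack, this)))
        {
            KdPrint(("PsCreateSystemThreadFail.\n"));
            return FALSE;
        }

        // Keep an object reference for CleanupTimerNotify's wait; the handle
        // itself is not needed once the reference is taken (or has failed).
        Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, NULL, KernelMode, &this->_Timer.thread_pointer, NULL);
        ZwClose(ThreadHandle);
        if (!NT_SUCCESS(Status))
        {
            KdPrint(("ObReferenceObjectByHandleFail.\n"));
            // The worker is already running: let it observe terminate_thread.
            this->_Timer.thread_pointer = NULL;
            this->_Timer.terminate_thread = TRUE;
            KeSetEvent(&this->_Timer.request_event, (KPRIORITY)0, FALSE);
            return FALSE;
        }

        // duetime 0 -> first expiry immediately, then every Millisecond ms.
        KeSetTimerEx(&this->_Timer.kTimer, duetime, (LONG)Millisecond, &this->_Timer.KiTimerExpireDpc);
        return TRUE;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("InitializeTimerNotifyExceptFail.\n"));
        return FALSE;
    }
}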
/************************************************************************/
/************************************************************************/
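BOOLEAN SafeNotifyRoutine::CleanupTimerNotify()
{
    // Stops the periodic timer, asks the worker thread to exit, waits for it
    // and drops the thread reference.  Must run at PASSIVE_LEVEL.
    // Returns FALSE only if an SEH exception was raised.
    //
    // Assumes InitializeTimerNotify ran on this object (the timer and event
    // must have been initialised).
    //
    // Fixes against the original: it operated on g_pThis rather than `this`
    // (CleanupCallBackNotify uses `this`); it waited on thread_pointer even
    // when that was NULL, which bugchecks rather than raising an exception;
    // a DPC already running on another CPU could still touch the object
    // after KeCancelTimer returned; and thread_pointer was left dangling.
    BOOLEAN Result = TRUE;
    __try
    {
        KeCancelTimer(&this->_Timer.kTimer);
        // Wait for any in-flight DPC so it cannot signal the event or read
        // the object after we tear down.
        KeFlushQueuedDpcs();

        this->_Timer.terminate_thread = TRUE;
        KeSetEvent(&this->_Timer.request_event, (KPRIORITY)0, FALSE);

        if (this->_Timer.thread_pointer != NULL)
        {
            KeWaitForSingleObject(this->_Timer.thread_pointer, Executive, KernelMode, FALSE, NULL);
            ObDereferenceObject(this->_Timer.thread_pointer);
            this->_Timer.thread_pointer = NULL;
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("CleanupTimerNotifyExceptFail.\n"));
        Result = FALSE;
    }
    return Result;
}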
/************************************************************************/
/************************************************************************/
BOOLEAN SafeNotifyRoutine::CleanupCallBackNotify()
{
    // Undo each registration recorded by InitializeCallBackNotify and clear
    // its flag as we go; flags that were already FALSE stay FALSE, so every
    // flag is FALSE on return.  Always returns TRUE.
    if (this->IsLoadImage)
    {
        PsRemoveLoadImageNotifyRoutine(SafeNotifyRoutine::LoadImageNotifyCallBack);
        this->IsLoadImage = FALSE;
    }

    if (this->IsCreateThread)
    {
        PsRemoveCreateThreadNotifyRoutine(SafeNotifyRoutine::CreateThreadNotifyCallBack);
        this->IsCreateThread = FALSE;
    }

    if (this->IsCreateProcess)
    {
        // Remove == TRUE unregisters the process-create routine.
        PsSetCreateProcessNotifyRoutine(SafeNotifyRoutine::CreateProcessNotifyCallBack, TRUE);
        this->IsCreateProcess = FALSE;
    }

    return TRUE;
}
/************************************************************************/
/************************************************************************/
VOID SafeNotifyRoutine::_ZeroMemoryMember()
{
    // Mark all three notify routines as not registered.
    this->IsLoadImage = this->IsCreateThread = this->IsCreateProcess = FALSE;
}
/************************************************************************/
/************************************************************************/
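VOID SafeNotifyRoutine::LoadImageNotifyCallBack(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    // Logs every image mapped into a process, then passes the process id to
    // LdrLoadDllByProcessId.  Per the PLOAD_IMAGE_NOTIFY_ROUTINE contract
    // FullImageName may be NULL and ProcessId is 0 for kernel-mode images.
    //
    // Fix: g_pThis is assigned only after all three registrations succeed,
    // so a notification arriving in between dereferenced NULL; %wZ is now
    // only given a non-NULL string.
    //
    // NOTE(review): LdrLoadDllByProcessId, as defined in this listing, commits
    // an executable region in the target on every image load, never frees it,
    // passes a HANDLE to ObfDereferenceObject and falls off its end without a
    // return value.  Consider dropping this call until that is fixed.
    UNREFERENCED_PARAMETER(ImageInfo);

    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
        return;

    if (FullImageName != NULL)
        DbgPrint("ImageName:%wZProcessId:%d\n", FullImageName, (ULONG)(ULONG_PTR)ProcessId);
    else
        DbgPrint("ImageName:<null>ProcessId:%d\n", (ULONG)(ULONG_PTR)ProcessId);

    if (g_pThis != NULL)
        g_pThis->LdrLoadDllByProcessId((ULONG)(ULONG_PTR)ProcessId, NULL);
}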
/************************************************************************/
/************************************************************************/
VOID SafeNotifyRoutine::CreateThreadNotifyCallBack(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
    // Logs newly created threads.  Thread-exit notifications
    // (Create == FALSE) and calls above PASSIVE_LEVEL are ignored.
    if (!Create)
        return;
    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
        return;

    DbgPrint("ProcessId:%dThreadId:%d\n", (ULONG)ProcessId, (ULONG)ThreadId);
}
/************************************************************************/
/************************************************************************/
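VOID SafeNotifyRoutine::CreateProcessNotifyCallBack(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    // Logs parent/child ids and the new process's image path on creation.
    // Process-exit notifications (Create == FALSE) and calls above
    // PASSIVE_LEVEL are ignored.
    //
    // Fixes against the original: the pool allocation was not NULL-checked;
    // Length was seeded with 512 bytes of uninitialised buffer; %wZ was
    // handed the UNICODE_STRING by value instead of by pointer; the path was
    // printed even when the lookup failed; and g_pThis was dereferenced
    // without a NULL check.
    UNICODE_STRING FullImageName;
    PWCH Buffer;

    if (KeGetCurrentIrql() != PASSIVE_LEVEL || !Create || g_pThis == NULL)
        return;

    Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, 1024, 'Safe');
    if (Buffer == NULL)
    {
        KdPrint(("CreateProcessNotifyCallBack:ExAllocatePoolWithTagFail\n"));
        return;
    }
    // Length 0, MaximumLength 1024 bytes; GetFullPathByProcessId fills it in.
    RtlInitEmptyUnicodeString(&FullImageName, Buffer, 1024);

    if (g_pThis->GetFullPathByProcessId((ULONG)(ULONG_PTR)ProcessId, &FullImageName))
    {
        DbgPrint("ParentId:%dProcessId:%dFullImageName:%wZ\n",
                 (ULONG)(ULONG_PTR)ParentId, (ULONG)(ULONG_PTR)ProcessId, &FullImageName);
    }
    else
    {
        DbgPrint("ParentId:%dProcessId:%dFullImageName:<unavailable>\n",
                 (ULONG)(ULONG_PTR)ParentId, (ULONG)(ULONG_PTR)ProcessId);
    }

    ExFreePoolWithTag((PVOID)Buffer, 'Safe');
}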
/************************************************************************/
/************************************************************************/
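VOID SafeNotifyRoutine::DpcTimerNotifyCallBack(struct _KDPC* Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
    // Runs at DISPATCH_LEVEL on every expiry of _Timer.kTimer and wakes the
    // worker thread by signalling request_event.
    //
    // DeferredContext is the SafeNotifyRoutine instance when the DPC was
    // initialised with one; the original passed NULL, so fall back to
    // g_pThis.  Fix: return instead of dereferencing NULL when neither is
    // set (timer armed before InitializeCallBackNotify assigned g_pThis).
    UNREFERENCED_PARAMETER(Dpc);
    UNREFERENCED_PARAMETER(SystemArgument1);
    UNREFERENCED_PARAMETER(SystemArgument2);

    PSafeNotifyRoutine pThis = (DeferredContext != NULL) ? (PSafeNotifyRoutine)DeferredContext : g_pThis;
    if (pThis == NULL)
        return;

    KdPrint(("hahadpcfunctionwork\n"));
    KeSetEvent(&pThis->_Timer.request_event, (KPRIORITY)0, FALSE);
}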
/************************************************************************/
/************************************************************************/
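VOID SafeNotifyRoutine::ThreadNotifyCallBack(PVOID Context)
{
    // Worker created by InitializeTimerNotify.  Blocks on request_event
    // (signalled by the DPC on each timer expiry) and terminates once
    // terminate_thread has been set by CleanupTimerNotify.
    //
    // Context is the SafeNotifyRoutine instance when the creator passed one;
    // the original passed NULL, so fall back to g_pThis.  Fix: exit cleanly
    // instead of dereferencing NULL when neither is set.  The original's
    // do { ...; goto } while (TRUE) wrapper was equivalent to a single
    // KdPrint and has been removed.
    PSafeNotifyRoutine pThis = (Context != NULL) ? (PSafeNotifyRoutine)Context : g_pThis;
    if (pThis == NULL)
    {
        KdPrint(("ThreadNotifyCallBack:noinstance,exiting\n"));
        PsTerminateSystemThread(STATUS_SUCCESS);
        return;
    }

    KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY);

    for (;;)
    {
        KdPrint(("threadworkok!!\n"));
        KeWaitForSingleObject(&pThis->_Timer.request_event, Executive, KernelMode, FALSE, NULL);
        // NotificationEvent stays signalled until explicitly reset.
        KeResetEvent(&pThis->_Timer.request_event);
        if (pThis->_Timer.terminate_thread)
        {
            PsTerminateSystemThread(STATUS_SUCCESS);
            return;
        }
    }
}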
/************************************************************************/
/************************************************************************/
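BOOLEAN SafeNotifyRoutine::GetFullPathByProcessId(ULONG ProcessId, PUNICODE_STRING FullImageName)
{
    // Copies the image path of process ProcessId into FullImageName, whose
    // Buffer and MaximumLength the caller supplies.  Returns TRUE and sets
    // FullImageName->Length on success, FALSE otherwise.  Must run at
    // PASSIVE_LEVEL (paged-pool allocation, Zw calls).
    //
    // Fixes against the original: the zero-length size probe returns
    // STATUS_INFO_LENGTH_MISMATCH, which !NT_SUCCESS treated as failure, so
    // the function could never succeed; wcsncpy was given a byte count as a
    // WCHAR count (writing twice the intended size into the caller's buffer)
    // and never set Length; and the EPROCESS reference plus the process
    // handle leaked on every early return.
    PEPROCESS Process = NULL;
    HANDLE ProcessHandle = NULL;
    PUNICODE_STRING TmpImageName = NULL;
    ULONG NumberOfBytes = 0;
    NTSTATUS Status;
    BOOLEAN Result = FALSE;

    if (FullImageName == NULL || FullImageName->Buffer == NULL)
        return FALSE;

    // Takes a reference on the EPROCESS, released at Cleanup.  A local is
    // used instead of _pEprocess because callbacks can run concurrently.
    Status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)ProcessId, &Process);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("PsLookupProcessByProcessIdFail\n"));
        return FALSE;
    }

    // Kernel handle with only the access the query needs.
    Status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, NULL, PROCESS_QUERY_INFORMATION, *PsProcessType, KernelMode, &ProcessHandle);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("ObOpenObjectByPointerFail\n"));
        goto Cleanup;
    }

    // Zw* rather than Nt*: inside a notify callback the previous mode is that
    // of the user thread being notified, and Nt* would probe our kernel
    // buffers as user memory.  (ZwQueryInformationProcess is declared in
    // ntddk.h in current WDKs; older kits need a local prototype.)
    Status = ZwQueryInformationProcess(ProcessHandle, ProcessImageFileName, NULL, 0, &NumberOfBytes);
    if (Status != STATUS_INFO_LENGTH_MISMATCH || NumberOfBytes == 0)
    {
        KdPrint(("ZwQueryInformationProcessSizeProbeFail\n"));
        goto Cleanup;
    }

    TmpImageName = (PUNICODE_STRING)ExAllocatePoolWithTag(PagedPool, NumberOfBytes, 'Safe');
    if (TmpImageName == NULL)
    {
        KdPrint(("ExAllocatePoolWithTagFail\n"));
        goto Cleanup;
    }

    Status = ZwQueryInformationProcess(ProcessHandle, ProcessImageFileName, TmpImageName, NumberOfBytes, &NumberOfBytes);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("ZwQueryInformationProcessFail\n"));
        goto Cleanup;
    }

    // %wZ expects a PUNICODE_STRING, not its Buffer.
    KdPrint(("FullImageName%wZ\n", TmpImageName));

    if (TmpImageName->Length > FullImageName->MaximumLength)
    {
        KdPrint(("FullImageName->MaximumLengthBufferLengthTooSmall\n"));
        goto Cleanup;
    }
    // Byte-count aware copy that also sets FullImageName->Length.
    RtlCopyUnicodeString(FullImageName, TmpImageName);
    Result = TRUE;

Cleanup:
    if (TmpImageName != NULL)
        ExFreePoolWithTag((PVOID)TmpImageName, 'Safe');
    if (ProcessHandle != NULL)
        ZwClose(ProcessHandle);
    ObDereferenceObject(Process);
    return Result;
}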
/************************************************************************/
/************************************************************************/
BOOLEAN SafeNotifyRoutine::LdrLoadDllByProcessId(ULONG ProcessId, char* szDllPath)
{
    // Called from LoadImageNotifyCallBack on every image load.  As written
    // it only opens process ProcessId and commits an executable, writable
    // region in it; szDllPath is never read.
    //
    // NOTE(review): defects visible in this listing, left as-is here:
    //  - no return statement on the success path (the BOOLEAN result is
    //    undefined);
    //  - ObfDereferenceObject is given a HANDLE, not an object pointer, and
    //    the EPROCESS reference from PsLookupProcessByProcessId is never
    //    released;
    //  - ProcessHandle leaks on the later failure paths, pMemSpace is never
    //    freed, and nothing is ever written to it;
    //  - Nt* (not Zw*) is called from a callback whose previous mode is that
    //    of the notified user thread, so kernel-mode pointer arguments are
    //    probed as user memory;
    //  - (ULONG)pMemSpace truncates the address on 64-bit builds.
    HANDLE ProcessHandle = NULL;
    PVOID pMemSpace = NULL;
    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)ProcessId, &this->_pEprocess)))
    {
        KdPrint(("PsLookupProcessByProcessIdFail\n"));
        return FALSE;
    }
    ULONG size = 2000;   // requested byte count; the allocator rounds it up to page granularity
    // Full-access kernel handle; ObjectType NULL skips the type check.
    if (!NT_SUCCESS(ObOpenObjectByPointer(this->_pEprocess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, NULL, KernelMode, &ProcessHandle)))
    {
        KdPrint(("ObOpenObjectByPointerFail\n"));
        return FALSE;
    }
    if (!NT_SUCCESS(NtAllocateVirtualMemory(ProcessHandle, &pMemSpace, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
    {
        KdPrint(("NtAllocateVirtualMemoryFail\n"));
        return FALSE;
    }
    // NOTE(review): should be ZwClose(ProcessHandle) followed by
    // ObDereferenceObject(this->_pEprocess); passing a handle value to
    // ObfDereferenceObject corrupts the object header it points at.
    if (ProcessHandle != NULL)
        ObfDereferenceObject(ProcessHandle);
    DbgPrint("MEMSPACEADDR:%x\n", (ULONG)pMemSpace);
}