开通博客赚积分
发布资源赚积分
分类

源码开发语言/平台
当前位置:首页 > 源码/资料 > Windows编程 > 钩子与API截获 > 查看源码
NtProcessMonitor.cpp
资源名称:apihook_Code.zip [点击查看]
上传用户:jstlsd
上传日期:2007-01-13
资源大小:186k
文件大小:7k
源码类别:

钩子与API截获

开发平台:

Visual C++

NtProcessMonitor.cpp:源码内容
  1. //---------------------------------------------------------------------------
  2. //
  3. // NtProcessMonitor.h
  4. //
  5. // SUBSYSTEM: 
  6. // API Hooking system
  7. // MODULE:    
  8. // Implements a thread that uses an NT device driver
  9. //              for monitoring process creation
  10. //
  11. // DESCRIPTION:
  12. //
  13. // AUTHOR: Ivo Ivanov (ivopi@hotmail.com)
  14. //                                                                         
  15. //---------------------------------------------------------------------------
  17. #include "..CommonCommon.h"
  18. #include "NtProcessMonitor.h"
  19. #include "..CommonSysUtils.h"
  20. #include <process.h>
  21. #include <winioctl.h>
  22. #include "NtDriverController.h"
  24. //---------------------------------------------------------------------------
  25. //
  26. // File scope consts and typedefs
  27. //
  28. //---------------------------------------------------------------------------
  30. #define FILE_DEVICE_UNKNOWN             0x00000022
  31. #define IOCTL_UNKNOWN_BASE              FILE_DEVICE_UNKNOWN
  33. #define IOCTL_PROCVIEW_GET_PROCINFO     CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
  36. //---------------------------------------------------------------------------
  37. //
  38. // Thread function prototype
  39. //
  40. //---------------------------------------------------------------------------
  41. typedef unsigned (__stdcall *PTHREAD_START) (void *);
  42. //---------------------------------------------------------------------------
  43. //
  44. // class CNtProcessMonitor
  45. //
  46. //---------------------------------------------------------------------------
  48. CNtProcessMonitor::CNtProcessMonitor():
  49. m_hShutdownEvent(NULL),
  50. m_hProcessEvent(NULL),
  51. m_bThreadActive(FALSE),
  52. m_dwThreadId(0),
  53. m_hDriver(INVALID_HANDLE_VALUE),
  54. m_pDriverCtl(NULL)
  55. {
  56. if (!IsWindows9x())
  57. m_pDriverCtl = new CNtDriverController();
  58. }
  60. CNtProcessMonitor::~CNtProcessMonitor()
  61. {
  62. delete m_pDriverCtl;
  63. }
  65. //
  66. // Accessor method
  67. //
  68. BOOL CNtProcessMonitor::Get_ThreadActive()
  69. {
  70. CLockMgr<CCSWrapper> lockMgr(m_CritSec, TRUE);
  71. return m_bThreadActive;
  72. }
  74. //
  75. // Accessor method
  76. //
  77. void CNtProcessMonitor::Set_ThreadActive(BOOL val)
  78. {
  79. CLockMgr<CCSWrapper> lockMgr(m_CritSec, TRUE);
  80. m_bThreadActive = val;
  81. }
  84. //
  85. // Accessor method
  86. //
  87. HANDLE CNtProcessMonitor::Get_ShutdownEvent() const
  88. {
  89. return m_hShutdownEvent;
  90. }
  92. //
  93. // Accessor method
  94. //
  95. HANDLE CNtProcessMonitor::Get_ProcessEvent() const
  96. {
  97. return m_hProcessEvent;
  98. }
  101. //
  102. // Activate / Stop the thread which gets the notification from the 
  103. // device driver
  104. //
  105. void CNtProcessMonitor::SetActive(BOOL bVal)
  106. {
  107. if (m_pDriverCtl)
  108. {
  109. if (bVal)
  110. {
  111. if (!Get_ThreadActive())
  112. {
  113. // Terminal Services W2K/XP: The name can have a "Global" 
  114. // prefix to explicitly create the object in the global 
  115. // or session name space.
  116. char szDriverName[MAX_PATH];
  117. if ( IsWindowsNT4() )
  118. strcpy(szDriverName, "\\.\NTProcDrv");
  119. else
  120. strcpy(szDriverName, "\\.\Global\NTProcDrv");
  122. // Try opening the device driver
  123. m_hDriver = CreateFile(
  124. szDriverName,
  125. GENERIC_READ | GENERIC_WRITE, 
  126. FILE_SHARE_READ | FILE_SHARE_WRITE,
  127. 0,                     // Default security
  128. OPEN_EXISTING,
  129. FILE_FLAG_OVERLAPPED,  // Perform asynchronous I/O
  130. 0);                    // No template
  131.         
  132. if(INVALID_HANDLE_VALUE == m_hDriver)
  133. return;
  134.     
  135. m_hShutdownEvent = ::CreateEvent(NULL, FALSE, FALSE, NULL);
  136. // Attach to KM-created event handle
  137. m_hProcessEvent = ::OpenEvent(
  138. SYNCHRONIZE, FALSE, "NTProcDrvProcessEvent");
  140. _beginthreadex(
  141. (void *)NULL,
  142. (unsigned)0,
  143. (PTHREAD_START)CNtProcessMonitor::ThreadFunc,
  144. (PVOID)this,
  145. (unsigned)0,
  146. (unsigned *)&m_dwThreadId
  147. );
  148. } // if
  150. else
  151. {
  152. if (Get_ThreadActive())
  153. {
  154. ::SetEvent(m_hShutdownEvent);
  155. // Give some time to the injector thread to clean up itself
  156. while (Get_ThreadActive())
  157. {
  158. }
  159. ::CloseHandle(m_hShutdownEvent);
  160. ::CloseHandle(m_hProcessEvent);
  161. m_dwThreadId = 0;
  162. if (NULL != m_hDriver)
  163. ::CloseHandle(m_hDriver);
  164. } // if
  165. } // else
  166. } // if
  167. }
  169. //
  170. // Retrieves data from the driver after received notification 
  171. //
  172. void CNtProcessMonitor::RetrieveProcessInfo(
  173. CALLBACK_INFO& callbackInfo,
  174. CALLBACK_INFO& callbackTemp
  175. )
  176. {
  177. OVERLAPPED ov          = { 0 };
  178. BOOL       bReturnCode = FALSE;
  179. DWORD      dwBytesReturned;
  181.     // Create an event handle for async notification from the driver
  182. ov.hEvent = ::CreateEvent(
  183. NULL,  // Default security
  184. TRUE,  // Manual reset
  185. FALSE, // non-signaled state
  186. NULL
  187. ); 
  189. // Get the process info
  190. bReturnCode = ::DeviceIoControl(
  191. m_hDriver,
  192. IOCTL_PROCVIEW_GET_PROCINFO,
  193. 0, 
  194. 0,
  195. &callbackInfo, sizeof(callbackInfo),
  196. &dwBytesReturned,
  197. &ov
  198. );
  200. // Wait here for the event handle to be set, indicating
  201. // that the IOCTL processing is completed.
  202. bReturnCode = ::GetOverlappedResult(
  203. m_hDriver, 
  204. &ov,
  205. &dwBytesReturned, 
  206. TRUE
  207. );
  209. ::CloseHandle(ov.hEvent);
  211. // Pevent getting duplicated events
  212. if((callbackTemp.ParentId  != callbackInfo.ParentId) ||
  213.    (callbackTemp.ProcessId != callbackInfo.ProcessId) ||
  214.    (callbackTemp.bCreate    != callbackInfo.bCreate))
  215. {
  216. if(callbackInfo.bCreate)
  217. // Process creation notification
  218. OnCreateProcess((DWORD)callbackInfo.ProcessId);
  219. else
  220. // Process termination notification
  221. OnTerminateProcess((DWORD)callbackInfo.ProcessId);
  222. } // if
  224. // Store the data for next time
  225. callbackTemp = callbackInfo;
  226. }
  228. //
  229. // The thread function 
  230. //
  231. unsigned __stdcall CNtProcessMonitor::ThreadFunc(void* pvParam)
  232. {
  233. CNtProcessMonitor* me = (CNtProcessMonitor*)pvParam;
  234. CALLBACK_INFO callbackInfo, callbackTemp;
  235. DWORD dwResult; 
  236. HANDLE handles[2] = 
  237. {
  238. me->Get_ShutdownEvent(),
  239. me->Get_ProcessEvent()
  240. };
  241. me->Set_ThreadActive(TRUE);
  243. while (TRUE)
  244. {
  245. dwResult = ::WaitForMultipleObjects(
  246. sizeof(handles)/sizeof(handles[0]), // number of handles in array
  247. &handles[0],                        // object-handle array
  248. FALSE,                              // wait option
  249. INFINITE                            // time-out interval
  250. );
  251. //
  252. // the system shuts down
  253. //
  254. if (handles[dwResult - WAIT_OBJECT_0] == me->Get_ShutdownEvent())
  255. break;
  256. //
  257. // A new process has been just created / or terminated
  258. //
  259. else
  260. me->RetrieveProcessInfo(
  261. callbackInfo, 
  262. callbackTemp
  263. );
  264. } // while
  265. me->Set_ThreadActive( FALSE );
  266. _endthreadex(0);
  267. return 0;
  268. }
  270. //----------------------------End of the file -------------------------------