  • ring0获取指定进程的PEB

    #ifndef TYPEDEF_H
    #define TYPEDEF_H
    
    /* Raw byte type used for the Reserved padding in the structures below. */
    typedef unsigned char       BYTE;

    /* Prototype of the kernel routine PsGetProcessPeb, which ntoskrnl exports
     * but the DDK headers do not declare; ProcessMon resolves it by name with
     * MmGetSystemRoutineAddress and checks the returned PEB pointer for NULL.
     * NOTE(review): PPEB is used here before struct _PEB is defined further
     * down in this header, so this line relies on a forward typedef coming
     * from the DDK headers included ahead of it -- confirm with the build. */
    typedef PPEB (__stdcall *P_PsGetProcessPeb)(PEPROCESS);
    
    /*
     * Partial, layout-only view of the process parameter block that the PEB's
     * ProcessParameters field points to.  The Reserved* arrays are padding
     * that keeps ImagePathName and CommandLine at their real offsets; only
     * those two fields are read by this file (ProcessMon).
     *
     * Both strings use UNICODE_STRING semantics (Length in bytes, Buffer a
     * WCHAR pointer).  The block and the buffers live in the target process's
     * user-mode address space -- ProcessMon must attach to the process before
     * touching them, and their contents are not trusted.
     * NOTE(review): the layout appears to mirror the public winternl.h
     * declaration -- confirm against the SDK version in use.
     */
    typedef struct _RTL_USER_PROCESS_PARAMETERS {
        BYTE Reserved1[16];
        PVOID Reserved2[10];
        UNICODE_STRING ImagePathName;   /* full path of the executable image */
        UNICODE_STRING CommandLine;     /* command line the process was started with */
    } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
    
    /*
     * Partial view of the loader data block referenced by PEB.Ldr.  Declared
     * only so that PEB.Ldr has a proper pointer type; nothing in this file
     * dereferences it, and InMemoryOrderModuleList is never walked here.
     */
    typedef struct _PEB_LDR_DATA {
        BYTE Reserved1[8];
        PVOID Reserved2[3];
        LIST_ENTRY InMemoryOrderModuleList;   /* list head of loaded modules (unused here) */
    } PEB_LDR_DATA, *PPEB_LDR_DATA;
    
    /* Signature of PEB.PostProcessInitRoutine: a no-argument NTAPI callback.
     * Only needed to give that PEB field its correct size; never invoked here. */
    typedef VOID (NTAPI *PPS_POST_PROCESS_INIT_ROUTINE)(VOID);
    
    /*
     * Partial, layout-only view of the user-mode Process Environment Block.
     * The Reserved* arrays are padding that keeps BeingDebugged, Ldr,
     * ProcessParameters, PostProcessInitRoutine and SessionId at their real
     * offsets; the PVOID padding scales with the pointer width, so the same
     * declaration serves x86 and x64 native processes.
     *
     * This file only dereferences ProcessParameters (see ProcessMon); the
     * remaining fields are present purely to keep the offsets right.  The PEB
     * is user-mode memory of the target process: it is only reachable after
     * KeStackAttachProcess, and its contents must be treated as untrusted.
     * NOTE(review): the field list appears to mirror the public winternl.h
     * declaration -- confirm against the SDK version in use before relying on
     * any offset other than ProcessParameters.
     */
    typedef struct _PEB {
        BYTE Reserved1[2];
        BYTE BeingDebugged;                             /* not read by this driver */
        BYTE Reserved2[1];
        PVOID Reserved3[2];
        PPEB_LDR_DATA Ldr;                              /* not read by this driver */
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters; /* user-mode pointer; may be NULL */
        BYTE Reserved4[104];
        PVOID Reserved5[52];
        PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
        BYTE Reserved6[128];
        PVOID Reserved7[1];
        ULONG SessionId;
    } PEB, *PPEB;
    
    #endif
    #include <Ntifs.h>
    #include <ntddk.h>
    #include <Ntstrsafe.h>
    #include "typedef.h"
    
    DRIVER_INITIALIZE       DriverEntry;
    DRIVER_UNLOAD           UnloadDevice;
    DRIVER_DISPATCH         DispatchGen;
    
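    /*
     * Process-creation callback registered in DriverEntry through
     * PsSetCreateProcessNotifyRoutine.  For each newly created process it
     * looks up the EPROCESS, obtains the process's PEB via the exported kernel
     * routine PsGetProcessPeb, attaches to the process's address space, and
     * prints ImagePathName and CommandLine from the PEB's
     * RTL_USER_PROCESS_PARAMETERS with DbgPrint.  Exit notifications
     * (In_BIsCreate == FALSE) are ignored.
     *
     * In_hParentId   - PID of the creating process (unused).
     * In_hProcessId  - PID of the process being created (or exiting).
     * In_BIsCreate   - TRUE for creation, FALSE for exit.
     *
     * Security note: the PEB, the ProcessParameters block and the string
     * buffers all live in the new process's user-mode address space, and the
     * parent (or anything else holding a handle to the child) may have written
     * them before this callback runs.  They are therefore handled as untrusted
     * input:
     *   - every user pointer is ProbeForRead()'d before it is dereferenced,
     *   - the UNICODE_STRING descriptors are copied into kernel locals so the
     *     Length/Buffer that get validated are the ones that get used,
     *   - all user-memory access sits inside __try/__except, because
     *     ProbeForRead only checks the address range, not that the pages are
     *     actually present.
     * Without this, a bogus ProcessParameters pointer would bugcheck the
     * machine and a UNICODE_STRING whose Buffer points into kernel space would
     * copy kernel memory into the debug output.
     */
    VOID ProcessMon(HANDLE In_hParentId, HANDLE In_hProcessId, BOOLEAN In_BIsCreate)
    {
        ANSI_STRING                     astrProcessImage = {0};
        ANSI_STRING                     astrProcessParam = {0};
        UNICODE_STRING                  unstrImage       = {0};   /* kernel copy of ImagePathName descriptor */
        UNICODE_STRING                  unstrCmdLine     = {0};   /* kernel copy of CommandLine descriptor */
        UNICODE_STRING                  unstrFunName     = {0};
        PPEB                            pPEB             = NULL;
        PRTL_USER_PROCESS_PARAMETERS    pParam           = NULL;
        PEPROCESS                       pEProcess        = NULL;
        P_PsGetProcessPeb               PsGetProcessPeb  = NULL;
        KAPC_STATE                      KAPC             = {0};
        BOOLEAN                         BIsAttached      = FALSE;
        BOOLEAN                         BHaveImage       = FALSE;
        BOOLEAN                         BHaveCmdLine     = FALSE;

        UNREFERENCED_PARAMETER(In_hParentId);

        if (In_BIsCreate == FALSE)
        {
            goto fun_ret;
        }

        /* Takes a reference on the EPROCESS; released at fun_ret. */
        if (!NT_SUCCESS(PsLookupProcessByProcessId(In_hProcessId, &pEProcess)))
        {
            goto fun_ret;
        }

        /* PsGetProcessPeb is exported by ntoskrnl but not declared in the DDK
         * headers, so it is resolved by name at run time. */
        RtlInitUnicodeString(&unstrFunName, L"PsGetProcessPeb");
        PsGetProcessPeb = (P_PsGetProcessPeb)MmGetSystemRoutineAddress(&unstrFunName);
        if (PsGetProcessPeb == NULL)
        {
            goto fun_ret;
        }

        /* NULL for processes that have no user-mode PEB. */
        pPEB = PsGetProcessPeb(pEProcess);
        if (pPEB == NULL)
        {
            goto fun_ret;
        }

        /* Per the PsSetCreateProcessNotifyRoutine contract this runs in the
         * creating thread's context, so the new process's user-mode memory is
         * only reachable after attaching to it. */
        KeStackAttachProcess(pEProcess, &KAPC);
        BIsAttached = TRUE;

        __try
        {
            ProbeForRead(pPEB, sizeof(PEB), TYPE_ALIGNMENT(PEB));
            pParam = pPEB->ProcessParameters;
            if (pParam != NULL)
            {
                ProbeForRead(pParam,
                             sizeof(RTL_USER_PROCESS_PARAMETERS),
                             TYPE_ALIGNMENT(RTL_USER_PROCESS_PARAMETERS));

                /* Capture the descriptors first: a concurrent writer in the
                 * target must not be able to change Length/Buffer between the
                 * probe below and the copy (TOCTOU). */
                unstrImage   = pParam->ImagePathName;
                unstrCmdLine = pParam->CommandLine;

                if (unstrImage.Buffer != NULL && unstrImage.Length != 0)
                {
                    ProbeForRead(unstrImage.Buffer, unstrImage.Length, TYPE_ALIGNMENT(WCHAR));
                    /* AllocateDestinationString == TRUE: the ANSI copy lands
                     * in kernel pool, so it remains valid after detaching. */
                    BHaveImage = NT_SUCCESS(RtlUnicodeStringToAnsiString(
                                     &astrProcessImage, &unstrImage, TRUE));
                }
                if (unstrCmdLine.Buffer != NULL && unstrCmdLine.Length != 0)
                {
                    ProbeForRead(unstrCmdLine.Buffer, unstrCmdLine.Length, TYPE_ALIGNMENT(WCHAR));
                    BHaveCmdLine = NT_SUCCESS(RtlUnicodeStringToAnsiString(
                                       &astrProcessParam, &unstrCmdLine, TRUE));
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            /* Invalid, unmapped or hostile user memory: whatever was not
             * captured before the fault simply is not printed.  Any ANSI
             * buffer already allocated is released at fun_ret. */
        }

        /* Detach before printing: the ANSI copies are in kernel pool, so
         * nothing below needs the target's address space any more. */
        KeUnstackDetachProcess(&KAPC);
        BIsAttached = FALSE;

        /* HANDLE is pointer-sized; HandleToULong hands %u a 32-bit value on
         * both x86 and x64 instead of relying on varargs slot width.  %Z
         * prints a counted ANSI_STRING and does not depend on the converted
         * buffer being NUL-terminated. */
        if (BHaveImage)
        {
            DbgPrint("PID::%u\t%Z\n", HandleToULong(In_hProcessId), &astrProcessImage);
        }
        if (BHaveCmdLine)
        {
            DbgPrint("PID::%u\t%Z\n", HandleToULong(In_hProcessId), &astrProcessParam);
        }

    fun_ret:
        if (BIsAttached != FALSE)
        {
            KeUnstackDetachProcess(&KAPC);
        }
        if (pEProcess != NULL)
        {
            ObDereferenceObject(pEProcess);
            pEProcess = NULL;
        }
        /* As in the original, these rely on RtlFreeAnsiString tolerating a
         * zero-initialised string whose Buffer was never allocated. */
        RtlFreeAnsiString(&astrProcessImage);
        RtlFreeAnsiString(&astrProcessParam);
        return;
    }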
    
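    /*
     * Catch-all IRP dispatch routine installed for every major function in
     * DriverEntry.  The driver exposes no real I/O interface, so each request
     * is completed immediately with STATUS_SUCCESS and zero bytes transferred.
     *
     * In_pDevObj - the device object the IRP was sent to (only NULL-checked).
     * In_pIRP    - the request to complete.
     * Returns STATUS_SUCCESS, or STATUS_INVALID_PARAMETER if either pointer is
     * NULL (the I/O manager never passes NULL here, but the check is cheap).
     */
    NTSTATUS DispatchGen(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
    {
        if (In_pDevObj == NULL || In_pIRP == NULL)
        {
            /* The original returned STATUS_SEVERITY_ERROR (0x3).  That is a
             * severity field value, not an NTSTATUS: NT_SUCCESS(0x3) is TRUE,
             * so the failure was being reported as success. */
            return STATUS_INVALID_PARAMETER;
        }

        In_pIRP->IoStatus.Information = 0;
        In_pIRP->IoStatus.Status = STATUS_SUCCESS;
        IoCompleteRequest(In_pIRP, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }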
    
    /*
     * Driver unload routine.  Deregisters the process-creation callback first,
     * so no new ProcessMon invocations can start once the image is gone, then
     * deletes the single unnamed device object created in DriverEntry.
     *
     * In_pDriObj - the driver object being unloaded.
     */
    VOID UnloadDevice(PDRIVER_OBJECT In_pDriObj)
    {
        /* Remove == TRUE: unhook ProcessMon. */
        PsSetCreateProcessNotifyRoutine(ProcessMon, TRUE);

        if (In_pDriObj == NULL)
        {
            return;
        }
        IoDeleteDevice(In_pDriObj->DeviceObject);
    }
    
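    /*
     * Driver entry point.  Installs DispatchGen for every IRP major function,
     * sets the unload routine, creates one unnamed device object, and
     * registers ProcessMon as a process-creation notify routine.
     *
     * In_pDriObj       - the driver object supplied by the I/O manager.
     * In_punstrRegPath - the driver's registry path (unused).
     * Returns STATUS_SUCCESS, the failure status from IoCreateDevice or
     * PsSetCreateProcessNotifyRoutine, or STATUS_INVALID_PARAMETER if either
     * argument is NULL.
     */
    NTSTATUS DriverEntry(PDRIVER_OBJECT In_pDriObj, PUNICODE_STRING In_punstrRegPath)
    {
        ULONG       uli         = 0;
        NTSTATUS    stRetVal    = STATUS_SUCCESS;
        PDEVICE_OBJECT  pDevObj = NULL;

        if (In_pDriObj == NULL || In_punstrRegPath == NULL)
        {
            /* STATUS_SEVERITY_ERROR (0x3) is a severity field, not an NTSTATUS;
             * NT_SUCCESS(0x3) is TRUE, so returning it would let the load
             * proceed.  Report a real error code instead. */
            stRetVal = STATUS_INVALID_PARAMETER;
            goto fun_ret;
        }

        for (uli = 0; uli <= IRP_MJ_MAXIMUM_FUNCTION; uli ++)
        {
            In_pDriObj->MajorFunction[uli] = DispatchGen;
        }
        In_pDriObj->DriverUnload = UnloadDevice;

        stRetVal = IoCreateDevice(In_pDriObj, 0, NULL, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
        if (!NT_SUCCESS(stRetVal))
        {
            goto fun_ret;
        }

        stRetVal = PsSetCreateProcessNotifyRoutine(ProcessMon, FALSE);
        if (!NT_SUCCESS(stRetVal))
        {
            /* DriverUnload is not called when DriverEntry fails, so the device
             * created above must be torn down here; otherwise it outlives the
             * driver image it points at. */
            IoDeleteDevice(pDevObj);
            pDevObj = NULL;
        }

    fun_ret:
        return stRetVal;
    }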
  • 原文地址:https://www.cnblogs.com/codeape/p/3449382.html