In Windows NT, the 80386 protected mode "protection" is more robust than Windows 95, the "gilded cage" more solid, more difficult to break. In Windows 95, at least the application I / O operation is unrestricted, Windows NT application even this permission are deprived. Less likely to enter in the NT almost real ring0 layer.
In Windows NT, there are three Device Driver:
1. "Virtual device Driver" (VDD). VDD, 16-bit applications, such as DOS and Win16 applications can access specific I / O ports (Note, not direct access, but to VDD to access).
2. "GDI Driver", display and print the necessary GDI functions.
3. "Kernel Mode Driver", the operation of specific hardware, for example, CreateFile, CloseHandle (file object), ReadFile, WriteFile, the DeviceIoControl other operations. "Kernel Mode Driver" Windows NT hardware interrupt and DMA operation Driver. SCSI port driver and NIC NDIS driver Kernel Mode Driver is a special form.
Visual studio2012 Windows8 bring new experience exceptionally different
1.Start Vs2012
2.Seen everywhere driven development template
3.Select a drive mode, there are two types of kernel mode and user mode driver
4 Create a driver, KMDF DriverMVP
We choose a kernel mode driver Below is created after the success of the interface are the driver, and the driver installation package
Press F5, select the drive compile
Insert the following code to the kernel process creation
~~~
#include "ProcMon.h"
#include "../inc/ioctls.h"
//
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
//
// 全局变量
//
PDEVICE_OBJECT g_pDeviceObject;
//
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
//
// 函数实现
//
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING ntDeviceName;
UNICODE_STRING dosDeviceName;
UNICODE_STRING ProcessEventString;
PDEVICE_EXTENSION deviceExtension;
PDEVICE_OBJECT deviceObject = NULL;
KdPrint(("[ProcMon] DriverEntry: %wZ\n", RegistryPath));
//
// 创建设备对象
//
RtlInitUnicodeString(&ntDeviceName, PROCMON_DEVICE_NAME_W);
Status = IoCreateDevice(
DriverObject,
sizeof(DEVICE_EXTENSION), // DeviceExtensionSize
&ntDeviceName, // DeviceName
FILE_DEVICE_PROCMON, // DeviceType
0, // DeviceCharacteristics
TRUE, // Exclusive
&deviceObject // [OUT]
);
if(!NT_SUCCESS(Status))
{
KdPrint(("[ProcMon] IoCreateDevice Error Code = 0x%X\n", Status));
return Status;
}
//
// 设置扩展结构
//
deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
//
// Set up synchronization objects, state info,, etc.
//
deviceObject->Flags |= DO_BUFFERED_IO;
//
// 创建符号链接
//
RtlInitUnicodeString(&dosDeviceName, PROCMON_DOS_DEVICE_NAME_W);
Status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
if(!NT_SUCCESS(Status))
{
KdPrint(("[ProcMon] IoCreateSymbolicLink Error Code = 0x%X\n", Status));
IoDeleteDevice(deviceObject);
return Status;
}
//
// 分发IRP
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = ProcmonDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = ProcmonDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ProcmonDispatchDeviceControl;
DriverObject->DriverUnload = ProcmonUnload;
//
// 保存设备对象指针
//
g_pDeviceObject = deviceObject;
//
// 创建事件对象与应用层通信
//
RtlInitUnicodeString(&ProcessEventString, EVENT_NAME);
deviceExtension->ProcessEvent = IoCreateNotificationEvent(&ProcessEventString, &deviceExtension->hProcessHandle);
KeClearEvent(deviceExtension->ProcessEvent); // 非受信状态
//
// 设置回调例程
//
Status = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
return Status;
}
NTSTATUS
ProcmonDispatchCreate(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
KdPrint(("[ProcMon] IRP_MJ_CREATE\n"));
Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
NTSTATUS
ProcmonDispatchClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
KdPrint(("[ProcMon] IRP_MJ_CLOSE\n"));
Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
NTSTATUS
ProcmonDispatchDeviceControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS Status = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack;
PDEVICE_EXTENSION deviceExtension;
ULONG inBufLength, outBufLength;
ULONG ioControlCode;
PCALLBACK_INFO pCallbackInfo;
// 获取当前设备栈
irpStack = IoGetCurrentIrpStackLocation(Irp);
deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
// 提取信息
pCallbackInfo = Irp->AssociatedIrp.SystemBuffer;
inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
// 处理不同的IOCTL
switch (ioControlCode)
{
case IOCTL_PROC_MON:
{
KdPrint(("[ProcMon] IOCTL: 0x%X", ioControlCode));
if (outBufLength >= sizeof(PCALLBACK_INFO))
{
pCallbackInfo->hParentId = deviceExtension->hParentId;
pCallbackInfo->hProcessId = deviceExtension->hProcessId;
pCallbackInfo->bCreate = deviceExtension->bCreate;
Irp->IoStatus.Information = outBufLength;
}
break;
}
default:
{
Status = STATUS_INVALID_PARAMETER;
Irp->IoStatus.Information = 0;
KdPrint(("[ProcMon] Unknown IOCTL: 0x%X (%04X,%04X)", \
ioControlCode, DEVICE_TYPE_FROM_CTL_CODE(ioControlCode), \
IoGetFunctionCodeFromCtlCode(ioControlCode)));
break;
}
}
Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
VOID
ProcmonUnload(
IN PDRIVER_OBJECT DriverObject
)
{
UNICODE_STRING dosDeviceName;
//
// Free any resources
//
// 卸载回调例程
PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
//
// Delete the symbolic link
//
RtlInitUnicodeString(&dosDeviceName, PROCMON_DOS_DEVICE_NAME_W);
IoDeleteSymbolicLink(&dosDeviceName);
//
// Delete the device object
//
IoDeleteDevice(DriverObject->DeviceObject);
KdPrint(("[ProcMon] Unloaded"));
}
VOID
ProcessCallback(
IN HANDLE ParentId, // 父进程ID
IN HANDLE ProcessId, // 发生事件的进程ID
IN BOOLEAN Create // 进程是创建还是终止
)
{
PDEVICE_EXTENSION deviceExtension = (PDEVICE_EXTENSION)g_pDeviceObject->DeviceExtension;
deviceExtension->hParentId = ParentId;
deviceExtension->hProcessId = ProcessId;
deviceExtension->bCreate = Create;
// 触发事件,通知应用程序
KeSetEvent(deviceExtension->ProcessEvent, 0, FALSE);
KeClearEvent(deviceExtension->ProcessEvent);
}
~~~
ring3 application layer calls to get the monitoring process creation
~~~
#include "windows.h"
#include "winioctl.h"
#include "stdio.h"
#include "../inc/ioctls.h"
#define SYMBOL_LINK "\\\\.\\ProcMon"
//#define SYMBOL_LINK "\\\\.\\slNTProcDrv"
int main()
{
CALLBACK_INFO cbkinfo, cbktemp = {0};
// 打开驱动设备对象
HANDLE hDriver = ::CreateFile(
SYMBOL_LINK,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hDriver == INVALID_HANDLE_VALUE)
{
printf("打开驱动设备对象失败!\n");
return -1;
}
// 打开内核事件对象
HANDLE hProcessEvent = ::OpenEventW(SYNCHRONIZE, FALSE, EVENT_NAME);
while (::WaitForSingleObject(hProcessEvent, INFINITE))
{
DWORD dwRet;
BOOL bRet;
bRet = ::DeviceIoControl(
hDriver,
IOCTL_PROC_MON,
NULL,
0,
&cbkinfo,
sizeof(cbkinfo),
&dwRet,
NULL);
if (bRet)
{
if (cbkinfo.hParentId != cbktemp.hParentId || \
cbkinfo.hProcessId != cbktemp.hProcessId || \
cbkinfo.bCreate != cbktemp.bCreate)
{
if (cbkinfo.bCreate)
{
printf("有进程被创建,PID = %d\n", cbkinfo.hProcessId);
}
else
{
printf("有进程被终止,PID = %d\n", cbkinfo.hProcessId);
}
cbktemp = cbkinfo;
}
}
else
{
printf("\n获取进程信息失败!\n");
break;
}
}
::CloseHandle(hDriver);
return 0;
}
~~~
- 前言
- Visual Studio 11开发指南(1) Visual Studio 11简介与新特性
- Visual Studio 11开发指南(2) Visual Studio 11放弃宏处理
- Visual Studio 11开发指南(3)Visual Studio 11开发SharePoint 2011程序
- Visual Studio 11开发指南(4)Visual Studio 11编程语言发展
- Visual Studio 11开发指南(5)Visual Studio 11 IDE增强
- Visual Studio 11开发指南(6)Visual Studio 11平台改进
- Visual Studio 11开发指南(7)NET 4.5的改善
- Visual Studio 11开发指南(8)Visual C++ 11新特色
- Visual Studio 11开发指南(9)Visual C++ 新功能体验
- Visual Studio 11开发指南(10)Visual C++11 IDE 新功能体验
- Visual Studio 11开发指南(11)Visual Studio 11调试游戏
- Visual Studio 11开发指南(12)Visual Studio 11可视化多核多线程编程的行为
- Visual Studio 11开发指南(13)C++11语言新特性
- Visual Studio 11开发指南(14)C++11---C++/ CX设计
- Visual Studio 11开发指南(15)C++11单元测试
- Visual Studio 11开发指南(16)C++11更新-多线程和异步操作管理
- Visual Studio 11开发指南(17)C++11更新- Lambda表达式
- Visual Studio 11开发指南(18)C++11更新-自动矢量器使用
- Visual Studio 11开发指南(19)C++11更新-并行模式库和代理库
- 在 C++ 中使用 PPL 进行异步编程
- 基于VisualStudio11开发Windows8的Metro sample讲解(1)MessageBox
- Visual C++ 11 中新的并发功能
- 基于Windows8与Visual Studio2012开发内核隐藏注册表
- 基于VC++2012在Windows8上实现文件隐藏
- 实现诺基亚 lumia Windows phone 的手机通话记录截取
- 最短代码实现windows8下的下载器-下载安装执行一体化
- 用Visual studio2012在Windows8上开发内核驱动监视线程创建
- 用Visual studio2012在Windows8上开发内核驱动监视进程创建
- 基于Windows8与Visual Studio2012实现杀毒通用模块
- 用Visual studio2012在Windows8上开发内核中隐藏进程
- 用Visual studio11在Windows8上开发内核枚举注册表
- 用Visual studio11在Windows8上开发内核驱动隐藏注册表
- 用Visual studio11在Windows8上开发驱动实现注册表监控和过滤
- 用Visual studio11在Windows8上开发驱动实现内存填0杀进程
- 【CSDN2012年度博客之星】喜欢本博客的读者,投票赠送《visual C++2010开发权威指南》电子稿--感谢支持 ~(截至到2012年12月30日)
- 今天在清华图书馆看到我的杰作,感慨万千,而我要归零一切 !
- use Visual studio2012 developing kernel driver monitor thread creation on Windows8
- To kernel driver monitoring process developed in Windows8 create using Visual studio2012
- Under Windows8 kernel mode development NDIS application-NDIS Filter explain
- use Visual studio2012 development kernel to hidden process on Windows8