滴水逆向联盟

标题: To kernel driver monitoring process developed in Windows8 create using Visual... [打印本页]

作者: 大灰狼 时间: 2014-9-26 08:44
标题: To kernel driver monitoring process developed in Windows8 create using Visual...
In Windows NT, the 80386 protected mode "protection" is more robust than Windows 95, the "gilded cage" more solid, more difficult to break. In Windows 95, at least the application I / O operation is unrestricted, Windows NT application even this permission are deprived. Less likely to enter in the NT almost real ring0 layer.
In Windows NT, there are three Device Driver:
  1. "Virtual device Driver" (VDD). VDD, 16-bit applications, such as DOS and Win16 applications can access specific I / O ports (Note, not direct access, but to VDD to access).
  2. "GDI Driver", display and print the necessary GDI functions.
  3. "Kernel Mode Driver", the operation of specific hardware, for example, CreateFile, CloseHandle (file object), ReadFile, WriteFile, the DeviceIoControl other operations. "Kernel Mode Driver" Windows NT hardware interrupt and DMA operation Driver. SCSI port driver and NIC NDIS driver Kernel Mode Driver is a special form.

Visual studio2012 Windows8 bring new experience exceptionally different

1.Start Vs2012

2. Seen everywhere driven development template

3.Select a drive mode, there are two types of kernel mode and user mode driver

4 Create a driver, KMDF DriverMVP

We choose a kernel mode driver Below is created after the success of the interface are the driver, and the driver installation package

Press F5, select the drive compile

Insert the following code to the kernel process creation

[cpp] view plaincopy

#include "ProcMon.h"
#include "../inc/ioctls.h"
//
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
//
// 全局变量
//
PDEVICE_OBJECT g_pDeviceObject;
//
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
//
// 函数实现
//
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING ntDeviceName;
UNICODE_STRING dosDeviceName;
UNICODE_STRING ProcessEventString;
PDEVICE_EXTENSION deviceExtension;
PDEVICE_OBJECT deviceObject = NULL;
KdPrint(("[ProcMon] DriverEntry: %wZ\n", RegistryPath));
//
// 创建设备对象
//
RtlInitUnicodeString(&ntDeviceName, PROCMON_DEVICE_NAME_W);
Status = IoCreateDevice(
DriverObject,
sizeof(DEVICE_EXTENSION), // DeviceExtensionSize
&ntDeviceName, // DeviceName
FILE_DEVICE_PROCMON, // DeviceType
0, // DeviceCharacteristics
TRUE, // Exclusive
&deviceObject // [OUT]
);
if(!NT_SUCCESS(Status))
{
KdPrint(("[ProcMon] IoCreateDevice Error Code = 0x%X\n", Status));
return Status;
}
//
// 设置扩展结构
//
deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
//
// Set up synchronization objects, state info,, etc.
//
deviceObject->Flags |= DO_BUFFERED_IO;
//
// 创建符号链接
//
RtlInitUnicodeString(&dosDeviceName, PROCMON_DOS_DEVICE_NAME_W);
Status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
if(!NT_SUCCESS(Status))
{
KdPrint(("[ProcMon] IoCreateSymbolicLink Error Code = 0x%X\n", Status));
IoDeleteDevice(deviceObject);
return Status;
}
//
// 分发IRP
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = ProcmonDispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = ProcmonDispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ProcmonDispatchDeviceControl;
DriverObject->DriverUnload = ProcmonUnload;
//
// 保存设备对象指针
//
g_pDeviceObject = deviceObject;
//
// 创建事件对象与应用层通信
//
RtlInitUnicodeString(&ProcessEventString, EVENT_NAME);
deviceExtension->ProcessEvent = IoCreateNotificationEvent(&ProcessEventString, &deviceExtension->hProcessHandle);
KeClearEvent(deviceExtension->ProcessEvent); // 非受信状态
//
// 设置回调例程
//
Status = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
return Status;
}
NTSTATUS
ProcmonDispatchCreate(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
KdPrint(("[ProcMon] IRP_MJ_CREATE\n"));
Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
NTSTATUS
ProcmonDispatchClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
KdPrint(("[ProcMon] IRP_MJ_CLOSE\n"));
Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
NTSTATUS
ProcmonDispatchDeviceControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS Status = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack;
PDEVICE_EXTENSION deviceExtension;
ULONG inBufLength, outBufLength;
ULONG ioControlCode;
PCALLBACK_INFO pCallbackInfo;
// 获取当前设备栈
irpStack = IoGetCurrentIrpStackLocation(Irp);
deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
// 提取信息
pCallbackInfo = Irp->AssociatedIrp.SystemBuffer;
inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
// 处理不同的IOCTL
switch (ioControlCode)
{
case IOCTL_PROC_MON:
{
KdPrint(("[ProcMon] IOCTL: 0x%X", ioControlCode));
if (outBufLength >= sizeof(PCALLBACK_INFO))
{
pCallbackInfo->hParentId = deviceExtension->hParentId;
pCallbackInfo->hProcessId = deviceExtension->hProcessId;
pCallbackInfo->bCreate = deviceExtension->bCreate;
Irp->IoStatus.Information = outBufLength;
}
break;
}
default:
{
Status = STATUS_INVALID_PARAMETER;
Irp->IoStatus.Information = 0;
KdPrint(("[ProcMon] Unknown IOCTL: 0x%X (%04X,%04X)", \
ioControlCode, DEVICE_TYPE_FROM_CTL_CODE(ioControlCode), \
IoGetFunctionCodeFromCtlCode(ioControlCode)));
break;
}
}
Irp->IoStatus.Status = Status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Status;
}
VOID
ProcmonUnload(
IN PDRIVER_OBJECT DriverObject
)
{
UNICODE_STRING dosDeviceName;
//
// Free any resources
//
// 卸载回调例程
PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
//
// Delete the symbolic link
//
RtlInitUnicodeString(&dosDeviceName, PROCMON_DOS_DEVICE_NAME_W);
IoDeleteSymbolicLink(&dosDeviceName);
//
// Delete the device object
//
IoDeleteDevice(DriverObject->DeviceObject);
KdPrint(("[ProcMon] Unloaded"));
}
VOID
ProcessCallback(
IN HANDLE ParentId, // 父进程ID
IN HANDLE ProcessId, // 发生事件的进程ID
IN BOOLEAN Create // 进程是创建还是终止
)
{
PDEVICE_EXTENSION deviceExtension = (PDEVICE_EXTENSION)g_pDeviceObject->DeviceExtension;
deviceExtension->hParentId = ParentId;
deviceExtension->hProcessId = ProcessId;
deviceExtension->bCreate = Create;
// 触发事件，通知应用程序
KeSetEvent(deviceExtension->ProcessEvent, 0, FALSE);
KeClearEvent(deviceExtension->ProcessEvent);
}

ring3 application layer calls to get the monitoring process creation

[cpp] view plaincopy

#include "windows.h"
#include "winioctl.h"
#include "stdio.h"
#include "../inc/ioctls.h"
#define SYMBOL_LINK "\\\\.\\ProcMon"
//#define SYMBOL_LINK "\\\\.\\slNTProcDrv"
int main()
{
CALLBACK_INFO cbkinfo, cbktemp = {0};
// 打开驱动设备对象
HANDLE hDriver = ::CreateFile(
SYMBOL_LINK,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hDriver == INVALID_HANDLE_VALUE)
{
printf("打开驱动设备对象失败！\n");
return -1;
}
// 打开内核事件对象
HANDLE hProcessEvent = ::OpenEventW(SYNCHRONIZE, FALSE, EVENT_NAME);
while (::WaitForSingleObject(hProcessEvent, INFINITE))
{
DWORD dwRet;
BOOL bRet;
bRet = ::DeviceIoControl(
hDriver,
IOCTL_PROC_MON,
NULL,
0,
&cbkinfo,
sizeof(cbkinfo),
&dwRet,
NULL);
if (bRet)
{
if (cbkinfo.hParentId != cbktemp.hParentId || \
cbkinfo.hProcessId != cbktemp.hProcessId || \
cbkinfo.bCreate != cbktemp.bCreate)
{
if (cbkinfo.bCreate)
{
printf("有进程被创建，PID = %d\n", cbkinfo.hProcessId);
}
else
{
printf("有进程被终止，PID = %d\n", cbkinfo.hProcessId);
}
cbktemp = cbkinfo;
}
}
else
{
printf("\n获取进程信息失败！\n");
break;
}
}
::CloseHandle(hDriver);
return 0;
}

欢迎光临滴水逆向联盟 (http://www.dtdebug.com/)