堆栈内存溢出
  简体   繁体   English

进程监控CreateProcessNotifyRoutineEx

[英]Process monitoring CreateProcessNotifyRoutineEx

 原文  2013-12-10 18:55:49       process/ driver/ monitoring

问题描述

I'm developing a driver for monitoring process creation, I wrote a simple code to do it. 我正在开发一个用于监视进程创建的驱动程序,我编写了一个简单的代码来完成它。 I use the PsSetCreateProcessNotifyRoutineEx . 我使用PsSetCreateProcessNotifyRoutineEx But this doesn't work ! 但这不起作用! I exactly following Microsoft help on this link 我正在关注此链接上的 Microsoft帮助 

#include <ntddk.h>

NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,  
    IN PUNICODE_STRING RegistryPath
    );

VOID UnloadRoutine(
    IN PDRIVER_OBJECT DriverObject
    );

VOID CreateProcessNotifyEx(
    __inout   PEPROCESS Process,
    __in      HANDLE ProcessId,
    __in_opt  PPS_CREATE_NOTIFY_INFO CreateInfo
);



VOID CreateProcessNotifyEx(
    __inout   PEPROCESS Process,
    __in      HANDLE ProcessId,
    __in_opt  PPS_CREATE_NOTIFY_INFO CreateInfo

)
{
    if (CreateInfo)
    {
        if(CreateInfo->FileOpenNameAvailable==TRUE)
        {
            DbgPrintEx( 
                DPFLTR_IHVDRIVER_ID,  
                DPFLTR_INFO_LEVEL,
                "PID : 0x%X (%d)  ImageName :%wZ CmdLine : %wZ \n",
                ProcessId,ProcessId,
                CreateInfo->ImageFileName,
                CreateInfo->CommandLine
                );
        }
    }

}


VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject)
{
    PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)  CreateProcessNotifyEx, TRUE);
    DbgPrintEx( DPFLTR_IHVDRIVER_ID,  DPFLTR_INFO_LEVEL,"Unloaded\n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,  IN PUNICODE_STRING RegistryPath)
{

    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)CreateProcessNotifyEx, FALSE);
  if(!NT_SUCCESS(status))
  {
     DbgPrintEx( DPFLTR_IHVDRIVER_ID,  DPFLTR_ERROR_LEVEL,"Faild to PsSetCreateProcessNotifyRoutineEx .status : 0x%X \n",status);
  }
    DriverObject->DriverUnload = UnloadRoutine;
     DbgPrintEx( DPFLTR_IHVDRIVER_ID,  DPFLTR_INFO_LEVEL,"Load\n");

    return STATUS_SUCCESS; 

}

This drive load and run correctly but when run a program(new process), Doesn't happen any thing and can't register PsSetCreateProcessNotifyRoutineEx and i got 0xC0000022 Error (Access Denied). 这个驱动器加载并正确运行但是当运行程序(新进程)时,没有发生任何事情并且无法注册PsSetCreateProcessNotifyRoutineEx并且我得到0xC0000022错误(访问被拒绝)。 在此输入图像描述

Any idea ? 任何的想法 ?

1 个解决方案

解决方案1
 6 已采纳  2013-12-10 20:35:08

Always i have to find my answer ;) 总是我必须找到答案;)

For passing this problem only need to add this value LINKER_FLAGS=/integritycheck to SOURCE file ! 要传递此问题,只需将此值LINKER_FLAGS=/integritycheck到SOURCE文件中!

Before : 之前: 

TARGETNAME=ProcView
TARGETPATH=.
TARGETTYPE=DRIVER

SOURCES=ProcView.c

Now : 现在: 

TARGETNAME=ProcView
TARGETPATH=.
TARGETTYPE=DRIVER
LINKER_FLAGS=/integritycheck
SOURCES=ProcView.c

在此输入图像描述

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 过程监控 - Process Monitoring 监控远程进程 - Monitoring a remote process 在Windows中监控进程 - Monitoring a process in Windows Erlang进程监控自身 - Erlang process monitoring itself 监控所有流程的执行情况 - Monitoring the execution of all process 流程操作(监控) - Process Operations (Monitoring) API 对特定进程的监控 - API Monitoring on a specific process 使用Python自动进行流程监控/管理 - Automatic process monitoring/management with Python Linux进程性能监视代理 - Linux process performance monitoring agent C ++流程监控(GetExitCodeProcess) - C++ Process Monitoring (GetExitCodeProcess)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM