Process monitoring: CreateProcessNotifyRoutineEx

Problem description

I'm developing a driver for monitoring process creation, and I wrote a simple piece of code to do it. I use PsSetCreateProcessNotifyRoutineEx, but it doesn't work! I followed Microsoft's help at this link exactly:

#include <ntddk.h>

NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    );

VOID UnloadRoutine(
    IN PDRIVER_OBJECT DriverObject
    );

VOID CreateProcessNotifyEx(
    __inout   PEPROCESS Process,
    __in      HANDLE ProcessId,
    __in_opt  PPS_CREATE_NOTIFY_INFO CreateInfo
    );

/* Called for every process creation (CreateInfo != NULL) and every process exit (CreateInfo == NULL). */
VOID CreateProcessNotifyEx(
    __inout   PEPROCESS Process,
    __in      HANDLE ProcessId,
    __in_opt  PPS_CREATE_NOTIFY_INFO CreateInfo
    )
{
    UNREFERENCED_PARAMETER(Process);

    /* CommandLine may be NULL even when the image name is available, so check it before passing it to %wZ. */
    if (CreateInfo && CreateInfo->FileOpenNameAvailable && CreateInfo->CommandLine)
    {
        DbgPrintEx(
            DPFLTR_IHVDRIVER_ID,
            DPFLTR_INFO_LEVEL,
            "PID : 0x%X (%u)  ImageName :%wZ CmdLine : %wZ \n",
            HandleToULong(ProcessId), HandleToULong(ProcessId),   /* HANDLE is pointer-sized; %X and %u expect 32-bit values */
            CreateInfo->ImageFileName,
            CreateInfo->CommandLine
            );
    }
}

VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    /* Remove == TRUE unregisters the callback. */
    PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)CreateProcessNotifyEx, TRUE);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "Unloaded\n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Remove == FALSE registers the callback. */
    status = PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)CreateProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "Failed to PsSetCreateProcessNotifyRoutineEx. status : 0x%X \n", status);
        /* Fail the load instead of reporting success with no callback registered
           (the unload routine would otherwise try to remove a callback that was never set). */
        return status;
    }

    DriverObject->DriverUnload = UnloadRoutine;
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "Load\n");

    return STATUS_SUCCESS;
}

This driver loads and runs correctly, but when I run a program (a new process) nothing happens; it can't register PsSetCreateProcessNotifyRoutineEx, and I get the 0xC0000022 error (Access Denied).

Any ideas?

Recommended answer

I always have to find my own answer ;)

To get past this problem you only need to add LINKER_FLAGS=/integritycheck to the SOURCES file!

Before:

TARGETNAME=ProcView
TARGETPATH=.
TARGETTYPE=DRIVER

SOURCES=ProcView.c

Now:

TARGETNAME=ProcView
TARGETPATH=.
TARGETTYPE=DRIVER
LINKER_FLAGS=/integritycheck
SOURCES=ProcView.c
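The /integritycheck linker flag works by setting the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit (0x0080) in the PE optional header, and the kernel refuses PsSetCreateProcessNotifyRoutineEx registrations from images without it, which is the STATUS_ACCESS_DENIED (0xC0000022) above. The following C program is an added example, not part of the original question or answer: it reads that bit from a PE header so you can confirm that the rebuilt .sys really carries the flag; the synthetic header built by build_sample_pe is constructed test data, not a real driver.

```c
/* Checks a PE image for IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080), the bit that /integritycheck sets and PsSetCreateProcessNotifyRoutineEx requires. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FORCE_INTEGRITY 0x0080u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
/* 1 = bit set, 0 = bit clear, -1 = not a well-formed PE32/PE32+ header. */
int pe_has_force_integrity(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;               /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                   /* e_lfanew */
    if (pe > len - 24 || rd32(img + pe) != 0x00004550) return -1;    /* "PE\0\0" */
    size_t opt = pe + 24, opt_len = rd16(img + pe + 20);             /* optional header */
    if (opt_len < 0x48 || opt + 0x48 > len) return -1;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10B && magic != 0x20B) return -1;                  /* PE32 or PE32+ */
    return (rd16(img + opt + 0x46) & FORCE_INTEGRITY) ? 1 : 0;       /* DllCharacteristics: offset 0x46 in both layouts */
}
/* Constructed sample: a synthetic PE32+ header (not a real driver) with the given flags. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t dll_characteristics)
{
    const size_t pe = 0x40, opt = pe + 24, total = opt + 0xF0;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, 0x5A4D); buf[0x3C] = (uint8_t)pe;                      /* "MZ", e_lfanew */
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 20, 0xF0); wr16(buf + opt, 0x20B);               /* SizeOfOptionalHeader, PE32+ magic */
    wr16(buf + opt + 0x46, dll_characteristics);
    return total;
}
/* Reads the header of an on-disk image (e.g. the rebuilt ProcView.sys) and classifies it. */
int pe_file_has_force_integrity(const char *path)
{
    uint8_t hdr[4096]; FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f); fclose(f);
    return pe_has_force_integrity(hdr, n);
}
int main(int argc, char **argv)
{
    uint8_t buf[512]; size_t n = build_sample_pe(buf, sizeof buf, 0x0160 | FORCE_INTEGRITY);
    printf("synthetic header: %d\n", pe_has_force_integrity(buf, n));  /* prints 1 */
    if (argc > 1) printf("%s: %d\n", argv[1], pe_file_has_force_integrity(argv[1]));
    return 0;
}
```

Run it with the path to the built driver as its only argument; 1 means the flag is present, 0 means the image was linked without /integritycheck.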


08-23 05:52