Description: 用PsSetCreateProcessNotifyRoutine,PsSetCreateThreadNotifyRoutine来进行进程线程监控我想大家已经都非常熟练了.sinister在<<编写进程/线程监视器>>一文中已经实现得很好了.前一段时间看到网上有人在研究监视远线程的文章,比较有意思.就写代码玩一玩.这之中就出现了一些问题.比方说直接用sinister的代码的话,是不能动态卸载的,因为他在安装了进线程监视函数后没有进行清除动作,造成在动态卸载时蓝屏,BUGCHECK为0x000000ce,错误码为:DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS.很显然,在驱动退出后,一些进线程操作仍然在访问原来的地址,造成出错.在XP后,微软给出了一个函数PsRemoveCreateThreadNotifyRoutine用来清除线程监视函数(清除进程监视的就是PsSetCreateProcessNotifyRoutine).我一直奇怪ICESWORD在2000中是怎么做到进线程监视的.后来才发现,在运行icesword后释放出一个detport.sys文件,然后一直在系统中存在着没有卸载掉.只是把它隐藏了而已^_^.这不是个好消息,难道我为了测试一个驱动,测试一次就得重启一次吗?呵呵,肯定不是啊,所以想办法搞定它.-with PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine thread to process control, I think we had a very skilled. Sinister In "<preparation process / thread monitors>" A text has been achieved in very good. Some time ago the Internet was seen in the surveillance study of the threads from article more interesting. Write playing with a code to play. on this issue, there have been some problems. For example, the direct use of sinister code, the dynamic is not unloaded, because he installed into threads without surveillance function after removal action, resulting in dynamic unloading blue screens, BUGCHECK to 0x000000ce, error code : DRIVER_UNLOADED _WITHOUT_CANCELLING_PENDING_OPERATIONS. It is clear that following the withdrawal of the drive, some threads are sti Platform: |
Size: 7492 |
Author:龙 |
Hits:
Description: 用PsSetCreateProcessNotifyRoutine,PsSetCreateThreadNotifyRoutine来进行进程线程监控我想大家已经都非常熟练了.sinister在<<编写进程/线程监视器>>一文中已经实现得很好了.前一段时间看到网上有人在研究监视远线程的文章,比较有意思.就写代码玩一玩.这之中就出现了一些问题.比方说直接用sinister的代码的话,是不能动态卸载的,因为他在安装了进线程监视函数后没有进行清除动作,造成在动态卸载时蓝屏,BUGCHECK为0x000000ce,错误码为:DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS.很显然,在驱动退出后,一些进线程操作仍然在访问原来的地址,造成出错.在XP后,微软给出了一个函数PsRemoveCreateThreadNotifyRoutine用来清除线程监视函数(清除进程监视的就是PsSetCreateProcessNotifyRoutine).我一直奇怪ICESWORD在2000中是怎么做到进线程监视的.后来才发现,在运行icesword后释放出一个detport.sys文件,然后一直在系统中存在着没有卸载掉.只是把它隐藏了而已^_^.这不是个好消息,难道我为了测试一个驱动,测试一次就得重启一次吗?呵呵,肯定不是啊,所以想办法搞定它.-with PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine thread to process control, I think we had a very skilled. Sinister In "<preparation process/thread monitors>" A text has been achieved in very good. Some time ago the Internet was seen in the surveillance study of the threads from article more interesting. Write playing with a code to play. on this issue, there have been some problems. For example, the direct use of sinister code, the dynamic is not unloaded, because he installed into threads without surveillance function after removal action, resulting in dynamic unloading blue screens, BUGCHECK to 0x000000ce, error code : DRIVER_UNLOADED _WITHOUT_CANCELLING_PENDING_OPERATIONS. It is clear that following the withdrawal of the drive, some threads are sti Platform: |
Size: 7168 |
Author:龙 |
Hits:
Description: PsSetCreateProcessNotifyRoutine 确保该设置一定成功-PsSetCreateProcessNotifyRoutine ensure that the setting of a certain success Platform: |
Size: 17408 |
Author:yql |
Hits:
Description: NT/2K provides a set of APIs, known as "Process Structure Routines" [2] exported by NTOSKRNL. One of these APIs PsSetCreateProcessNotifyRoutine() offers the ability to register system-wide callback function which is called by OS each time when a new process starts, exits or is terminated. The mentioned API can be employed as an easy to implement method for tracking down processes simply by implementing a NT kernel-mode driver and a user mode Win32 control application. The role of the driver is to detect process execution and notifiy the control program about these events. Platform: |
Size: 34816 |
Author:sirpoot |
Hits:
Search - PsSetCreateProcessNotifyRoutine