int main(void) { pid_t eu, pai; int i; GetPIDs(&eu, &pai); printf("=============== RAIZ =============\n"); printf("Pid Filho = GetPIDs[%d] e getpid[%d] \n",eu, getpid()); printf("Pid Pai = GetPIDs[%d] e getppid[%d] \n",pai, getppid()); printf("==================================\n"); for (i = 0; i < NIVEIS_FORK; i++) { int ehPai = fork(); if (ehPai) { break; } GetPIDs(&eu, &pai); printf("=============== NIVEL[%d] =============\n", i+1); printf("Pid Filho = GetPIDs[%d] e getpid[%d] \n",eu, getpid()); printf("Pid Pai = GetPIDs[%d] e getppid[%d] \n",pai, getppid()); printf("=======================================\n"); } return 0; }
pid_t CSysinfo::FindThreadProcess (DWORD find_tid) { ExtArray<pid_t> pids(256); ExtArray<DWORD> tids; int num_pids; int num_tids; num_pids = GetPIDs (pids); for (int s=0; s<num_pids; s++) { num_tids = GetTIDs (pids[s], tids); for (int l=0; l<num_tids; l++) { if (find_tid == tids[l]) return pids[s]; } } return 0xffffffff; }
NTSTATUS DispatchDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP IRP) { KdPrint(("==>DriverDeviceControl\n")); NTSTATUS ntStatus = STATUS_UNSUCCESSFUL; ULONG tmpLen=0; PIO_STACK_LOCATION pIoStackIrp = IoGetCurrentIrpStackLocation(IRP); switch (pIoStackIrp->Parameters.DeviceIoControl.IoControlCode) { case IOCTL_SET_PROTECT_PID: KdPrint(("IOCTL_SET_PROTECT_PID\n")); { unsigned char pUnPack[256]; int unPackLength; unPackLength=DownloadUnPack((unsigned char *)IRP->AssociatedIrp.SystemBuffer,pIoStackIrp->Parameters.DeviceIoControl.InputBufferLength,pUnPack); if (unPackLength>0) { PPID_INFO pInputBuffer = (PPID_INFO)pUnPack; int iStringLength = unPackLength; if(iStringLength != sizeof(PID_INFO)) // The PID should contain exactly 1 member. break; __int64 elapsedTime = __rdtsc() - pInputBuffer->currentTime; KdPrint(("IOCTL_SET_PROTECT_PID elapsed time: %I64d.\n", elapsedTime)); if((elapsedTime > COMMUNICATE_TIME_LIMIT)||(elapsedTime <=COMMUNICATE_TIME_DOWN)) { KdPrint(("IOCTL_SET_PROTECT_PID exceeds time limit.\n")); } else { // 加入进程 ID AddProtectPID(pInputBuffer->PID[0]); } ntStatus = STATUS_SUCCESS; } } break; case IOCTL_GET_PROTECT_PIDS: KdPrint(("IOCTL_GET_PROTECT_PIDS\n")); if (IRP->MdlAddress) { PPID_INFO pUserBuffer = (PPID_INFO)MmGetSystemAddressForMdlSafe(IRP->MdlAddress, NormalPagePriority); ULONG OutputLength = pIoStackIrp->Parameters.DeviceIoControl.OutputBufferLength; ULONG PIDLength = OutputLength - sizeof(PID_INFO) + sizeof(UINT32);//1025*sizeof(unsigned int),last one for another // add by bh PPID_INFO tmpBuf=(PPID_INFO)ExAllocatePoolWithTag(PagedPool,OutputLength-sizeof(UINT32),'bnak'); if(!tmpBuf) return ntStatus; ///judge safe KdPrint(("entry check hook safe!\n")); if(checkHookSafe()) { KdPrint((" safe!\n")); tmpBuf->count = GetPIDs(tmpBuf->PID, PIDLength / sizeof(UINT32)); tmpBuf->currentTime = __rdtsc(); ULONG bufLength=sizeof(PID_INFO)+tmpBuf->count*sizeof(UINT32); tmpLen = UploadPack((PUCHAR)tmpBuf , bufLength , (PUCHAR)pUserBuffer); } else { KdPrint( (" unfalse\n")); RtlZeroMemory(tmpBuf,OutputLength-sizeof(UINT32)); tmpLen=0; } /// //pUserBuffer->count = GetPIDs(pUserBuffer->PID, PIDLength / sizeof(UINT32)); //pUserBuffer->currentTime = __rdtsc(); ExFreePoolWithTag(tmpBuf,'bnak'); ///// end ntStatus = STATUS_SUCCESS; } break; case IOCTL_SET_SECU_PATHS: KdPrint(("IOCTL_SET_SECU_PATHS\n")); { /////////////////add by bh if(!g_tmpB) setStartTime(); ////////////////end /*PUCHAR pInputBuffer = (PUCHAR)IRP->AssociatedIrp.SystemBuffer; int iStringLength = pIoStackIrp->Parameters.DeviceIoControl.InputBufferLength; ClearSecurePaths(); ULONG index = 0; while(index < iStringLength) { ULONG length = *(PULONG)((ULONG)pInputBuffer + index); index += 4; if(index + length >= iStringLength) break; AddSecurePath((WCHAR*)((ULONG)pInputBuffer + index), length); index += length * 2 + 2; }*/ ntStatus = STATUS_SUCCESS; } break; case IOCTL_SET_SECU_MD5: KdPrint(("IOCTL_SET_SECU_MD5\n")); { PUCHAR pInputBuffer; int iStringLength = pIoStackIrp->Parameters.DeviceIoControl.InputBufferLength; unsigned char * pUnPack=(UCHAR *)ExAllocatePoolWithTag(PagedPool,iStringLength,'knab'); int unPackLength; unPackLength=DownloadUnPack((unsigned char *)IRP->AssociatedIrp.SystemBuffer,pIoStackIrp->Parameters.DeviceIoControl.InputBufferLength,pUnPack); //add by bh //iStringLength=*((ULONG*)pUnPack ); RtlCopyBytes((PVOID)&iStringLength,(PVOID)pUnPack,sizeof(ULONG) ); pInputBuffer=pUnPack+sizeof(ULONG); //if(!g_globalTime) //g_globalTime=*((__int64 *)(pInputBuffer+iStringLength) ); RtlCopyBytes((PVOID)&g_globalTime,(PVOID)(pInputBuffer+iStringLength),8 ); __int64 elapseTime=__rdtsc()-g_globalTime; if( (elapseTime<COMMUNICATE_TIME_LIMIT) && (elapseTime>=COMMUNICATE_TIME_DOWN) ) { KdPrint( ("entry elapse check! ") ); if (unPackLength>0) {KdPrint( ("entry length check! ") ); ClearHash(); for(int i = 0; i <= iStringLength - HASH_SIZE; i += HASH_SIZE) AddSecureHash(pInputBuffer + i); ntStatus = STATUS_SUCCESS; } } ExFreePoolWithTag(pUnPack,'knab'); // } break; case IOCTL_SET_UP_UNLOAD: KdPrint(("IOCTL_SET_UP_UNLOAD\n")); DeviceObject->DriverObject->DriverUnload = DriverUnload; ntStatus = STATUS_SUCCESS; break; } IRP->IoStatus.Status = 0; IRP->IoStatus.Information = tmpLen ; IoCompleteRequest(IRP, IO_NO_INCREMENT); KdPrint(("<==DriverDeviceControl\n")); return ntStatus; }