DWORD CProcessModule::GetProcessID(char *exe_name)
{
WriteLog("GetProcessID...");
EnumProcess();
WriteLog("GetProcessID m_dwProcessCount=%d...", m_dwProcessCount);
for(int i =0; i<(int)m_dwProcessCount; i++)
{
int mod_count =EnumProcessModules(m_dwProcessIDs[i]);
char mod_base_name[100];
//WriteLog("process num=%s", i);
for(int j =0; j<mod_count; j++)
{
GetModuleBaseNameA(j, mod_base_name);
if(strcmpi(mod_base_name, exe_name) ==0)
{
WriteLog("found mod_base_name %s", mod_base_name);
EndEnumProcessModules();
return m_dwProcessIDs[i];
}
}
//WriteLog("\r\n");
}
EndEnumProcessModules();
return NULL;
}
BOOL CProcessManager::SendIoControlCode(ULONG_PTR ulControlCode)
{
if (ulControlCode==FORCE_ENUM_PROCESS)
{
EnumProcess();
if (m_Vector.empty())
{
return FALSE;
}
g_ProcessCount = m_Vector.size();
if(g_ProcessCount!=0)
{
for(int i=0;i<g_ProcessCount;i++)
{
m_ControlImageList.Remove(0);
}
}
for (vector <PROCESS_INFO>::iterator Iter = m_Vector.begin( );
Iter != m_Vector.end( );
Iter++ )
{
HICON hIcon = GetProcessIcon((*Iter).wzProcessFileName);
AddItemToControlList(*Iter,m_ControlImageList.Add(hIcon));
}
}
else if(ulControlCode==KILL_PROCESS)
{
KillProcess();
}
else if(ulControlCode==KILL_PROCESS_FORCED)
{
KillProcessByForce();
}
else if(ulControlCode==KILL_PROCESS_AND_DELETE_FILE)
{
KillProcessAndDeleteFile();
}
return TRUE;
}
//初始化进程list
void InitProcessListView(HWND hwndDlg)
{
LV_COLUMN lv;
HWND hListProcess;
//初始化
memset(&lv, 0, sizeof(LV_COLUMN));
//获取IDC_LIST_PROCESS 句柄
hListProcess = GetDlgItem(hwndDlg, IDC_LIST_PROCESS);
//设置整行选中
SendMessage(hListProcess, LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_FULLROWSELECT, LVS_EX_FULLROWSELECT);
//第一行
lv.mask = LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;
lv.pszText = TEXT("进程");
lv.cx = 172;
lv.iSubItem = 0;
SendMessage(hListProcess, LVM_INSERTCOLUMN, lv.iSubItem, (DWORD)&lv);
lv.mask = LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;
lv.pszText = TEXT("PID");
lv.cx = 80;
lv.iSubItem = 1;
//ListView_SetItem(hListProcess, &lv);
SendMessage(hListProcess, LVM_INSERTCOLUMN, lv.iSubItem, (DWORD)&lv);
lv.mask = LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;
lv.pszText = TEXT("镜像基址");
lv.cx = 80;
lv.iSubItem = 2;
SendMessage(hListProcess, LVM_INSERTCOLUMN, lv.iSubItem, (DWORD)&lv);
lv.mask = LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;
lv.pszText = TEXT("镜像大小");
lv.cx = 80;
lv.iSubItem = 3;
SendMessage(hListProcess, LVM_INSERTCOLUMN, lv.iSubItem, (DWORD)&lv);
EnumProcess(hListProcess);
}
NTSTATUS SSDTDeviceIoCtl( PDEVICE_OBJECT pDeviceObject, PIRP Irp )
{
// ULONG pbuf;
PLOG_BUF old;
NTSTATUS s;
PIO_STACK_LOCATION IrpStack;
PVOID InputBuffer;
PVOID OutputBuffer;
ULONG InputBufferLength;
ULONG OutputBufferLength;
ULONG IoControlCode;
s = Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation( Irp );
InputBuffer = IrpStack->Parameters.DeviceIoControl.Type3InputBuffer;
InputBufferLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
OutputBuffer = Irp->UserBuffer;
OutputBufferLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
///////////////////////////////////////////////
//这里处理分发例程
switch( IoControlCode )
{
case IOCTL_REG_PROTECTION://开启注册表保护
CmRegisterCallback(RegistryCallback,
NULL,
&Cookie
);
Prot=TRUE;
break;
case IOCTL_STOP_PROTECTION://停止注册表保护
CmUnRegisterCallback(Cookie);
Prot=FALSE;
break;
case IOCTL_SAVE_EVENT://把事件传到驱动
{
EVENT_INFORMATION EvntInfo;
__try
{
ProbeForRead( InputBuffer, sizeof(EvntInfo), sizeof( ULONG ) );
memcpy(&EvntInfo,InputBuffer,8);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
if (!NT_SUCCESS(ObReferenceObjectByHandle(EvntInfo.hKernelSetEvent,0,*ExEventObjectType,UserMode,&EventKernelSet,NULL)))
{
EventKernelSet=NULL;
}
if (!NT_SUCCESS(ObReferenceObjectByHandle(EvntInfo.hKernelWaitEvent,0,*ExEventObjectType,UserMode,&EventKernelWait,NULL)))
{
EventKernelWait=NULL;
}
DbgPrint("[Kernel_Driver] EventKernelSet = 0x%X, EventKernelWait=0x%X.\n",EventKernelSet,EventKernelWait);
s = STATUS_SUCCESS;
break;
}
case IOCTL_REGISTRY_INFO://获得注册表信息
{
DbgPrint("[Kernel_Driver] IOCTL_GET_CREATE_PROC_INFO.\n");
__try
{
REGISTRY_INFORMATION RegInfo={0};
memcpy(RegInfo.ProcessName,aProcessName,256);
memcpy(RegInfo.KeyPath,astr.Buffer,256);
DbgPrint("%s %s.\n",RegInfo.ProcessName,RegInfo.KeyPath);
ProbeForWrite( OutputBuffer, sizeof(RegInfo), sizeof( ULONG ) );
RtlCopyMemory(OutputBuffer,&RegInfo,sizeof(RegInfo)); // it's strange.
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
DbgPrint("[Kernel_Driver] IOCTL_GET_CREATE_PROC_INFO raised exception.\n");
;
}
break;
}
case IOCTL_ALLOW_MODIFY://允许修改
{
__try
{
ProbeForRead( InputBuffer, sizeof(CreateAllowed), sizeof( ULONG ) );
memcpy(&CreateAllowed,InputBuffer,sizeof(CreateAllowed));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
//*************************************************
case IOCTL_GETSSDT: //得到SSDT
__try
{
ProbeForWrite( OutputBuffer, sizeof( MYSSDT ), sizeof( ULONG ) );
RtlCopyMemory( OutputBuffer, KeServiceDescriptorTable, sizeof( MYSSDT ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
DbgPrint( "SSDT: GetSSDT Completeled!" );
break;
case IOCTL_KILL:
{
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
memcpy(&processID,InputBuffer,sizeof(processID));
s=PsLookupProcessByProcessId(processID,&eProcess);
if(NT_SUCCESS(s))
{
ObDereferenceObject(eProcess);
}
s=TerminateProcess(eProcess);
if(NT_SUCCESS(s))
{
DbgPrint("TerminateProcess Ok!\n");
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
// status = STATUS_SUCCESS;
break;
}
case IOCTL_ENUMTCP://枚举TCP连接
{
PVOID pOut=NULL;
ULONG OutLen=0;
if(OutputBufferLength<sizeof(CONNINFO102))
{
KdPrint(("输出缓冲区长度无效\n"));
s=STATUS_BUFFER_OVERFLOW;
break;
}
pOut=EnumPortInformation(&OutLen,TCPPORT);
if(!pOut)
{
KdPrint(("获取TCP端口信息失败!\n"));
s=STATUS_UNSUCCESSFUL;
break;
}
if(OutputBufferLength<OutLen)
{
KdPrint(("输出缓冲区太小,应为%ld\n",OutLen));
ExFreePool(pOut);
s=STATUS_BUFFER_OVERFLOW;
break;
}
RtlCopyMemory(OutputBuffer,pOut,OutLen);
ExFreePool(pOut);
Irp->IoStatus.Information = OutLen;
break;
}
case IOCTL_ENUMUDP://枚举UDP连接
{
PVOID pOut=NULL;
ULONG OutLen=0;
if(OutputBufferLength<sizeof(UDPCONNINFO))
{
KdPrint(("输出缓冲区长度无效\n"));
s=STATUS_BUFFER_OVERFLOW;
break;
}
pOut=EnumPortInformation(&OutLen,UDPPORT);
if(!pOut)
{
KdPrint(("获取UDP端口信息失败!\n"));
s=STATUS_UNSUCCESSFUL;
break;
}
if(OutputBufferLength<OutLen)
{
KdPrint(("输出缓冲区太小,应为%ld\n",OutLen));
ExFreePool(pOut);
s=STATUS_BUFFER_OVERFLOW;
break;
}
RtlCopyMemory(OutputBuffer,pOut,OutLen);
ExFreePool(pOut);
Irp->IoStatus.Information = OutLen;
break;
}
case IOCTL_QSIADDR:
EnumProcess();
__try {
ProbeForWrite( OutputBuffer,
OutputBufferLength,
sizeof( UCHAR ));
} __except( EXCEPTION_EXECUTE_HANDLER ) {
Irp->IoStatus.Information = STATUS_INVALID_PARAMETER;
return FALSE;
}
if(MAX_MESSAGE > OutputBufferLength)
{
return FALSE;
}
else
if(Log->Length != 0 || Log->Next != NULL)
{
//pReturnLog = Log;
MUTEX_P(LogMutex);
// NewLog();
old=OldestLog();
if(old!=Log)
{
MUTEX_V(LogMutex);
DbgPrint("Old log\n");
}
memcpy(OutputBuffer,old->Message,old->Length);
Irp->IoStatus.Information = old->Length;
if(old!=Log)
{
ExFreePool(old);
}
else
{
DbgPrint("Current log\n");
Log->Length=0;
MUTEX_V(LogMutex);
}
}
else
{
// MUTEX_V(LogMutex);
Irp->IoStatus.Information = 0;
}
DbgPrint("SSDT: Set QuerySystemInformation Address Completed!");
break;
case IOCTL_SETSSDT: //设置 SSDT
__try
{
ProbeForRead( InputBuffer, sizeof( MYSSDT ), sizeof( ULONG ) );
//去掉内存保护
__asm
{
cli ;//关中断
mov eax, cr0
and eax, ~0x10000
mov cr0, eax
}
RtlCopyMemory( KeServiceDescriptorTable, InputBuffer, sizeof( MYSSDT ) );
//开中断,把内存保护加上
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti ;//开中断
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
DbgPrint( "SSDT: SetSSDT Completeled!" );
break;
//*************************************************
case IOCTL_GETHOOK: //查询SSDT指定地址
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
ProbeForWrite( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
//测试传入的参数是否正确
if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer )
{
s = STATUS_INVALID_PARAMETER;
break;
}
//将结果传到用户输出位置
*((PULONG)OutputBuffer) = *( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer );
DbgPrint( "SSDT: GetHookedAddress Completeled!" );
break;
//*************************************************
case IOCTL_SETHOOK: //设置SSDT指定地址
__try
{
ProbeForRead( InputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
ProbeForRead( OutputBuffer, sizeof( ULONG ), sizeof( ULONG ) );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
s = GetExceptionCode();
break;
}
//测试传入的参数是否正确
if( KeServiceDescriptorTable->ulNumberOfServices <= *(PULONG)InputBuffer )
{
s = STATUS_INVALID_PARAMETER;
break;
}
//在此将输出缓冲区当作输入缓冲区来用,输入指定SSDT HOOK的地址值
//去掉内存保护
__asm
{
cli ;//关中断
mov eax, cr0
and eax, ~0x10000
mov cr0, eax
}
*( (PULONG)(KeServiceDescriptorTable->pvSSDTBase) + *(PULONG)InputBuffer ) = *((PULONG)OutputBuffer);
//开中断,把内存保护加上
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti ;//开中断
}
DbgPrint( "SSDT: SetHookedAddress Completeled!" );
break;
//*************************************************
default:
s = STATUS_INVALID_DEVICE_REQUEST;
DbgPrint( "SSDT: Invalid Parameter Completeled!" );
break;
}
///////////////////////////////////////////////
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return s;
}
