首页 - 互联网

4.3 Windows驱动开发：监控进程与线程对象操作

作者: 五速梦信息网
时间: 2026年04月04日 13:53

ObRegisterCallbacksOB_CALLBACK_REGISTRATIONAltitude

当有进程或线程对象创建、删除、复制或重命名时，内核会调用注册的回调函数。回调函数可以访问被监控对象的信息，如句柄、进程ID等，并可以采取相应的操作，如打印日志、记录信息等。

OB_CALLBACK_REGISTRATIONOB_CALLBACK_REGISTRATION

OB_CALLBACK_REGISTRATION结构体的定义：

typedef struct _OB_CALLBACK_REGISTRATION {

    PVOID RegistrationContext;

    POB_OPERATION_REGISTRATION OperationRegistration;

} OB_CALLBACK_REGISTRATION, *POB_CALLBACK_REGISTRATION;

RegistrationContextOperationRegistrationOB_OPERATION_REGISTRATION

OB_OPERATION_REGISTRATION结构体的定义如下：

typedef struct _OB_OPERATION_REGISTRATION {

    POBJECT_TYPE ObjectType;

    OB_OPERATION Operations;

    POB_PRE_OPERATION_CALLBACK PreOperation;

    POB_POST_OPERATION_CALLBACK PostOperation;

} OB_OPERATION_REGISTRATION, *POB_OPERATION_REGISTRATION;

ObjectTypeOBJECT_TYPE

Operations是一个枚举类型，表示要监控的操作类型，可以是如下之一：

OB_OPERATION_HANDLE_CREATE：创建对象句柄
OB_OPERATION_HANDLE_DUPLICATE：复制对象句柄
OB_OPERATION_HANDLE_CLOSE：关闭对象句柄
OB_OPERATION_HANDLE_WAIT：等待对象句柄
OB_OPERATION_HANDLE_SET_INFORMATION：设置对象句柄信息
OB_OPERATION_HANDLE_QUERY_INFORMATION：查询对象句柄信息
OB_OPERATION_HANDLE_OPERATION：其他操作

PreOperation和PostOperation分别是指向回调函数的指针，用于指定在进行指定操作之前和之后要执行的回调函数。这两个回调函数的参数和返回值等信息可以参考Microsoft官方文档。

MyObjectCallBack()

BaseBase.ObjectTypePsProcessTypeBase.OperationsOB_OPERATION_HANDLE_CREATEBase.PreOperationMyObjectCallBackObRegisterCallbacks()

#include <ntddk.h>

#include <ntstrsafe.h>
PVOID Globle_Object_Handle;
OB_PREOP_CALLBACK_STATUS MyObjectCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)

{

    DbgPrint("执行了我们的回调函数...");

    return STATUS_SUCCESS;

}
VOID UnDriver(PDRIVER_OBJECT driver)

{

    ObUnRegisterCallbacks(Globle_Object_Handle);

    DbgPrint("回调卸载完成...");

}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)

{

    OB_OPERATION_REGISTRATION Base;                          // 回调函数结构体(你所填的结构都在这里)

    OB_CALLBACK_REGISTRATION CallbackReg;
CallbackReg.RegistrationContext = NULL;                  // 注册上下文(你回调函数返回参数)

    CallbackReg.Version = OB_FLT_REGISTRATION_VERSION;       // 注册回调版本

    CallbackReg.OperationRegistration = &Base;

    CallbackReg.OperationRegistrationCount = 1;               // 操作计数(下钩数量)

    RtlUnicodeStringInit(&CallbackReg.Altitude, L"600000");   // 长度
Base.ObjectType = PsProcessType;                          // 进程操作类型.此处为进程操作

    Base.Operations = OB_OPERATION_HANDLE_CREATE;             // 操作句柄创建

    Base.PreOperation = MyObjectCallBack;                     // 你自己的回调函数

    Base.PostOperation = NULL;
// 注册回调

    if (ObRegisterCallbacks(&CallbackReg, &Globle_Object_Handle))

  {

        DbgPrint("回调注册成功...");

  }
Driver->DriverUnload = UnDriver;

    return STATUS_SUCCESS;

}

XuetrObject

4.3.1 实现监控进程打开与关闭

MyObjectCallBackwin32calc.exeGetProcessImageNameByProcessIDPsGetProcessImageFileName

strstr(ProcName, "win32calc.exe")Operation->Parameters->CreateHandleInformation.DesiredAccess = ~THREAD_TERMINATETERMINATE_PROCESSTERMINATE_THREAD

#include <ntddk.h>

#include <wdm.h>

#include <ntstrsafe.h>

#define PROCESS_TERMINATE 1
PVOID Globle_Object_Handle;

NTKERNELAPI UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);
char* GetProcessImageNameByProcessID(ULONG ulProcessID)

{

    NTSTATUS  Status;

    PEPROCESS  EProcess = NULL;

    Status = PsLookupProcessByProcessId((HANDLE)ulProcessID, &EProcess);

    if (!NT_SUCCESS(Status))

        return FALSE;

    ObDereferenceObject(EProcess);

    return (char*)PsGetProcessImageFileName(EProcess);

}
OB_PREOP_CALLBACK_STATUS MyObjectCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION Operation)

{

    char ProcName[256] = { 0 };

    HANDLE pid = PsGetProcessId((PEPROCESS)Operation->Object);           // 取出当前调用函数的PID

    strcpy(ProcName, GetProcessImageNameByProcessID((ULONG)pid));        // 通过PID取出进程名,然后直接拷贝内存

    //DbgPrint("当前进程的名字是：%s", ProcName);
if (strstr(ProcName, "win32calc.exe"))

    {

        if (Operation->Operation == OB_OPERATION_HANDLE_CREATE)

        {

            if ((Operation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)

            {

                DbgPrint("你想结束进程?");
// 如果是计算器，则去掉它的结束权限，在Win10上无效

                Operation->Parameters->CreateHandleInformation.DesiredAccess = ~THREAD_TERMINATE;

                return STATUS_UNSUCCESSFUL;

            }

        }

    }

    return STATUS_SUCCESS;

}

VOID UnDriver(PDRIVER_OBJECT driver)

{

    ObUnRegisterCallbacks(Globle_Object_Handle);

    DbgPrint("回调卸载完成...");

}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)

{

    NTSTATUS obst = 0;

    OB_CALLBACK_REGISTRATION obReg;

    OB_OPERATION_REGISTRATION opReg;
memset(&obReg, 0, sizeof(obReg));

    obReg.Version = ObGetFilterVersion();

    obReg.OperationRegistrationCount = 1;

    obReg.RegistrationContext = NULL;

    RtlInitUnicodeString(&obReg.Altitude, L"321125");

    obReg.OperationRegistration = &opReg;
memset(&opReg, 0, sizeof(opReg));

    opReg.ObjectType = PsProcessType;

    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;

    opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&MyObjectCallBack;

    obst = ObRegisterCallbacks(&obReg, &Globle_Object_Handle);
Driver->DriverUnload = UnDriver;

    return STATUS_SUCCESS;

}

首先运行计算器，然后启动驱动保护，此时我们在任务管理器中就无法结束计算器进程了。

4.3.2 实现监控进程中的模块加载

PsSetLoadImageNotifyRoutine

PsSetLoadImageNotifyRoutine 函数用来设置一个映像加载通告例程。该函数需要传入一个回调函数的指针，该回调函数会在系统中有驱动程序或 DLL 被加载时被调用。

该函数函数的原型为：

NTKERNELAPI

NTSTATUS

PsSetLoadImageNotifyRoutine(

  PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine

);

其中，NotifyRoutine 参数是一个指向映像加载通告例程的函数指针。该函数将在系统中有驱动程序或 DLL 被加载时被调用。

当一个映像被加载时，Windows 内核会检查是否已注册了映像加载通告例程。如果已注册，则内核会调用该例程，将被加载的模块的信息作为参数传递给该例程。通常，该例程会记录或处理这些信息。

需要注意的是，映像加载通告例程应该尽可能地简短，不要执行复杂的操作，以避免影响系统性能。同时，该例程应该是线程安全的，以免发生竞态条件或死锁。

PLOAD_IMAGE_NOTIFY_ROUTINE

VOID MyLoadImageNotifyRoutine(

  PUNICODE_STRING FullImageName,

  HANDLE ProcessId,

  PIMAGE_INFO ImageInfo

);

FullImageNameProcessIdImageInfo

MyLoadImageNotifyRoutineDbgView

#include <ntddk.h>

#include <ntimage.h>
// 用与获取特定基地址的模块入口

PVOID GetDriverEntryByImageBase(PVOID ImageBase)

{

    PIMAGE_DOS_HEADER pDOSHeader;

    PIMAGE_NT_HEADERS64 pNTHeader;

    PVOID pEntryPoint;

    pDOSHeader = (PIMAGE_DOS_HEADER)ImageBase;

    pNTHeader = (PIMAGE_NT_HEADERS64)((ULONG64)ImageBase + pDOSHeader->e_lfanew);

    pEntryPoint = (PVOID)((ULONG64)ImageBase + pNTHeader->OptionalHeader.AddressOfEntryPoint);

    return pEntryPoint;

}
VOID MyLoadImageNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE ProcessId,PIMAGE_INFO ImageInfo)

{

    PVOID pDrvEntry;
// MmIsAddress 验证地址可用性

    if (FullImageName != NULL && MmIsAddressValid(FullImageName))

    {

        if (ProcessId == 0)

        {

            pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);

            DbgPrint("模块名称:%wZ --> 装载基址:%p --> 镜像长度: %d", FullImageName, pDrvEntry,ImageInfo->ImageSize);

        }

    }

}
VOID UnDriver(PDRIVER_OBJECT driver)

{

    PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)MyLoadImageNotifyRoutine);

    DbgPrint("驱动卸载完成...");

}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)

{

    PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)MyLoadImageNotifyRoutine);

    DbgPrint("驱动加载完成...");

    Driver->DriverUnload = UnDriver;

    return STATUS_SUCCESS;

}

输出效果图如下所示：

MyLoadImageNotifyRoutineModuleStyle

VOID UnicodeToChar(PUNICODE_STRING dst, char *src)

{

    ANSI_STRING string;

    RtlUnicodeStringToAnsiString(&string, dst, TRUE);

    strcpy(src, string.Buffer);

    RtlFreeAnsiString(&string);

}
VOID MyLoadImageNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE ModuleStyle,PIMAGE_INFO ImageInfo)

{

    PVOID pDrvEntry;

    char szFullImageName[256] = { 0 };
// MmIsAddress 验证地址可用性

    if (FullImageName != NULL && MmIsAddressValid(FullImageName))

    {

    // ModuleStyle为零表示加载sys非零表示加载DLL

        if (ModuleStyle == 0)

        {

            pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);

            UnicodeToChar(FullImageName, szFullImageName);

            if (strstr(_strlwr(szFullImageName), "hook.sys"))

            {

                DbgPrint("准备拦截SYS内核模块：%s", _strlwr(szFullImageName));

            }

        }

    }

}

输出效果图如下所示：

MyLoadImageNotifyRoutinehook.sys

Mov eax,c0000022h;ret

ImageInfo->ImageBasehook.sysOptionalHeaderret

#include <ntddk.h>

#include <intrin.h>

#include <ntimage.h>
PVOID GetDriverEntryByImageBase(PVOID ImageBase)

{

    PIMAGE_DOS_HEADER pDOSHeader;

    PIMAGE_NT_HEADERS64 pNTHeader;

    PVOID pEntryPoint;

    pDOSHeader = (PIMAGE_DOS_HEADER)ImageBase;

    pNTHeader = (PIMAGE_NT_HEADERS64)((ULONG64)ImageBase + pDOSHeader->e_lfanew);

    pEntryPoint = (PVOID)((ULONG64)ImageBase + pNTHeader->OptionalHeader.AddressOfEntryPoint);

    return pEntryPoint;

}
VOID UnicodeToChar(PUNICODE_STRING dst, char *src)

{

    ANSI_STRING string;

    RtlUnicodeStringToAnsiString(&string, dst, TRUE);

    strcpy(src, string.Buffer);

    RtlFreeAnsiString(&string);

}
// 使用开关写保护需要在C/C++优化中启用内部函数
// 关闭写保护

KIRQL WPOFFx64()

{

    KIRQL irql = KeRaiseIrqlToDpcLevel();

    UINT64 cr0 = __readcr0();

    cr0 &= 0xfffffffffffeffff;

    _disable();

    __writecr0(cr0);

    return irql;

}
// 开启写保护

void WPONx64(KIRQL irql)

{

    UINT64 cr0 = __readcr0();

    cr0 |= 0x10000;

    _enable();

    __writecr0(cr0);

    KeLowerIrql(irql);

}
BOOLEAN DenyLoadDriver(PVOID DriverEntry)

{

    UCHAR fuck[] = "\xB8\x22\x00\x00\xC0\xC3";

    KIRQL kirql;

    /* 在模块开头写入以下汇编指令

    Mov eax,c0000022h

    ret

    */
if (DriverEntry == NULL)

  {

    return FALSE;

  }
kirql = WPOFFx64();

    memcpy(DriverEntry, fuck,sizeof(fuck) / sizeof(fuck[0]));

    WPONx64(kirql);

    return TRUE;

}
VOID MyLoadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ModuleStyle, PIMAGE_INFO ImageInfo)

{

    PVOID pDrvEntry;

    char szFullImageName[256] = { 0 };
// MmIsAddress 验证地址可用性

    if (FullImageName != NULL && MmIsAddressValid(FullImageName))

    {

    // ModuleStyle为零表示加载sys非零表示加载DLL

        if (ModuleStyle == 0)

        {

            pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);

            UnicodeToChar(FullImageName, szFullImageName);

            if (strstr(_strlwr(szFullImageName), "hook.sys"))

            {

                DbgPrint("拦截SYS内核模块：%s", szFullImageName);

                DenyLoadDriver(pDrvEntry);

            }

        }

    }

}
VOID UnDriver(PDRIVER_OBJECT driver)

{

    PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)MyLoadImageNotifyRoutine);

    DbgPrint("驱动卸载完成...");

}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)

{

    PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)MyLoadImageNotifyRoutine);

    DbgPrint("驱动加载完成...");

    Driver->DriverUnload = UnDriver;

    return STATUS_SUCCESS;

}

ModuleStyle

char *UnicodeToLongString(PUNICODE_STRING uString)

{

    ANSI_STRING asStr;

    char *Buffer = NULL;;

    RtlUnicodeStringToAnsiString(&asStr, uString, TRUE);

    Buffer = ExAllocatePoolWithTag(NonPagedPool, uString->MaximumLength * sizeof(wchar_t), 0);

    if (Buffer == NULL)

  {

        return NULL;

  }
RtlCopyMemory(Buffer, asStr.Buffer, asStr.Length);

    return Buffer;

}
VOID MyLoadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ModuleStyle, PIMAGE_INFO ImageInfo)

{

    PVOID pDrvEntry;

    char *PareString = NULL;
if (MmIsAddressValid(FullImageName))

    {

    // 非零则监控DLL加载

        if (ModuleStyle != 0)

        {

            PareString = UnicodeToLongString(FullImageName);

            if (PareString != NULL)

            {

                if (strstr(PareString, "hook.dll"))

                {

                    pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);

                    if (pDrvEntry != NULL)

                        DenyLoadDriver(pDrvEntry);

                }

            }

        }

    }

}