How to find out which process sent the request?

I am writing a process access filter using ObRegisterCallbacks.

OB_PREOP_CALLBACK_STATUS PreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    // Object is the EPROCESS whose handle is being created; the current process is the one asking for it
    PEPROCESS OpenedProcess = (PEPROCESS)pOperationInformation->Object,
        CurrentProcess = PsGetCurrentProcess();

    // iOffset holds the EPROCESS field offsets, resolved elsewhere in the driver (not shown here)
    char szProcName[16] = { 0, };
    strcpy_s(szProcName, 16, (const char*)((DWORD64)pOperationInformation->Object + iOffset.ImageFileName_off));

    UINT64* id = (UINT64*)((DWORD64)pOperationInformation->Object + iOffset.UniqueProcessid_off);
    //PEPROCESS ProtectedProcess;
    //PsLookupProcessByProcessId(*id, &ProtectedProcess); // Getting the PEPROCESS using the PID

    // not used yet; keeps /W4 /WX builds quiet
    UNREFERENCED_PARAMETER(OpenedProcess);
    UNREFERENCED_PARAMETER(CurrentProcess);
    UNREFERENCED_PARAMETER(id);


    if (!_strnicmp(szProcName, "notepad.exe", 16))
    {
        if ((pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE))
        {
            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
            }

            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
            }

            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
            }

            if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
            {
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
            } 
        }
    }

    return OB_PREOP_SUCCESS;
}

If the driver is started after the program is launched, everything works. If the program is launched after the driver has started, the program hangs. I assume the program cannot obtain a handle to itself.

How do I find out who sent the request? How do I find out the PID of the process that sent the request?

In this callback, the current context is the requester of the operation.

Just call PsGetCurrentProcess / PsGetCurrentProcessId to get the PEPROCESS and PID of the current context.
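Putting the answer into practice, as an added example that is neither the asker's driver nor the answerer's code: the decision part of the notepad.exe filter is pulled into a kernel-free function so it can be tested on any machine, and a wrapper for the ObRegisterCallbacks pre-operation callback feeds it with PsGetCurrentProcessId() (the requester, per the answer) and PsGetProcessId() of the opened object. Names such as `open_request`, `filter_open_access`, `decide`, `STRIPPED_RIGHTS` and `PROTECTED_IMAGE` are ours; the skip for kernel handles is an extra check not mentioned on the page, and `PsGetProcessImageFileName` is an exported but undocumented ntoskrnl routine used in place of the hard-coded EPROCESS offset.

```c
/* Added example, not code from the question or the answer above.
 * Policy is kernel-free and unit-testable; the kernel wrapper at the bottom
 * only builds under the WDK (/kernel defines _KERNEL_MODE). */
#include <string.h>

#if defined(_MSC_VER)
#define IMAGE_EQ(a, b, n) (_strnicmp((a), (b), (n)) == 0)
#else
#include <strings.h>
#define IMAGE_EQ(a, b, n) (strncasecmp((a), (b), (n)) == 0)
#endif

/* Process access rights; the documented values from <winnt.h>. */
#define PROCESS_TERMINATE    0x0001UL
#define PROCESS_VM_OPERATION 0x0008UL
#define PROCESS_VM_READ      0x0010UL
#define PROCESS_VM_WRITE     0x0020UL
#define STRIPPED_RIGHTS (PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE)

#define PROTECTED_IMAGE "notepad.exe"   /* the image protected in the question */

/* Everything the decision depends on, gathered by the callback (our own struct). */
struct open_request {
    unsigned long long requester_pid;  /* PsGetCurrentProcessId() inside the callback */
    unsigned long long holder_pid;     /* process that will own the new handle */
    unsigned long long target_pid;     /* process the handle refers to */
    const char        *target_image;   /* EPROCESS.ImageFileName of the target, at most 15 chars */
    int                kernel_handle;  /* OB_PRE_OPERATION_INFORMATION.KernelHandle */
    unsigned long      desired_access; /* the mask the caller asked for */
};

/* Returns the access mask the handle should actually receive. */
unsigned long filter_open_access(const struct open_request *r)
{
    if (r->target_image == NULL || !IMAGE_EQ(r->target_image, PROTECTED_IMAGE, 15))
        return r->desired_access;                 /* not a protected process */
    if (r->kernel_handle)
        return r->desired_access;                 /* kernel-mode caller: leave it alone */
    if (r->requester_pid == r->target_pid || r->holder_pid == r->target_pid)
        return r->desired_access;                 /* the protected process opening itself */
    return r->desired_access & ~STRIPPED_RIGHTS;  /* anyone else: drop the dangerous rights */
}

/* Single-call form of the policy, convenient for tests and for logging decisions. */
unsigned long decide(unsigned long long requester_pid, unsigned long long holder_pid,
                     unsigned long long target_pid, const char *target_image,
                     int kernel_handle, unsigned long desired_access)
{
    struct open_request r = { requester_pid, holder_pid, target_pid,
                              target_image, kernel_handle, desired_access };
    return filter_open_access(&r);
}

#ifdef _KERNEL_MODE
#include <ntddk.h>

/* Exported by ntoskrnl but not declared in the public headers (assumption: declared by hand). */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

OB_PREOP_CALLBACK_STATUS PreCallback(PVOID RegistrationContext,
                                     POB_PRE_OPERATION_INFORMATION Info)
{
    struct open_request r;
    PEPROCESS target = (PEPROCESS)Info->Object;
    PACCESS_MASK access;
    UNREFERENCED_PARAMETER(RegistrationContext);

    if (Info->ObjectType != *PsProcessType)
        return OB_PREOP_SUCCESS;                   /* thread handles are not filtered here */

    if (Info->Operation == OB_OPERATION_HANDLE_CREATE) {
        access       = &Info->Parameters->CreateHandleInformation.DesiredAccess;
        r.holder_pid = (unsigned long long)(ULONG_PTR)PsGetCurrentProcessId();
    } else {                                       /* OB_OPERATION_HANDLE_DUPLICATE */
        access       = &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
        r.holder_pid = (unsigned long long)(ULONG_PTR)PsGetProcessId(
                           (PEPROCESS)Info->Parameters->DuplicateHandleInformation.TargetProcess);
    }
    /* The answer's point: the callback runs in the requester's context. */
    r.requester_pid  = (unsigned long long)(ULONG_PTR)PsGetCurrentProcessId();
    r.target_pid     = (unsigned long long)(ULONG_PTR)PsGetProcessId(target);
    r.target_image   = PsGetProcessImageFileName(target);
    r.kernel_handle  = Info->KernelHandle;
    r.desired_access = *access;
    *access = filter_open_access(&r);             /* a pre-op callback may only clear bits */
    return OB_PREOP_SUCCESS;
}
#endif
```

For OB_OPERATION_HANDLE_CREATE the requester and the future handle owner are the same process, so the self-open case collapses to comparing PsGetCurrentProcessId() with PsGetProcessId(Object). For OB_OPERATION_HANDLE_DUPLICATE the new handle lands in `DuplicateHandleInformation.TargetProcess`, which is why the policy also compares the holder with the target. Matching on EPROCESS.ImageFileName is what the question does; bear in mind that any process can be named notepad.exe, so a production filter would identify the protected process by something stronger than its image name.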