ðread);
if (CreateInfo)
{
DbgPrint("[lyshark.com] 线程TID: %1d | 所属进程名: %s | 进程PID: %1d \n", ThreadId, PsGetProcessImageFileName(eprocess), PsGetProcessId(eprocess));
/*
if (0 == _stricmp(PsGetProcessImageFileName(eprocess), "lyshark.exe"))
{
DbgPrint("线程TID: %1d | 所属进程名: %s | 进程PID: %1d \n", ThreadId, PsGetProcessImageFileName(eprocess), PsGetProcessId(eprocess));
// dt _kthread
// 寻找里面的 Win32StartAddress 并写入ret
pWin32Address = *(UCHAR**)((UCHAR*)ethread + 0x1c8);
if (MmIsAddressValid(pWin32Address))
{
*pWin32Address = 0xC3;
}
}
*/
}
else
{
DbgPrint("[LyShark] %s 线程已退出...", ThreadId);
}
if (eprocess)
ObDereferenceObject(eprocess);
if (ethread)
ObDereferenceObject(ethread);
}
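/*
 * Driver unload routine: removes the thread-creation callback that
 * DriverEntry registered with PsSetCreateThreadNotifyRoutine.
 *
 * driver: the driver object being unloaded (unused here).
 *
 * The original body stored the return value of
 * PsRemoveCreateThreadNotifyRoutine and never looked at it. At unload
 * time nothing can be done about a failure (for example when the
 * routine was never registered), but it should at least be visible in
 * the debugger output rather than silently dropped.
 */
VOID UnDriver(PDRIVER_OBJECT driver)
{
    NTSTATUS status;

    (void)driver;

    // Unregister the thread-creation (not process) callback.
    status = PsRemoveCreateThreadNotifyRoutine(MyCreateThreadNotify);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("[LyShark] PsRemoveCreateThreadNotifyRoutine failed: 0x%08lX\n",
                 (unsigned long)status);
    }
}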
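/*
 * Driver entry point.
 *
 * Driver:       the driver object supplied by the I/O manager.
 * RegistryPath: the driver's service key (unused here).
 *
 * Returns STATUS_SUCCESS once the thread-creation callback is registered,
 * otherwise the NTSTATUS reported by PsSetCreateThreadNotifyRoutine.
 *
 * Fix relative to the original: a failed callback registration used to be
 * logged and then ignored, and the function still returned STATUS_SUCCESS.
 * That left a loaded driver with no callback, and UnDriver would later try
 * to remove a routine that was never registered. Returning the error makes
 * the load fail instead.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    (void)RegistryPath;

    DbgPrint("hello lyshark.com \n");

    // BypassCheckSign is defined outside this excerpt. The author's note says it
    // bypasses the driver signature check (cf. LINKER_FLAGS=/INTEGRITYCHECK).
    // NOTE(review): confirm what it actually modifies; a properly signed driver
    // does not need this step, and tampering with load-time integrity state is
    // what loader-side protections are designed to catch.
    BypassCheckSign(Driver);

    // Register the thread-creation callback. The callback receives:
    //   1. the ProcessId owning the new thread
    //   2. the ThreadId of the new thread
    //   3. a create/exit flag (non-zero on creation, zero on exit)
    status = PsSetCreateThreadNotifyRoutine(MyCreateThreadNotify);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("创建线程回调错误");
        // Nothing was registered, so no unload routine is needed; fail the load.
        return status;
    }

    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}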
运行后则可监控到系统中所有线程的创建与退出,效果如下所示: