Process Monitor recorder


TahoeKid

Oct 24, 2008, 4:13:09 PM
I'm looking for a tool similar to procmon or whatsrunning that has a
'record' feature where I can track which processes start and stop
during a particular recording session. I'm looking for rogue child
processes being spawned that do 'damage' and quickly exit.

Pavel A.

Oct 25, 2008, 10:40:14 AM
"TahoeKid" <rfd...@hotmail.com> wrote in message
news:ad6fd60e-a814-4d7b...@f37g2000pri.googlegroups.com...

Below is a small quick driver that uses PsSetCreateProcessNotifyRoutine.
Display the debug prints with DebugView, windbg, etc.

Note: I haven't compiled this sample, please fix it as needed.
Of course, you need the current WDK and SOURCES file to build it.
Function PsGetProcessImageFileName() is undocumented and deprecated for
"serious" use, but again, may work for your goal.

Regards,
--PA


----------------- cut here ---------------------
#include <ntddk.h>

/* PsGetProcessImageFileName is exported by ntoskrnl but not declared in the
   WDK headers, so it must be declared here. */
NTKERNELAPI PCHAR PsGetProcessImageFileName(PEPROCESS Process);

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

/* Called by the kernel for every process creation (Create == TRUE) and
   process exit (Create == FALSE). */
VOID CreateProcCallback(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    NTSTATUS status;
    PCHAR procImageName = NULL;

    if ( Create )
    {
        PEPROCESS peProcess = NULL;
        status = PsLookupProcessByProcessId(ProcessId, &peProcess);
        if (!NT_SUCCESS(status)) {
            KdPrint(("Err PsLookupProcessByProcessId\n"));
            return;
        }

        procImageName = PsGetProcessImageFileName(peProcess); //*** DEPRECATED
        if (!procImageName) {
            KdPrint(("err PsGetProcessImageFileName!\n"));
            procImageName = "?";
        }

        /* The name buffer lives inside the EPROCESS, so print it before
           dropping the reference taken by PsLookupProcessByProcessId. */
        KdPrint(("START process name=[%s] pid=%u parent=%u\n", procImageName,
                 HandleToUlong(ProcessId), HandleToUlong(ParentId) ));

        ObDereferenceObject(peProcess);
    } else {
        KdPrint(("EXIT process pid=%u\n", HandleToUlong(ProcessId) ));
    }
}


NTSTATUS DriverEntry ( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);

    status = PsSetCreateProcessNotifyRoutine(CreateProcCallback, FALSE);
    if (!NT_SUCCESS(status)) return status;
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}


VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    /* Remove the callback before the driver image is unmapped. */
    PsSetCreateProcessNotifyRoutine(CreateProcCallback, TRUE);
}

----------------- cut here ---------------------
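An added example, not part of Pavel's post or the thread: a small user-mode C tool that pairs the START and EXIT lines the driver above prints, as saved by DebugView (the "<sequence>\t<elapsed seconds>\t<message>" log layout is an assumption), so that a child that starts and exits within a second is still listed together with its parent PID. The capture in main() is constructed sample data.

```c
#include <stdio.h>
#define MAX_PROCS 256
/* name is the EPROCESS image name (15 chars + NUL); stop < 0 while still alive */
typedef struct { unsigned pid, parent; char name[16]; double start, stop; } ProcRec;
static ProcRec g_procs[MAX_PROCS];
static int g_count;

/* Feed one captured line; returns 1 if it was a START or EXIT record. */
int record_line(const char *line) {
    double t; unsigned pid, parent; char name[16];
    if (sscanf(line, "%*u %lf START process name=[%15[^]]] pid=%u parent=%u",
               &t, name, &pid, &parent) == 4 && g_count < MAX_PROCS) {
        ProcRec *p = &g_procs[g_count++];
        p->pid = pid; p->parent = parent; p->start = t; p->stop = -1;
        snprintf(p->name, sizeof p->name, "%s", name);
        return 1;
    }
    if (sscanf(line, "%*u %lf EXIT process pid=%u", &t, &pid) == 2) {
        /* Newest live match first (PIDs are reused); no START means the process predates the capture: skip. */
        for (int i = g_count - 1; i >= 0; i--)
            if (g_procs[i].pid == pid && g_procs[i].stop < 0) { g_procs[i].stop = t; break; }
        return 1;
    }
    return 0;
}

/* Prints every process that lived at most max_secs; returns how many. */
int report_short_lived(double max_secs) {
    int n = 0;
    for (int i = 0; i < g_count; i++) {
        ProcRec *p = &g_procs[i];
        if (p->stop < 0 || p->stop - p->start > max_secs) continue;
        printf("%s pid=%u parent=%u lived %.2fs\n", p->name, p->pid, p->parent, p->stop - p->start);
        n++;
    }
    return n;
}

int main(void) {
    const char *sample[] = {   /* constructed capture; note PID 2100 is reused */
        "00000001\t0.00000000\tSTART process name=[explorer.exe] pid=1234 parent=800",
        "00000002\t5.10000000\tSTART process name=[cmd.exe] pid=2000 parent=1234",
        "00000003\t5.13000000\tSTART process name=[child.exe] pid=2100 parent=2000",
        "00000004\t5.20000000\tEXIT process pid=2100",
        "00000005\t5.25000000\tEXIT process pid=2000",
        "00000006\t9.00000000\tSTART process name=[notepad.exe] pid=2100 parent=1234",
    };
    for (int i = 0; i < (int)(sizeof sample / sizeof *sample); i++) record_line(sample[i]);
    return report_short_lived(1.0) == 2 ? 0 : 1;
}
```

With real data, replace the sample array by reading the saved DebugView log line by line into record_line and pick the threshold that matches how quickly the suspect children disappear.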

Volodymyr M. Shcherbyna

Oct 26, 2008, 4:34:26 PM
Hello there Pavel,

Strange, my latest WDK documentation has no info about
PsGetProcessImageFileName ... To OP: Another alternative solution is to set an
image load notify routine (using PsSetLoadImageNotifyRoutine) and log all
UNICODE_STRINGs which are passed into your callback.

--
Volodymyr, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)

"Pavel A." <pav...@12fastmail34.fm> wrote in message
news:%23QX9BWr...@TK2MSFTNGP04.phx.gbl...