|
阅读:1289回复:3
监控远程线程代码
原理参考http://zhidao.baidu.com/question/35829777.html
NTSTATUS HookNtCreateThread( IN PNtCreateThread OrgFunction, OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ProcessHandle, //目标进程 OUT PCLIENT_ID ClientId, IN PCONTEXT ThreadContext, IN PINITIAL_TEB InitialTeb, IN BOOLEAN CreateSuspended ) { NTSTATUS status; PEPROCESS Process; UNICODE_STRING DosPath; if ((NT_SUCCESS(ObReferenceObjectByHandle(ProcessHandle, 0, NULL, KernelMode, &Process, NULL)))) { if (GetProcessDosPath(Process, &DosPath)) { if (!IsListEmpty((PLIST_ENTRY)((PBYTE)Process + KPROCESS_THREAD_LIST_OFFSET)) && Process != IoGetCurrentProcess()) { UNICODE_STRING TargetPath; if (GetProcessDosPath(IoGetCurrentProcess(), &TargetPath)) { KdPrint(("Target:%wZ\n", &TargetPath)); RtlFreeUnicodeString(&TargetPath); } KdPrint(("CreateRemoteThread->%wZ\n", &DosPath)); } RtlFreeUnicodeString(&DosPath); } } status = OrgFunction(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, ClientId, ThreadContext, InitialTeb, CreateSuspended); return status; } 2ksp4+vm6通过 |
|
|
沙发#
发布于:2008-07-30 15:48
vista还没有怎么用过,不知还能hook不?没有vista的ddk
|
|