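一个小型的用于监视进程产生和撤销驱动逆向分析前两天,闪电狼兄给了一个Themida_1.0.0.5加壳的新版绝影凯旋vip1.65,狼把它目录中一个驱动NTProcDrv.sys让偶分析分析,注意这不是Themida_1.0.0.5驱动,不过它也保护这Themida加壳的主程序.早前错认了!由于偶是菜鸟加壳盲.只好"雾"里看花去捏裸笨的NTProcDrv.sys.作者声明: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!由于我误解了狼兄错认它是Themida的驱动.错误改过来了!西裤兄,不过代码全部是自己逆地.原来有开源的.逆向一下:1:设备对象自定义扩展结构体如下:typedef struct _DeviceExtension { ULONG size; //0x0 PHANDLE EventHandle; //0x04 PRKEVENT KernelEvent; //+0x08 HANDLE ParentId; //+0x0C HANDLE ProcessId; //+0x010 ULONG IsCreate; //+0x014 } NTProcDrvDeviceExtension; 2:IRP_MJ_DEVICE_CONTROL中是点关键东东.3:IoCreateNotificationEvent 建立事件通知与下面的回调和exe交互4:PsSetCreateProcessNotifyRoutine 进程事件回调由于偶是菜鸟加壳盲,不敢碰Themida_1.0.0.5加壳的EXE.只好找软肋逆.代码如下:

/*
 * NTProcDrv.sys
 * be reversed by qiweixue[BCG]
 * CopyRight: http://www.pediy.com
 *
 * Small process-creation monitor: registers a PsSetCreateProcessNotifyRoutine
 * callback, stores the last (ParentId, ProcessId, IsCreate) triple in the
 * device extension and pulses a named notification event so a user-mode
 * client can fetch that triple through a single METHOD_BUFFERED IOCTL.
 *
 * Fixes relative to the reversed listing: DevExt was dereferenced while still
 * NULL in DriverEntry; the unload routine never removed the process callback
 * nor closed the event handle; IoStatus.Status was only set on the default
 * branch of the IOCTL switch; device/event names used '/' (forum-mangled '\').
 */
#include <ntddk.h>

/*
 * 0x22E000 decodes as CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED,
 * FILE_READ_ACCESS | FILE_WRITE_ACCESS): the caller's device handle must have
 * been opened for read and write, and the I/O manager supplies SystemBuffer.
 */
#define NTProcDrv_IOCTL_METHOD_BUFFERED 0x22E000

/* Bytes written back by the IOCTL: ParentId, ProcessId, IsCreate as ULONGs. */
#define NTProcDrv_OUTPUT_SIZE (3 * sizeof(ULONG))

/*
 * Device extension. Offsets are those of the 32-bit binary. IoCreateDevice
 * zero-initialises the extension, so every field starts as 0 / NULL.
 * EventHandle is a HANDLE slot whose address is passed to
 * IoCreateNotificationEvent (layout-compatible with the PHANDLE the listing
 * shows; the listing passed the uninitialised value instead of the address).
 */
typedef struct _DeviceExtension {
    ULONG    size;          /* +0x00: never written by this driver */
    HANDLE   EventHandle;   /* +0x04: handle from IoCreateNotificationEvent, closed at unload */
    PRKEVENT KernelEvent;   /* +0x08: the notification event object */
    HANDLE   ParentId;      /* +0x0C: parent PID of the last process event */
    HANDLE   ProcessId;     /* +0x10: PID of the last process event */
    ULONG    IsCreate;      /* +0x14: 1 = process created, 0 = process exited */
} NTProcDrvDeviceExtension;

VOID     NTProcDrvUnloadDriver(IN PDRIVER_OBJECT DriverObject);
NTSTATUS NTProcDrvCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS NTProcDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID     NTProcDrvNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create);

UNICODE_STRING DeviceNameString;
UNICODE_STRING LinkDeviceNameString;
UNICODE_STRING EventDeviceNameString;
PDEVICE_OBJECT GloalDeviceObject;   /* the single device object; read by the process callback */

/*
 * DriverEntry - create the device, its DOS symbolic link and the named
 * notification event, then register the process-creation callback.
 *
 * Returns STATUS_SUCCESS, or the failing routine's status after undoing
 * everything created so far (no partially initialised driver is left behind).
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    PDEVICE_OBJECT deviceObject = NULL;
    NTProcDrvDeviceExtension *DevExt = NULL;
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&DeviceNameString, L"\\Device\\NTProcDrv");
    RtlInitUnicodeString(&LinkDeviceNameString, L"\\DosDevices\\NTProcDrv");
    RtlInitUnicodeString(&EventDeviceNameString, L"\\BaseNamedObjects\\NTProcDrvProcessEvent");

    /* No security descriptor is supplied: any caller that can open the device name can issue the IOCTL. */
    ntStatus = IoCreateDevice(DriverObject, sizeof(NTProcDrvDeviceExtension), &DeviceNameString,
                              FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&LinkDeviceNameString, &DeviceNameString);
    if (!NT_SUCCESS(ntStatus)) {
        IoDeleteDevice(deviceObject);
        return ntStatus;
    }

    GloalDeviceObject = deviceObject;
    DriverObject->DriverUnload = NTProcDrvUnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = NTProcDrvCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = NTProcDrvCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = NTProcDeviceControl;

    /* Fetch the extension BEFORE using it; the listing dereferenced DevExt while it was still NULL. */
    DevExt = (NTProcDrvDeviceExtension *)deviceObject->DeviceExtension;
    DevExt->KernelEvent = IoCreateNotificationEvent(&EventDeviceNameString, &DevExt->EventHandle);
    if (DevExt->KernelEvent == NULL) {
        ntStatus = STATUS_UNSUCCESSFUL;
        goto fail;
    }
    /* IoCreateNotificationEvent hands the event back Signaled; clear it so clients wait for a real pulse. */
    KeClearEvent(DevExt->KernelEvent);

    ntStatus = PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)NTProcDrvNotifyRoutine, FALSE);
    if (!NT_SUCCESS(ntStatus)) {
        ZwClose(DevExt->EventHandle);
        goto fail;
    }
    return STATUS_SUCCESS;

fail:
    GloalDeviceObject = NULL;
    IoDeleteSymbolicLink(&LinkDeviceNameString);
    IoDeleteDevice(deviceObject);
    return ntStatus;
}

/*
 * NTProcDrvUnloadDriver - tear down in reverse order of DriverEntry.
 *
 * The process callback is removed first: a callback left registered would be
 * invoked in unmapped driver code on the next process create/exit.
 */
VOID
NTProcDrvUnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;

    PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)NTProcDrvNotifyRoutine, TRUE);
    GloalDeviceObject = NULL;

    IoDeleteSymbolicLink(&LinkDeviceNameString);
    if (deviceObject != NULL) {
        NTProcDrvDeviceExtension *DevExt = (NTProcDrvDeviceExtension *)deviceObject->DeviceExtension;
        if (DevExt->EventHandle != NULL) {
            ZwClose(DevExt->EventHandle);
        }
        IoDeleteDevice(deviceObject);
    }
}

/*
 * NTProcDrvCreateClose - IRP_MJ_CREATE / IRP_MJ_CLOSE: accept unconditionally.
 */
NTSTATUS
NTProcDrvCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * NTProcDeviceControl - IRP_MJ_DEVICE_CONTROL dispatch.
 *
 * NTProcDrv_IOCTL_METHOD_BUFFERED copies the last recorded process event into
 * the caller's buffer as three ULONGs {ParentId, ProcessId, IsCreate}.
 * The write is bounded: it only happens once the output buffer is known to
 * hold NTProcDrv_OUTPUT_SIZE bytes, and exactly that many bytes are reported.
 *
 * Returns STATUS_SUCCESS, STATUS_BUFFER_TOO_SMALL for a short output buffer,
 * STATUS_UNSUCCESSFUL for any other control code (as the binary does).
 */
NTSTATUS
NTProcDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION IrpStack = IoGetCurrentIrpStackLocation(Irp);                /* +0x60 */
    ULONG outBufLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;   /* +0x04 */
    ULONG IoCtlCode    = IrpStack->Parameters.DeviceIoControl.IoControlCode;        /* +0x0C */
    PULONG OutBuf      = (PULONG)Irp->AssociatedIrp.SystemBuffer;   /* METHOD_BUFFERED: shared in/out buffer */
    NTProcDrvDeviceExtension *DevExt = NULL;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    ULONG_PTR information = 0;

    switch (IoCtlCode) {
    case NTProcDrv_IOCTL_METHOD_BUFFERED:
        if (outBufLength < NTProcDrv_OUTPUT_SIZE || OutBuf == NULL) {
            ntStatus = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        DevExt = (NTProcDrvDeviceExtension *)DeviceObject->DeviceExtension;
        /*
         * NOTE(review): nothing serialises this read against the writes in
         * NTProcDrvNotifyRoutine (the binary has no lock either), so a client
         * can observe ParentId and ProcessId from two different process events.
         */
        OutBuf[0] = (ULONG)(ULONG_PTR)DevExt->ParentId;
        OutBuf[1] = (ULONG)(ULONG_PTR)DevExt->ProcessId;
        OutBuf[2] = DevExt->IsCreate;
        ntStatus = STATUS_SUCCESS;
        information = NTProcDrv_OUTPUT_SIZE;
        break;
    default:
        /* unknown control code: STATUS_UNSUCCESSFUL, nothing written back */
        break;
    }

    /* Set on every path; the listing only set Status on the default branch. */
    Irp->IoStatus.Status = ntStatus;
    Irp->IoStatus.Information = information;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}

/*
 * NTProcDrvNotifyRoutine - PsSetCreateProcessNotifyRoutine callback.
 *
 * Records the event in the device extension and pulses the notification
 * event: KeSetEvent releases every thread currently waiting on it, and the
 * immediate KeClearEvent re-arms it. A client that is not already waiting
 * at that instant misses the pulse (a notification event does not queue).
 */
VOID
NTProcDrvNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create)
{
    PDEVICE_OBJECT deviceObject = GloalDeviceObject;
    NTProcDrvDeviceExtension *DevExt = NULL;

    /* The callback is registered only after GloalDeviceObject is set and removed before it is cleared; guard anyway. */
    if (deviceObject == NULL) {
        return;
    }

    DevExt = (NTProcDrvDeviceExtension *)deviceObject->DeviceExtension;
    DevExt->ParentId  = ParentId;
    DevExt->ProcessId = ProcessId;
    DevExt->IsCreate  = Create ? 1 : 0;

    KeSetEvent(DevExt->KernelEvent, 0, FALSE);
    KeClearEvent(DevExt->KernelEvent);
}

欢迎找bug.idb文件.c文件,源驱动都在附件中.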
转载请注明原文地址: https://ibbs.8miu.com/read-12539.html