In Windows NT, the 80386 protected mode "protection" is more robust than Windows 95, the "gilded cage" more solid, more difficult to break. In Windows 95, at least the application I / O operation is unrestricted, Windows NT application even this permission are deprived. Less likely to enter in the NT almost real ring0 layer. In Windows NT, there are three Device Driver: ? 1. "Virtual device Driver" (VDD). VDD, 16-bit applications, such as DOS and Win16 applications can access specific I / O ports (Note, not direct access, but to VDD to access). ? 2. "GDI Driver", display and print the necessary GDI functions. ? 3. "Kernel Mode Driver", the operation of specific hardware, for example, CreateFile, CloseHandle (file object), ReadFile, WriteFile, the DeviceIoControl other operations. "Kernel Mode Driver" Windows NT hardware interrupt and DMA operation Driver. SCSI port driver and NIC NDIS driver Kernel Mode Driver is a special form. ? ? Visual studio2012 Windows8 bring new experience exceptionally different ? 1.Start Vs2012  2.Seen everywhere driven development template  3.Select a drive mode, there are two types of kernel mode and user mode driver  ? 4 Create a driver, KMDF DriverMVP  ? We choose a kernel mode driver Below is created after the success of the interface are the driver, and the driver installation package  Insert the following code to create a thread ring0 layer drive monitoring, see Code Analysis ~~~ #include "ThreadMon.h" #include "../inc/ioctls.h" // ////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////// // // 全局變量 // PDEVICE_OBJECT g_pDeviceObject; // ////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////// // // 函數實現 // NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING ntDeviceName; UNICODE_STRING dosDeviceName; UNICODE_STRING ThreadEventString; PDEVICE_EXTENSION deviceExtension; PDEVICE_OBJECT deviceObject = NULL; KdPrint(("[ThreadMon] DriverEntry: %wZ\n", RegistryPath)); // // 創建設備對象 // RtlInitUnicodeString(&ntDeviceName, THREADMON_DEVICE_NAME_W); Status = IoCreateDevice( DriverObject, sizeof(DEVICE_EXTENSION), // DeviceExtensionSize &ntDeviceName, // DeviceName FILE_DEVICE_THREADMON, // DeviceType 0, // DeviceCharacteristics TRUE, // Exclusive &deviceObject // [OUT] ); if(!NT_SUCCESS(Status)) { KdPrint(("[ThreadMon] IoCreateDevice Error Code = 0x%X\n", Status)); return Status; } // // 設置擴展結構 // deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension; // // Set up synchronization objects, state info,, etc. // deviceObject->Flags |= DO_BUFFERED_IO; // // 創建符號鏈接 // RtlInitUnicodeString(&dosDeviceName, THREADMON_DOS_DEVICE_NAME_W); Status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName); if(!NT_SUCCESS(Status)) { KdPrint(("[ThreadMon] IoCreateSymbolicLink Error Code = 0x%X\n", Status)); IoDeleteDevice(deviceObject); return Status; } // // 分發IRP // DriverObject->MajorFunction[IRP_MJ_CREATE] = ThreadMonDispatchCreate; DriverObject->MajorFunction[IRP_MJ_CLOSE] = ThreadMonDispatchClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ThreadMonDispatchDeviceControl; DriverObject->DriverUnload = ThreadMonUnload; // // 保存設備對象指針 // g_pDeviceObject = deviceObject; // // 創建事件對象與應用層通信 // RtlInitUnicodeString(&ThreadEventString, EVENT_NAME); deviceExtension->ThreadEvent = IoCreateNotificationEvent(&ThreadEventString, &deviceExtension->ThreadHandle); KeClearEvent(deviceExtension->ThreadEvent); // 非受信狀態 // // 設置回調例程 // Status = PsSetCreateThreadNotifyRoutine(ThreadCallback); return Status; } NTSTATUS ThreadMonDispatchCreate( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; KdPrint(("[ThreadMon] IRP_MJ_CREATE\n")); Irp->IoStatus.Status = Status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Status; } NTSTATUS ThreadMonDispatchClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; KdPrint(("[ThreadMon] IRP_MJ_CLOSE\n")); Irp->IoStatus.Status = Status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Status; } NTSTATUS ThreadMonDispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS Status = STATUS_SUCCESS; PIO_STACK_LOCATION irpStack; PDEVICE_EXTENSION deviceExtension; ULONG inBufLength, outBufLength; ULONG ioControlCode; PCALLBACK_INFO pCallbackInfo; // 獲取當前設備棧 irpStack = IoGetCurrentIrpStackLocation(Irp); deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension; // 提取信息 pCallbackInfo = Irp->AssociatedIrp.SystemBuffer; inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength; outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength; ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode; // 處理不同的IOCTL switch (ioControlCode) { case IOCTL_THREAD_MON: { KdPrint(("[ThreadMon] IOCTL: 0x%X", ioControlCode)); if (outBufLength >= sizeof(PCALLBACK_INFO)) { pCallbackInfo->ProcessId = deviceExtension->ProcessId; pCallbackInfo->ThreadId = deviceExtension->ThreadId; pCallbackInfo->Create = deviceExtension->Create; Irp->IoStatus.Information = outBufLength; } break; } default: { Status = STATUS_INVALID_PARAMETER; Irp->IoStatus.Information = 0; KdPrint(("[ThreadMon] Unknown IOCTL: 0x%X (%04X,%04X)", \ ioControlCode, DEVICE_TYPE_FROM_CTL_CODE(ioControlCode), \ IoGetFunctionCodeFromCtlCode(ioControlCode))); break; } } Irp->IoStatus.Status = Status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Status; } VOID ThreadMonUnload( IN PDRIVER_OBJECT DriverObject ) { UNICODE_STRING dosDeviceName; // // Free any resources // // 卸載回調例程 PsRemoveCreateThreadNotifyRoutine(ThreadCallback); // // Delete the symbolic link // RtlInitUnicodeString(&dosDeviceName, THREADMON_DEVICE_NAME_W); IoDeleteSymbolicLink(&dosDeviceName); // // Delete the device object // IoDeleteDevice(DriverObject->DeviceObject); KdPrint(("[ThreadMon] Unloaded")); } VOID ThreadCallback( IN HANDLE ProcessId, // 進程ID IN HANDLE ThreadId, // 線程ID IN BOOLEAN Create // 創建還是終止 ) { PDEVICE_EXTENSION deviceExtension = (PDEVICE_EXTENSION)g_pDeviceObject->DeviceExtension; deviceExtension->ProcessId = ProcessId; deviceExtension->ThreadId = ThreadId; deviceExtension->Create = Create; // 觸發事件，通知應用程序 KeSetEvent(deviceExtension->ThreadEvent, 0, FALSE); KeClearEvent(deviceExtension->ThreadEvent); } // ///////////////////////////////////////////////////////////////////////// ~~~ ring3 layer following the calling code ~~~ #include "windows.h" #include "winioctl.h" #include "stdio.h" #include "../inc/ioctls.h" #define SYMBOL_LINK "\\\\.\\ThreadMon" int main() { CALLBACK_INFO cbkinfo, cbktemp = {0}; // 打開驅動設備對象 HANDLE hDriver = ::CreateFile( SYMBOL_LINK, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hDriver == INVALID_HANDLE_VALUE) { printf("打開驅動設備對象失敗！\n"); return -1; } // 打開內核事件對象 HANDLE hProcessEvent = ::OpenEventW(SYNCHRONIZE, FALSE, EVENT_NAME); while (::WaitForSingleObject(hProcessEvent, INFINITE)) { DWORD dwRet; BOOL bRet; // printf("收到事件通知！\n"); bRet = ::DeviceIoControl( hDriver, IOCTL_THREAD_MON, NULL, 0, &cbkinfo, sizeof(cbkinfo), &dwRet, NULL); if (bRet) { if (cbkinfo.ProcessId != cbktemp.ProcessId || \ cbkinfo.ThreadId != cbktemp.ThreadId || \ cbkinfo.Create != cbktemp.Create) { if (cbkinfo.Create) { printf("有線程被創建，PID = %d，TID = %d\n", cbkinfo.ProcessId, cbkinfo.ThreadId); } else { printf("有線程被終止，PID = %d，TID = %d\n", cbkinfo.ProcessId, cbkinfo.ThreadId); } cbktemp = cbkinfo; } } else { printf("\n獲取進程信息失敗！\n"); break; } } ::CloseHandle(hDriver); return 0; } ~~~