
VIP论坛网址: 
https://www.yjxsoft.com/
2021在线班
郁金香灬老师 QQ 150330575
交流群:158280115
备用群:19780013

学习目标: 
     D059-驱动级隐藏注入A
     
	 PsSetCreateProcessNotifyRoutine
	 
	 NTSTATUS PsSetCreateProcessNotifyRoutine(
  _In_  PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
  _In_  BOOLEAN Remove
);

PsRemoveLoadImageNotifyRoutine

NTSTATUS PsSetLoadImageNotifyRoutine(
_In_ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
);

CreateProcessNotify

	// Create a kernel thread for the injection.
	// Excerpt only: `status`, `thread_hanlde`, `x64Process` and `injectdata`
	// are declared outside this snippet. The thread entry is chosen by the
	// bitness of the target (INJECT_ROUTINE_X64 vs INJECT_ROUTINE_X86) and
	// `injectdata` is handed over as its start context.
	// NOTE(review): `thread_hanlde` (sic) receives the new thread's handle and
	// presumably has to be closed (ZwClose) once it is no longer needed — that
	// cleanup is not visible here; confirm against the full function.
	// NOTE(review): `status` is returned by PsCreateSystemThread and should be
	// checked with NT_SUCCESS() before the handle is used — not shown here.
	status = PsCreateSystemThread(
		&thread_hanlde,//OUT
		THREAD_ALL_ACCESS,
		NULL,
		NtCurrentProcess(),
		NULL,
		x64Process ? INJECT_ROUTINE_X64 : INJECT_ROUTINE_X86,
		injectdata);
		

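/*
 * CreateProcessNotify - process create/exit callback.
 *
 * Intended to be registered through PsSetCreateProcessNotifyRoutine (see
 * the prototype earlier in these notes); the kernel then invokes it once
 * for every process creation and once for every process exit.
 *
 * ParentId  : id of the creating process (unused here)
 * ProcessId : id of the process being created or torn down
 * Create    : TRUE on creation, FALSE on exit
 *
 * On creation the pid is added to the injection list; on exit it is
 * removed again so the list does not keep a stale pid.
 * AddInjectList / DeleteInjectList / DPRINT are defined elsewhere in
 * the project.
 *
 * NOTE(review): a callback registered this way is enumerable through the
 * kernel's notify-routine list, which is what forensic and EDR tooling
 * inspects — a useful detection point when reviewing drivers like this.
 */
VOID CreateProcessNotify(
	_In_ HANDLE ParentId,
	_In_ HANDLE ProcessId,
	_In_ BOOLEAN Create
)
{
	UNREFERENCED_PARAMETER(ParentId);

	/* Ignore the Idle (pid 0) and System (pid 4) processes. */
	if (ProcessId == (HANDLE)4 || ProcessId == (HANDLE)0)
	{
		return;
	}

	/*
	 * Bail out unless we are at PASSIVE_LEVEL — presumably because the
	 * list helpers below are only safe there; confirm against their
	 * implementation.
	 */
	if (KeGetCurrentIrql() != PASSIVE_LEVEL)
	{
		return;
	}

	/*
	 * Fix: HANDLE is pointer-sized, so passing it to "%d" is a format
	 * mismatch (undefined behaviour, and on x64 only the low bits would be
	 * read). Narrow it explicitly with HandleToULong and print with "%u".
	 */
	if (Create)
	{
		DPRINT("yjx:AddInjectList -> %u\n", HandleToULong(ProcessId));
		AddInjectList(ProcessId);
	}
	else
	{
		/* Process is going away: drop it from the injection list. */
		DPRINT("yjx:DeleteInjectList -> %u\n", HandleToULong(ProcessId));
		DeleteInjectList(ProcessId);
	}
}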

