监视进程
之前记得论坛里有看到过监视进程的帖子，进程被创建或退出都能显示，现在怎么都找不到了，有人看到过吗？我已经没印象了。
import psutil
import time
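def get_running_processes() -> dict:
    """Return a snapshot of the current process table as ``{pid: name}``.

    Per psutil's documentation, ``process_iter(attrs=...)`` skips processes
    that exit while the table is being walked and fills attributes it is not
    allowed to read (AccessDenied / zombie) with ``None`` instead of raising,
    so no exception handling is needed around the loop.

    Caveat for anyone using this as a security monitor: the key is the pid
    alone. Operating systems recycle pids, so a pid that exits and is reused
    between two snapshots is indistinguishable from the original process.
    Include ``create_time`` in the key when that distinction matters.
    """
    processes = {}
    for proc in psutil.process_iter(['pid', 'name']):
        # .info holds exactly the attrs requested above.
        processes[proc.info['pid']] = proc.info['name']
    return processes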
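def monitor_processes(interval: float = 1.0) -> None:
    """Poll the process table forever and print every creation and exit seen.

    A process is identified by ``(pid, create_time)`` rather than by pid
    alone. Operating systems recycle pids, so a pid that disappears and is
    reassigned between two polls would otherwise look like one unchanged,
    still-running process; with ``create_time`` in the key it is correctly
    reported as an exit followed by a creation.

    Args:
        interval: seconds to sleep between polls. Defaults to 1, matching the
            original fixed delay.

    Caveats inherent to a polling monitor (not fixable here):
        * A process that starts and exits within one interval is never
          observed. Where completeness matters use an OS-level event source
          (ETW / Sysmon process-create events, auditd, a kernel
          PsSetCreateProcessNotifyRoutineEx callback) instead.
        * ``name`` may be ``None`` for processes the caller may not inspect.

    Runs until interrupted; the only way out is an exception such as
    ``KeyboardInterrupt``.
    """

    def _snapshot() -> dict:
        # process_iter(attrs=...) skips processes that vanish mid-walk and
        # substitutes None for unreadable attributes, so no try/except here.
        snapshot = {}
        for proc in psutil.process_iter(['pid', 'name', 'create_time']):
            info = proc.info
            snapshot[(info['pid'], info['create_time'])] = info['name']
        return snapshot

    previous = _snapshot()
    while True:
        time.sleep(interval)
        current = _snapshot()
        # Report creations first, then exits, in process-table order.
        for key, name in current.items():
            if key not in previous:
                print(f"新进程创建: PID={key[0]}, 名称={name}")
        for key, name in previous.items():
            if key not in current:
                print(f"进程退出: PID={key[0]}, 名称={name}")
        previous = current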
if __name__ == "__main__":
    # Script entry point: run the polling loop until interrupted.
    monitor_processes()

#include <ntddk.h>
// 进程创建和退出的回调函数
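// Process create/exit notification routine (PCREATE_PROCESS_NOTIFY_ROUTINE_EX).
//
//   Process    - the EPROCESS of the process in question; unused here.
//   ProcessId  - its PID.
//   CreateInfo - non-NULL on creation (describes the new process), NULL on exit.
//
// The routine only observes and logs; it never alters the creation outcome.
void ProcessNotifyCallback(
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
)
{
    // Not needed for logging; referenced so a /W4 (warnings-as-errors) WDK
    // build does not fail on an unused parameter.
    UNREFERENCED_PARAMETER(Process);

    if (CreateInfo != NULL)
    {
        // Process creation. The parent PID is logged as well: for a security
        // monitor the parent/creator relationship is as useful as the image.
        // ImageFileName is guarded defensively rather than assumed populated
        // on every creation path. HandleToULong yields a ULONG, hence %u.
        if (CreateInfo->ImageFileName != NULL)
        {
            DbgPrint("Process created: PID=%u, ParentPID=%u, ImageFileName=%wZ\n",
                     HandleToULong(ProcessId),
                     HandleToULong(CreateInfo->ParentProcessId),
                     CreateInfo->ImageFileName);
        }
        else
        {
            DbgPrint("Process created: PID=%u, ParentPID=%u, ImageFileName=<unavailable>\n",
                     HandleToULong(ProcessId),
                     HandleToULong(CreateInfo->ParentProcessId));
        }
        // NOTE: a driver that wants to *block* a creation would assign a
        // failure status to CreateInfo->CreationStatus here. This monitor
        // deliberately leaves it untouched.
    }
    else
    {
        // Process exit: CreateInfo is NULL, only the PID is available.
        DbgPrint("Process exited: PID=%u\n", HandleToULong(ProcessId));
    }
}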
// 驱动程序卸载函数
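// Unload routine: unregisters the process notify callback.
//
// The callback must be removed before the driver image is unmapped; otherwise
// the next process create/exit would call into freed code.
void DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    // Remove == TRUE unregisters the same routine DriverEntry registered.
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, TRUE);
    if (!NT_SUCCESS(status))
    {
        // Nothing more can be done at unload time; at least leave a trace
        // instead of silently ignoring the failure as the original did.
        DbgPrint("Failed to unregister process notify callback: 0x%08X\n", status);
    }
    DbgPrint("Driver unloaded.\n");
}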
// 驱动程序入口点
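// Driver entry point: registers the process notify callback and installs the
// unload routine. Returns STATUS_SUCCESS or the status of the failed
// registration, in which case the driver is not loaded.
extern "C" NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // Register for create/exit notifications.
    // PsSetCreateProcessNotifyRoutineEx only accepts callers whose image was
    // linked with /INTEGRITYCHECK (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY);
    // without that flag it fails with STATUS_ACCESS_DENIED, which is the
    // usual reason this call fails in a freshly created project.
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, FALSE);
    if (!NT_SUCCESS(status))
    {
        // Include the status so the failure cause is visible in the debugger.
        DbgPrint("Failed to register process notify callback: 0x%08X\n", status);
        // Safe to bail out: nothing was registered, so there is nothing to
        // undo, and a failed DriverEntry never has DriverUnload invoked.
        return status;
    }

    // Install the unload routine only once the callback is live, so that
    // registration and the unregistration in DriverUnload stay paired.
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("Driver loaded.\n");
    return STATUS_SUCCESS;
}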