标题:
监视进程
作者:
aleax1984
时间:
2025-1-15 11:57
标题:
监视进程
之前记得论坛里有看到监视进程的帖子，进程被创建或退出都能显示，现在怎么都找不到了，有人看到过的吗？
作者:
创世魂
时间:
2025-1-15 12:15
没印象
作者:
承易
时间:
2025-1-18 20:18
import psutil
import time
def get_running_processes():
    """Return a dict mapping every live PID to its process name.

    Uses psutil.process_iter() with an attrs list, which fetches ``pid`` and
    ``name`` in one pass and skips processes that exit during enumeration.
    """
    return {
        proc.info['pid']: proc.info['name']
        for proc in psutil.process_iter(['pid', 'name'])
    }
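def monitor_processes(interval=1.0):
    """Poll the process table and print every process creation and exit.

    Args:
        interval: seconds to sleep between two snapshots. Defaults to 1.0,
            the fixed one-second poll of the original implementation.

    Runs until interrupted; KeyboardInterrupt propagates to the caller.

    Processes are identified by ``(pid, create_time)`` rather than by PID
    alone: a PID recycled between two polls is then reported as an exit
    followed by a creation instead of being silently missed. A process that
    starts and exits within a single interval is never observed by polling;
    an event-driven source (ETW / a kernel notify routine) is needed for that.
    """

    def _snapshot():
        # Map (pid, create_time) -> name. process_iter() with an attrs list
        # skips processes that vanish while being enumerated; a field it
        # cannot read (AccessDenied) is returned as None.
        snap = {}
        for proc in psutil.process_iter(['pid', 'name', 'create_time']):
            info = proc.info
            snap[(info['pid'], info['create_time'])] = info['name']
        return snap

    previous = _snapshot()
    while True:
        time.sleep(interval)
        current = _snapshot()
        # Newly created processes: present now, absent in the last snapshot.
        for key, name in current.items():
            if key not in previous:
                print(f"新进程创建: PID={key[0]}, 名称={name}")
        # Exited processes: present in the last snapshot, absent now.
        for key, name in previous.items():
            if key not in current:
                print(f"进程退出: PID={key[0]}, 名称={name}")
        # Carry the current snapshot forward as the baseline.
        previous = current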
if __name__ == "__main__":
    # Start the polling loop; it runs until the process is interrupted.
    monitor_processes()
作者:
承易
时间:
2025-1-18 20:25
#include <ntddk.h>
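// Callback the kernel invokes for every process creation and exit.
// CreateInfo is non-NULL for a creation (and carries the image path) and
// NULL for an exit. NOTE(review): per the WDK docs this runs in the context
// of the creating / exiting thread — keep the work here minimal.
void ProcessNotifyCallback(
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
)
{
    UNREFERENCED_PARAMETER(Process);

    if (CreateInfo != NULL)
    {
        // Process creation. ImageFileName is a pointer that may be NULL, and
        // %wZ dereferences its argument, so only print it when present.
        if (CreateInfo->ImageFileName != NULL)
        {
            DbgPrint("Process created: PID=%lu, ImageFileName=%wZ\n",
                     HandleToULong(ProcessId), CreateInfo->ImageFileName);
        }
        else
        {
            DbgPrint("Process created: PID=%lu, ImageFileName=<unavailable>\n",
                     HandleToULong(ProcessId));
        }
    }
    else
    {
        // Process exit; no image information is supplied for this event.
        DbgPrint("Process exited: PID=%lu\n", HandleToULong(ProcessId));
    }
}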
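// Driver unload routine: removes the notify callback so the kernel never
// calls into an image that is no longer mapped.
void DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    // Remove == TRUE deregisters the routine that DriverEntry registered.
    // The result is logged rather than discarded so a failed removal is
    // visible in the debugger before the image goes away.
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, TRUE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("Failed to remove process notify callback: 0x%08X\n", (ULONG)status);
    }
    DbgPrint("Driver unloaded.\n");
}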
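// Driver entry point. Keeps C linkage (extern "C") because this file is
// compiled as C++ and the loader resolves DriverEntry by its undecorated name.
extern "C" NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // Register for creation/exit notifications. PsSetCreateProcessNotifyRoutineEx
    // rejects (STATUS_ACCESS_DENIED) drivers whose image was not linked with
    // /INTEGRITYCHECK (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY), so a failure
    // here is usually a build-configuration problem rather than a runtime one.
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, FALSE);
    if (!NT_SUCCESS(status))
    {
        // Nothing was registered, so there is nothing to undo before failing
        // the load; include the status code so the cause can be identified.
        DbgPrint("Failed to register process notify callback: 0x%08X\n", (ULONG)status);
        return status;
    }

    // Install the unload routine only once registration succeeded, so every
    // unload has a registration to remove.
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("Driver loaded.\n");
    return STATUS_SUCCESS;
}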