PsSetCreateProcessNotifyRoutineEx Code Help

  • Question

  • #include <ntddk.h>
    
    
    void CreateProcessNotifyEx(_Inout_ PEPROCESS Process, _In_ HANDLE ProcessId, _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo) {
    	UNREFERENCED_PARAMETER(CreateInfo);
    	UNREFERENCED_PARAMETER(ProcessId);
    	UNREFERENCED_PARAMETER(Process);
    	DbgPrint("================================> Inside CallBackRoutine!!!!!!");
    	DbgPrint("========================> ProcessName  >> 0x%s", CreateInfo->ImageFileName);
    	DbgPrint("==========-=======> ProcessId >> 0x%x",ProcessId);
    
    }
    
    extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    	DbgPrint("===========>Inside DriverEntry");
    	UNREFERENCED_PARAMETER(DriverObject);
    	UNREFERENCED_PARAMETER(RegistryPath);
    	NTSTATUS status; 
    	status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx,FALSE);
    
    
    	return STATUS_SUCCESS; 
    }
    Where am I going wrong?
    • Edited by SpdyCyrus Sunday, October 25, 2015 3:25 PM
    Sunday, October 25, 2015 2:26 PM

All replies

  • What is failing?  You should return status in DriverEntry or at least check it, since the registration of the callback can fail.  You should be checking if the CreateInfo parameter is NULL since it is optional, and since you use CreateInfo and ProcessId one has to wonder why you have UNREFERENCED_PARAMETER on these.   Also, I assume you only have one copy of the routines in the file you are actually compiling?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Sunday, October 25, 2015 2:45 PM
  • Yes, one copy.
    Sunday, October 25, 2015 3:25 PM
  • What is your failure mode?  The basic code structure looks fine (with the caveats I specified earlier), but without an idea of what fails we can't give more help.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, October 27, 2015 5:23 PM
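
The points raised in the first reply (check the registration status, treat CreateInfo as optional, drop UNREFERENCED_PARAMETER from parameters that are used), put together as an added example that is not part of the original thread. ImageNameOrNull, g_stubStatus and the user-mode stand-in types in the #else branch are assumptions made for illustration; the unload routine and the %wZ / %p format specifiers go beyond what the replies mention.

```c
/* Added example, not the poster's code. A WDK build (/kernel defines _KERNEL_MODE)
 * uses ntddk.h; the #else branch is constructed stand-ins for a user-mode test. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
typedef int NTSTATUS; typedef void *HANDLE, *PEPROCESS; typedef unsigned char BOOLEAN;
typedef struct { unsigned short Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct { const UNICODE_STRING *ImageFileName; } PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
typedef struct _DRIVER_OBJECT { void (*DriverUnload)(struct _DRIVER_OBJECT *); } DRIVER_OBJECT, *PDRIVER_OBJECT;
typedef void (*PCREATE_PROCESS_NOTIFY_ROUTINE_EX)(PEPROCESS, HANDLE, PPS_CREATE_NOTIFY_INFO);
#define TRUE 1
#define FALSE 0
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define UNREFERENCED_PARAMETER(p) ((void)(p))
static void DbgPrint(const char *Format, ...) { (void)Format; }
static NTSTATUS g_stubStatus; /* status the stand-in registration call returns */
static NTSTATUS PsSetCreateProcessNotifyRoutineEx(PCREATE_PROCESS_NOTIFY_ROUTINE_EX Routine, BOOLEAN Remove)
{ (void)Routine; (void)Remove; return g_stubStatus; }
#endif

/* CreateInfo is NULL when a process exits, and ImageFileName may be NULL too. */
static const UNICODE_STRING *ImageNameOrNull(PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    return CreateInfo != NULL ? CreateInfo->ImageFileName : NULL;
}

static void CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    const UNICODE_STRING *image = ImageNameOrNull(CreateInfo);
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL) { DbgPrint("exit   pid=%p\n", ProcessId); return; }
    if (image != NULL) DbgPrint("create pid=%p image=%wZ\n", ProcessId, image); /* UNICODE_STRING: %wZ, not %s */
    else DbgPrint("create pid=%p image=<none>\n", ProcessId);
}

static void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE); /* remove the callback before unload */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
    UNREFERENCED_PARAMETER(RegistryPath); /* STATUS_ACCESS_DENIED here: image not linked with /INTEGRITYCHECK */
    if (!NT_SUCCESS(status)) { DbgPrint("register failed: 0x%08X\n", status); return status; }
    DriverObject->DriverUnload = DriverUnload;
    return status;
}
```

When this is compiled as a .cpp file, as in the original post, DriverEntry needs the extern "C" qualifier.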