- 1 year ago
How to register callback with PsSetCreateProcessNotifyRoutine/PsSetCreateProcessNotifyRoutineEx?
In order to register a callback with `PsSetCreateProcessNotifyRoutine` or `PsSetCreateProcessNotifyRoutineEx` in a Windows driver, you'll need to implement a DriverEntry function and use the appropriate API to register the callback.

Here's a step-by-step guide to register a callback with `PsSetCreateProcessNotifyRoutineEx`:
- Include the necessary headers:

```c
#include <ntddk.h>
```
- Define the callback function:

```c
// Called on every process creation (CreateInfo != NULL) and exit (CreateInfo == NULL).
VOID ProcessNotifyCallbackEx(
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);

    if (CreateInfo == NULL)
    {
        // Process exit notification: no creation data is available
        return;
    }

    // Your code here (CreateInfo carries image name, command line, parent process id)
}
```
- Implement the DriverEntry function:

```c
// Unload routine: the callback must be removed before the driver image goes away,
// otherwise the kernel would call into unmapped code on the next process creation.
VOID DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallbackEx, TRUE);
}

NTSTATUS DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    // Register the callback. The Ex variant takes only the routine and a Remove flag;
    // there is no registration handle. The driver image must be linked with
    // /INTEGRITYCHECK or this call fails with STATUS_ACCESS_DENIED.
    status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallbackEx, FALSE);
    if (!NT_SUCCESS(status))
    {
        // Handle the error
        return status;
    }

    // To unregister later, call the same API with Remove = TRUE (see DriverUnload above)
    return STATUS_SUCCESS;
}
```
The `ProcessNotifyCallbackEx` function will be called whenever a new process is created. Inside this callback, you can perform any desired actions or checks based on the process information passed in the parameters.
Please note that `PsSetCreateProcessNotifyRoutine` and `PsSetCreateProcessNotifyRoutineEx` are undocumented functions and are not officially supported by Microsoft. Therefore, using these functions in production code is not recommended. Additionally, using undocumented APIs may lead to compatibility issues with future Windows updates.
If you still choose to use these functions, be sure to thoroughly test your driver and consider the implications of using undocumented APIs. Always follow best practices and official documentation when developing Windows drivers.
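As an added example (not code from the answer above), here is what a callback body registered with `PsSetCreateProcessNotifyRoutineEx` typically does on the defensive side: log each creation and exit from the `PS_CREATE_NOTIFY_INFO` fields, and veto a launch by setting `CreationStatus`. The deny policy (a constructed list of temp directories) is written without kernel types so the same source can be compiled and unit-tested in user mode; build with `-DKERNEL_BUILD` under the WDK to get the real callback. The names `KERNEL_BUILD`, `g_DenyPrefixes`, `ShouldDenyImage` and `ShouldDenyImagePath` are hypothetical names chosen for this example.

```c
/*
 * Added example: PsSetCreateProcessNotifyRoutineEx callback body with a
 * user-mode-testable deny policy. KERNEL_BUILD, g_DenyPrefixes, ShouldDenyImage
 * and ShouldDenyImagePath are hypothetical names for this example.
 */
#include <stddef.h>

#ifdef KERNEL_BUILD
#include <ntddk.h>
#endif

/* Length of a NUL-terminated wide string, in characters. */
static size_t WideLen(const wchar_t *s)
{
    size_t n = 0;
    while (s[n] != L'\0') n++;
    return n;
}

/* ASCII-only case fold; sufficient for the path segments compared here. */
static wchar_t FoldChar(wchar_t c)
{
    return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + (L'a' - L'A')) : c;
}

/* 1 if `needle` occurs within the first `hayLen` chars of `hay`, ignoring ASCII case. */
static int WideContainsNoCase(const wchar_t *hay, size_t hayLen, const wchar_t *needle)
{
    size_t needleLen = WideLen(needle);
    size_t i, j;
    if (needleLen == 0 || needleLen > hayLen) return 0;
    for (i = 0; i + needleLen <= hayLen; i++) {
        for (j = 0; j < needleLen; j++) {
            if (FoldChar(hay[i + j]) != FoldChar(needle[j])) break;
        }
        if (j == needleLen) return 1;
    }
    return 0;
}

/* Constructed policy: images executed out of these directories are denied. */
static const wchar_t *const g_DenyPrefixes[] = {
    L"\\AppData\\Local\\Temp\\",
    L"\\Windows\\Temp\\",
};

/* imagePath is the native path (\Device\HarddiskVolumeN\...) as delivered in
 * CreateInfo->ImageFileName: NOT NUL-terminated, imageLen counted in WCHARs. */
int ShouldDenyImage(const wchar_t *imagePath, size_t imageLen)
{
    size_t k;
    if (imagePath == NULL) return 0;   /* no name available: fail open, log only */
    for (k = 0; k < sizeof(g_DenyPrefixes) / sizeof(g_DenyPrefixes[0]); k++) {
        if (WideContainsNoCase(imagePath, imageLen, g_DenyPrefixes[k])) return 1;
    }
    return 0;
}

/* Convenience wrapper for NUL-terminated paths (used by the user-mode tests). */
int ShouldDenyImagePath(const wchar_t *zPath)
{
    return ShouldDenyImage(zPath, WideLen(zPath));
}

#ifdef KERNEL_BUILD
/* Registered with PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallbackEx, FALSE). */
VOID ProcessNotifyCallbackEx(
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
)
{
    UNREFERENCED_PARAMETER(Process);

    if (CreateInfo == NULL) {
        /* Exit notification: only the process id is meaningful here. */
        DbgPrint("[procmon] exit pid=%p\n", ProcessId);
        return;
    }

    /* ImageFileName and CommandLine may be NULL; never hand NULL to %wZ. */
    if (CreateInfo->ImageFileName != NULL) {
        DbgPrint("[procmon] create pid=%p parent=%p image=%wZ\n",
                 ProcessId, CreateInfo->ParentProcessId, CreateInfo->ImageFileName);
        if (ShouldDenyImage(CreateInfo->ImageFileName->Buffer,
                            CreateInfo->ImageFileName->Length / sizeof(WCHAR))) {
            /* An error CreationStatus makes the create call fail with that code. */
            CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
            DbgPrint("[procmon] denied pid=%p\n", ProcessId);
        }
    }
    if (CreateInfo->CommandLine != NULL) {
        DbgPrint("[procmon] cmdline pid=%p %wZ\n", ProcessId, CreateInfo->CommandLine);
    }
}
#endif
```

The callback runs in the context of the creating thread at PASSIVE_LEVEL, so a blocked launch surfaces to the caller as an access-denied failure rather than a silent kill after the fact; keeping the policy function free of kernel types is what lets the matching logic be exercised on a normal host before the driver is ever loaded.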