Description: NT/2K provides a set of APIs, known as "Process Structure Routines" [2] exported by NTOSKRNL. One of these APIs PsSetCreateProcessNotifyRoutine() offers the ability to register system-wide callback function which is called by OS each time when a new process starts, exits or is terminated. The mentioned API can be employed as an easy to implement method for tracking down processes simply by implementing a NT kernel-mode driver and a user mode Win32 control application. The role of the driver is to detect process execution and notifiy the control program about these events.
To Search:
File list (Check if you may need any files):
CreateProcessNotify
...................\Code
...................\....\ConsCtl
...................\....\.......\ApplicationScope.cpp
...................\....\.......\ApplicationScope.h
...................\....\.......\CallbackHandler.cpp
...................\....\.......\CallbackHandler.h
...................\....\.......\Common.h
...................\....\.......\ConsCtl.cpp
...................\....\.......\ConsCtl.dsp
...................\....\.......\CustomThread.cpp
...................\....\.......\CustomThread.h
...................\....\.......\LockMgr.cpp
...................\....\.......\LockMgr.h
...................\....\.......\NtDriverController.cpp
...................\....\.......\NtDriverController.h
...................\....\.......\QueueContainer.cpp
...................\....\.......\QueueContainer.h
...................\....\.......\QueuedItem.h
...................\....\.......\RetrievalThread.cpp
...................\....\.......\RetrievalThread.h
...................\....\.......\ThreadMonitor.cpp
...................\....\.......\ThreadMonitor.h
...................\....\.......\WinUtils.h
...................\....\ProcMon.dsw
...................\....\ProcObsrv
...................\....\.........\ProcObsrv.c
...................\....\.........\ProcObsrv.dsp
...................\Output
...................\......\ProcObsrv.sys
Download