PsSetCreateProcessNotifyRoutine or equivalent

Jun 16, 2014 at 5:01 PM
Could someone help me hook PsSetCreateProcessNotifyRoutine? I want to basically monitor process creation in C# without polling WMI by either using this method "PsSetCreateProcessNotifyRoutine" or an equivalent that would work better.
Jun 16, 2014 at 6:13 PM
Edited Jun 16, 2014 at 6:13 PM
So something like this but in C#:
#include <ntddk.h>

// Called by the kernel for every process creation and exit once registered below.
// The handles are pointer-sized, so convert them before printing as integers
// (passing a HANDLE to %d is wrong on x64).
void ProcessCallback(IN HANDLE hParentId, IN HANDLE hProcessId, IN BOOLEAN bCreate)
{
    UNREFERENCED_PARAMETER(hParentId);

    if (bCreate)
        DbgPrint("Process %lu created \n", HandleToULong(hProcessId));
    else
        DbgPrint("Process %lu terminated \n", HandleToULong(hProcessId));
}

// Remove = TRUE unregisters the callback so the kernel never calls into unloaded code.
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
    DbgPrint("Driver unloading\n");
}

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DbgPrint("Driver loaded... \n");

    // Remove = FALSE registers the callback. Check the status: registration fails
    // (for example when the callback table is full), and unloading would then
    // try to remove a callback that was never installed.
    NTSTATUS status = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
    if (!NT_SUCCESS(status))
        return status;

    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
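As an added example (not part of this thread): PsSetCreateProcessNotifyRoutine is a kernel export and can only be registered from a driver, so a C# program cannot hook it directly. The closest user-mode equivalent that does not poll is the pair of extrinsic WMI event classes Win32_ProcessStartTrace and Win32_ProcessStopTrace, which are fed by the kernel's process trace provider and pushed to the subscriber (unlike a `__InstanceCreationEvent ... WITHIN n` query, which polls Win32_Process on a timer). The code below assumes a reference to System.Management and that the program runs elevated, since the trace event classes require administrator rights; it mirrors the driver callback above, with ProcessID standing in for hProcessId, ParentProcessID for hParentId, and the event class for bCreate.

```csharp
// Added example, not code from the thread: push-based process start/stop
// monitoring from user mode via the kernel-backed WMI trace event classes.
// Assumes: reference to System.Management, and an elevated process.
using System;
using System.Management;

class ProcessTraceMonitor
{
    static void Main()
    {
        // Extrinsic event classes: no WITHIN clause, nothing is polled.
        using (var startWatcher = MakeWatcher("Win32_ProcessStartTrace", created: true))
        using (var stopWatcher = MakeWatcher("Win32_ProcessStopTrace", created: false))
        {
            startWatcher.Start();
            stopWatcher.Start();
            Console.WriteLine("Monitoring process creation/termination; press Enter to stop.");
            Console.ReadLine();
            startWatcher.Stop();
            stopWatcher.Stop();
        }
    }

    // Builds a watcher for one trace class and attaches a handler that plays the
    // role of ProcessCallback, with 'created' standing in for bCreate.
    static ManagementEventWatcher MakeWatcher(string eventClass, bool created)
    {
        var query = new WqlEventQuery("SELECT * FROM " + eventClass);
        var watcher = new ManagementEventWatcher(query);
        watcher.EventArrived += (sender, e) => OnProcessEvent(e.NewEvent, created);
        return watcher;
    }

    static void OnProcessEvent(ManagementBaseObject ev, bool created)
    {
        // Both trace classes expose ProcessID, ParentProcessID and ProcessName as
        // uint32/uint32/string; the values are boxed, hence the explicit casts.
        uint pid = (uint)ev["ProcessID"];
        uint parentPid = (uint)ev["ParentProcessID"];
        string name = (string)ev["ProcessName"];

        if (created)
            Console.WriteLine($"Process {pid} ({name}) created, parent {parentPid}");
        else
            Console.WriteLine($"Process {pid} ({name}) terminated");
    }
}
```

Like the kernel callback, these events carry the PID, parent PID and image name but not the command line; if you need the full command line for detection purposes, the ETW provider Microsoft-Windows-Kernel-Process (consumable from C# through an ETW library) is the other push-based user-mode source.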