recognize process creation in callback

Hello,

Is there any documented/safe/guaranteed way to distinguish process creation from open process in ob_callback?
I think to do this we would need to analyze thread state.

Thank you for your answers.

Not sure what you are trying to do, but could you combine callbacks from
PsSetCreateProcessNotifyRoutine, with the ob_callback to determine what you
need?

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Tuesday, January 27, 2015 4:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] recognize process creation in callback

Don,

I think this won’t help.
Looking into the process creation process, it seems to be clear that before Ps callbacks, Ob callbacks will be invoked, because handles to proper objects will be set up (for thread and then to process I think)… anyway Ps seems to be called later.
I understand the only way to recognize this situation would be to check the state of the thread, more or less something like the slide “Thread scheduling states” http://www.google.pl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CFkQFjAH&url=http%3A%2F%2Fi-web.i.u-tokyo.ac.jp%2Fedu%2Ftraining%2Fss%2Flecture%2Fnew-documents%2FLectures%2F03-ThreadScheduling%2FThreadScheduling.ppt&ei=3AbIVLjuLoO67gaJ9IDQBQ&usg=AFQjCNE7bwWnpDZX7rTw138zAIG721ImoQ&sig2=NVEYzNQuMeHJGUwjT6fo5w&bvm=bv.84349003,d.ZGU

but I’m just not sure if this is the way to go…

I’m sorry for the recent link - here is the proper one: http://i-web.i.u-tokyo.ac.jp/edu/training/ss/lecture/new-documents/Lectures/03-ThreadScheduling/ThreadScheduling.ppt