
OSR Online Lists > ntdev
  Message 1 of 1  
16 Apr 18 04:13
MIsha Paranski
Join Date: 18 May 2017
Posts To This List: 23
Process state in Notify callback

Greetings, I'm registering a notify callback using PsSetCreateProcessNotifyRoutineEx() that is called for every process that is created in the system. I filtered only the processes that I care about, and I "post" in that callback an event to a user-space thread that injects a DLL into the process and writes data to the process's virtual memory.

I needed to change the "posting" of the event from the PsSetCreateProcessNotifyRoutineEx() callback to the PsSetImageLoadedNotifyRoutine() callback, because the EPROCESS is not fully initialized in that phase of the process callback, so it resulted in some errors when opening a handle to the process in user space, writing to its memory and creating remote threads.

The image loaded notify routine works perfectly on Windows 7 (32, 64) and Windows 10 (32), because I assume it is called after the EPROCESS is fully initialized in that phase, so performing operations on that process in user space isn't an issue.

The problem starts in Windows 10 64-bit. I'm getting errors when creating a remote thread in that process from user space (after posting an "event" from the image loaded notify routine). Some errors are "ERROR_PARTIAL_COPY"; sometimes I successfully inject a DLL, but when I enumerate all the DLLs in that process, I can't find my injected DLL even though it was successful.

Any hints on how to do it right on Windows 10 64-bit? I need a callback that is called 100% after the EPROCESS is fully initialized, but __before__ the first thread of the process starts executing.
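Editor's added example, not code from the poster or from OSR. The post describes two kernel callbacks (PsSetCreateProcessNotifyRoutineEx and the load-image callback, whose real registration function is PsSetLoadImageNotifyRoutine) and a user-mode helper that is woken by an event. The part that decides *when* to wake the helper is the piece worth writing down, and the assumption made here is that the first image-load notification worth acting on is the one for the native ntdll.dll: the notification for the main EXE arrives before ntdll is mapped, and a WoW64 process additionally loads the SysWOW64 copy, which should not produce a second wake-up. The kernel structures are mirrored in plain C (MIRROR_UNICODE_STRING, LOAD_IMAGE_EVENT, MakeUtf16 and the g_pending table are all hypothetical names chosen for this example) so the logic compiles and runs anywhere; in a real driver the callback's FullImageName, ProcessId and ImageInfo->SystemModeImage are passed straight into ShouldSignalUserMode(), and the sample paths below are constructed.

```c
/* Added example, not from the OSR post.  Decision logic for a
 * PLOAD_IMAGE_NOTIFY_ROUTINE: wake the user-mode injector exactly once
 * per tracked process, on the load of the native ntdll.dll.
 * Assumption (editor's): the EXE notification comes first and is too
 * early; the SysWOW64\ntdll.dll of a WoW64 process must be ignored. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirror of UNICODE_STRING (hypothetical name).  Length is in BYTES and
 * the buffer is UTF-16 that is not guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t  Length;         /* bytes, not characters */
    uint16_t  MaximumLength;
    uint16_t *Buffer;         /* WCHAR in the real struct */
} MIRROR_UNICODE_STRING;

/* The three callback inputs the policy needs (hypothetical bundle). */
typedef struct {
    const MIRROR_UNICODE_STRING *FullImageName;
    uint32_t ProcessId;
    bool     SystemModeImage; /* IMAGE_INFO.SystemModeImage */
} LOAD_IMAGE_EVENT;

#define MAX_TRACKED 64
/* PIDs recorded by the create-process callback (CreateInfo != NULL) and
 * not yet signalled.  A real driver guards this table with a lock. */
static uint32_t g_pending[MAX_TRACKED];
static size_t   g_pending_count;

/* Call from the PCREATE_PROCESS_NOTIFY_ROUTINE_EX when CreateInfo != NULL
 * and the image is one the driver cares about. */
bool TrackProcess(uint32_t pid)
{
    if (g_pending_count >= MAX_TRACKED) return false;
    g_pending[g_pending_count++] = pid;
    return true;
}

/* Remove pid from the table; true if it was there (so: first time only). */
static bool Untrack(uint32_t pid)
{
    for (size_t i = 0; i < g_pending_count; i++) {
        if (g_pending[i] == pid) {
            g_pending[i] = g_pending[--g_pending_count];
            return true;
        }
    }
    return false;
}

/* Case-insensitive "ends with" for an ASCII suffix against a UTF-16
 * string.  Works from Length only, never from a terminator, so it is
 * safe on the unterminated strings the loader hands to the callback. */
static bool EndsWithCI(const MIRROR_UNICODE_STRING *s, const char *suffix)
{
    size_t nchars = s->Length / sizeof(uint16_t);
    size_t slen   = strlen(suffix);
    if (slen > nchars) return false;
    const uint16_t *tail = s->Buffer + (nchars - slen);
    for (size_t i = 0; i < slen; i++) {
        uint16_t c = tail[i];
        if (c > 0x7F) return false;          /* non-ASCII can't match */
        char a = (char)c, b = suffix[i];
        if (a >= 'A' && a <= 'Z') a = (char)(a - 'A' + 'a');
        if (b >= 'A' && b <= 'Z') b = (char)(b - 'A' + 'a');
        if (a != b) return false;
    }
    return true;
}

/* True exactly once per tracked process: on the native ntdll.dll load.
 * The EXE image and the SysWOW64 ntdll.dll never trigger a signal. */
bool ShouldSignalUserMode(const LOAD_IMAGE_EVENT *ev)
{
    if (ev->SystemModeImage) return false;                 /* driver loads */
    if (!EndsWithCI(ev->FullImageName, "\\ntdll.dll")) return false;
    if (EndsWithCI(ev->FullImageName, "\\syswow64\\ntdll.dll")) return false;
    return Untrack(ev->ProcessId);                          /* tracked, and first time */
}

/* Demo/test helper: build the mirrored string from ASCII (constructed input). */
void MakeUtf16(MIRROR_UNICODE_STRING *out, uint16_t *buf, size_t cap, const char *ascii)
{
    size_t n = strlen(ascii);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)ascii[i];
    out->Buffer        = buf;
    out->Length        = (uint16_t)(n * sizeof(uint16_t));
    out->MaximumLength = (uint16_t)(cap * sizeof(uint16_t));
}
```

When ShouldSignalUserMode() returns true, the driver does the actual "posting": either completes an IRP the user-mode helper left pended (the inverted-call model) or sets an event object it referenced from a user handle. Both notification callbacks run in the context of the new process's first thread before that thread executes any user code, so the table above is the only per-process state needed; the lock around it is omitted here for brevity only.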