Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting... Please check out the Community Guidelines in the
Announcements and Administration Category, below.

Process state in Notify callback

Greetings,

I'm registering a notify callback using PsSetCreateProcessNotifyRoutineEx() that is called for every process that is created in the system. I filtered only the processes that i care about, and i "post" in that callback an event to a user space thread that injects a dll to the process, and writes data to the processes virtual memory.

I needed to change the "posting" of the event from the PsSetCreateProcessNotifyRoutineEx() callback, to the PsSetImageLoadedNotifyRoutine() because the EPROCESS is not fully initialized in that phase of the process callback, so it resulted in some errors when opening a handle to the process in user space and writing to it's memory and creating remote threads.

The image loaded notify routine works perfectly on Windows 7(32, 64) and Windows 10(32), because i assume it is called after the EPROCESS is fully initialized in that phase, so performing operations on that process in userspace isn't an issue. The problem starts in Windows 10 64bit. I'm getting errors when creating a remote thread to that process when in user space(After posting an "event" from the image loaded notify routine). Some errors are "ERROR_PARTIAL_COPY", sometimes i sucessfuly inject a DLL, but when i enumerate all the DLLs in that process, i can't find my injeted dll even though it was sucessful.

Any hints on how to do it right on Windows 10 64bit? I need a callback that is called 100% after the EPROCESS is fully initialized, but __before__ the first thread of the process starts executing.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!