Another question came to my mind.
I hooked NtCreateSection() (as was suggested by the guys from
www.sysinternals.com back in 1997) right below the frontier from user mode to kernel mode
(changed the SDT entry). Since currently my driver produces some debug output,
I see a query of the section for the child process every second or so,
obviously coming from the parent process. How is that? What does it mean?
Could it be that this is how the parent determines whether the child process
is still active (one of the infamous Wait* functions maybe?!)?
Does anyone have some details on that?