KMDF ProcessNotifyRoutine async with PsLookupProcessByProcessId() ?

j_hoppe · November 22, 2018, 12:16pm

(First contact at that new site … but had to register again)

Short:
How to check existence of a known process after receiving a ProcessNotifyRoutine callback?

Long:
In a KMDF driverm I’ve a problem with ProcessNotifyRoutine and PsLookupProcessByProcessId()

I debugged down to this:

The driver registers a ProcessNotifyRoutine callback with PsSetCreateProcessNotifyRoutine()
an app “myProcess” is started, and connects to the driver with its ProcessID, which is saved as “myProcessId”.
… regular operation …
myProcess is killed in the Taskmanager the unfriendly way.
The ProcessNotifyRoutine gets called. It calls PsLookupProcessByProcessId(myProcessId) to check whether myProcessId is still valid.
Despite the callback was triggered by kill of myProcess, PsLookupProcessByProcessId(myProcessId) still returns an EPROCESS pointer with NT_SUCCESS.

So the driver falsly assumes myProcess is still running.
That problem came up somewhere between Win10 1803 and 1809, it worked before.

Perhaps I must interpret the PEPROCESS struct returned by PsLookupProcessByProcessId() to get info about the process status, but it is documented as “opaque”.

Thanks for caring,
Joerg, PEAK System Technik

Peter_Viscarola_OSR · November 22, 2018, 3:09pm

Hmmmm… can’t you determine that you’re being called back because of the EXIT of myProcess, and just not call PsLookupProcessById to determine if it’s still running? In other words, if you’re being called for the exit if myProcess specifically, just… skip that step?

Interesting issue, and exceptionally well described (thank you vet much for that)… but that’s all I can think of.

Peter