ObRegisterCallbacks before starting process

Hey everyone. I'm really interested: can I set ObRegisterCallbacks before starting a process?

I mean I want to set ObRegisterCallbacks on a process like application.exe, but can I do it before starting the process application.exe?

Well, it has been years since I used ObRegisterCallbacks, but you do not specify the process you are monitoring; it basically calls for all CREATES or DUPLICATES of handles of type either process or thread. So you don't set the call on a specific process; you create a callback that has to determine if this is a process you are concerned about.

1 Like
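The filtering step the answer describes, as an added example that is not part of the original thread: a user-mode C model of a pre-operation callback that is invoked for every process handle create or duplicate and decides by image name whether to act, so it also covers a process started after registration. The struct, the function names, the watched name and the access-stripping policy are assumptions for illustration; a real driver reads the equivalent fields from `OB_PRE_OPERATION_INFORMATION` and resolves the image name from the target process object.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Access-right values as defined in winnt.h. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Hypothetical stand-in for what a driver sees on each create/duplicate. */
struct pre_op_model {
    int         kernel_handle;   /* models the KernelHandle flag */
    const char *target_image;    /* image name of the process being opened */
    uint32_t    desired_access;  /* a pre-callback may only remove bits */
};

static const char *WATCHED_IMAGE = "application.exe"; /* assumed target */

static int name_eq_nocase(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++; b++;
    }
    return *a == *b;
}

/* Called for EVERY process handle operation; returns 1 if access was reduced. */
int pre_operation(struct pre_op_model *info) {
    if (info->kernel_handle)                      /* leave kernel handles alone */
        return 0;
    if (!name_eq_nocase(info->target_image, WATCHED_IMAGE))
        return 0;                                 /* not a process we care about */
    uint32_t before = info->desired_access;
    info->desired_access &=
        ~(PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE);
    return info->desired_access != before;
}

int main(void) {
    /* Constructed sample operations; the watched process may start at any time. */
    struct pre_op_model ops[] = {
        { 0, "notepad.exe",     0x1FFFFFu },
        { 0, "Application.EXE", PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION },
    };
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        int changed = pre_operation(&ops[i]);
        printf("%s changed=%d access=0x%x\n", ops[i].target_image, changed,
               (unsigned)ops[i].desired_access);
    }
    return 0;
}
```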