how to detect parent to child process relationship in ObRegisterCallbacks pre-operation-callback

hi guys,
I'm writing my first driver that uses "ObRegisterCallbacks" to intercept handle creation attempts to my process.
But when my process is created, the creator also "creates" (it did call CreateProcess :dizzy:) a handle to my process, which triggers a false alert.

Is there any way to detect that the handle creation is from the "parent" process so I can make my alerting code ignore it?

thanks in advance :slight_smile:

Hi, you can use the PsSetCreateProcessNotifyRoutine routine to be notified of process creation and exit. In this routine you can find the parent and child process IDs separately, and you do not need to calculate these IDs; they exist in the PCREATE_PROCESS_NOTIFY_ROUTINE structure:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine

1 Like
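The bookkeeping this answer describes, as an added example (not the poster's driver and not Microsoft's code): the parent PID that a create-process notify routine reads from CreateInfo->ParentProcessId is stored per child, and the ObRegisterCallbacks pre-operation callback consults it before alerting. Kernel-only calls are named in comments so the logic compiles and runs in user mode; PID, RecordParent, ForgetProcess, IsRecordedParent and ShouldAlert are names chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uintptr_t PID;              /* stands in for the driver's HANDLE ProcessId */
#define MAX_TRACKED 256

typedef struct { PID child; PID parent; bool used; } ParentEntry;
static ParentEntry g_parents[MAX_TRACKED];   /* in a driver: guard with a spin lock */

/* Create-notify routine, Create == TRUE: store CreateInfo->ParentProcessId (the
   creator) against the new ProcessId. Returns false when the table is full. */
bool RecordParent(PID child, PID parent)
{
    ParentEntry *slot = NULL;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (g_parents[i].used && g_parents[i].child == child) { slot = &g_parents[i]; break; } /* PID reuse */
        if (!g_parents[i].used && slot == NULL) slot = &g_parents[i];
    }
    if (slot == NULL) return false;
    slot->child = child; slot->parent = parent; slot->used = true;
    return true;
}

/* Create-notify routine, CreateInfo == NULL (process exit): drop the entry so a
   reused PID is never matched against a stale parent. */
void ForgetProcess(PID child)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_parents[i].used && g_parents[i].child == child) g_parents[i].used = false;
}

/* Lookup used by the pre-operation callback. */
bool IsRecordedParent(PID requester, PID target)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_parents[i].used && g_parents[i].child == target)
            return g_parents[i].parent == requester;
    return false;   /* unknown child: do not assume a parent */
}

/* Pre-op decision. In the driver: target = PsGetProcessId((PEPROCESS)OperationInformation->Object),
   requester = PsGetCurrentProcessId(). Returns true when the alert should fire. */
bool ShouldAlert(PID protectedPid, PID requester, PID target)
{
    if (target != protectedPid) return false;       /* not the process we protect */
    if (requester == target) return false;          /* a process opening itself */
    return !IsRecordedParent(requester, target);    /* creator's own handle: expected */
}
```

Treating the creator as trusted is a policy choice, since a hostile parent gets the same pass; logging those opens (or trimming their access mask in the pre-op callback) is safer than dropping them silently.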