Hi all,
I read at DDK the following phrase about the callback routine registered
by PsSetCreateThreadNotifyRoutine:
“When it is called, the driver’s thread-creation notify routine runs at
IRQL PASSIVE_LEVEL either in the context of the newly created thread or
in the context of the exiting thread.”
So, I wrote this code to be that callback routine and several times it
stops at breakpoint:
VOID CreateThreadNotify(IN HANDLE ProcessId,
IN HANDLE ThreadId,
IN BOOLEAN bCreate)
{
if (PsGetCurrentThreadId() != ThreadId)
__debugbreak();
}
Should not be always the same?
Thanks in advance,
Fernando Roberto da Silva