Process Creation

I have developed a driver that monitors process creation using PsSetLoadImageNotifyRoutine.

If some driver were to create a process using ZwCreateProcess, will the callback associated with the PsSetLoadImageNotifyRoutine be invoked?

Yes.



Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer



Yes, the PsSetLoad routines invoke their callbacks when an executable is mapped into memory for execution.

m.
