Hi,
As suggested in the forum I tried to use the function PsSetCreateProcessNotifyRoutine in order to have a simple table of running processes.
As expected Windows calls my function when a new process is created, but I don't receive any call on process destroy.
Any idea about this?
Thank You,
Francesco
Did you try to check if the deleted process is really unloaded?
Maybe the process still exists:
kd> !process <process_id>
I tried the command !process <process_id>. Unfortunately the debugger complains about wrong symbols.
Anyway I checked with procexp and I cannot see the instance of the process that I assume deleted.
Also I cannot see any deleted process even when I shut down the system.
I can understand that a process can terminate without unloading, but
I don’t think it can survive a shutdown.
My code follows.
/* Callback registered with PsSetCreateProcessNotifyRoutine; the kernel
   requires a VOID routine taking (ParentId, ProcessId, Create). */
static VOID
CreateProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) {
    if ( Create )
        KDINFO("CURRENTPROCESS: new process (%p) created\n", ProcessId);
    else
        KDINFO("CURRENTPROCESS: process (%p) deleted\n", ProcessId);
}

NTSTATUS
CurrentProcessModInit() {
    NTSTATUS Status;

    /* Image-load notifications (LoadImageNotifyRoutine is defined elsewhere in the driver). */
    Status = PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if ( !NT_SUCCESS(Status) ) {
        KDERROR("CURRENTPROCESS: cannot set LoadImageNotifyRoutine cause '%s'\n", OsrNTStatusToString(Status));
        return Status;
    }

    /* Second argument FALSE = add the routine (TRUE would remove it). */
    Status = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, FALSE);
    if ( !NT_SUCCESS(Status) ) {
        KDERROR("CURRENTPROCESS: cannot set CreateProcessNotifyRoutine cause '%s'\n", OsrNTStatusToString(Status));
        return Status;
    }
    return STATUS_SUCCESS;
}
Any idea?
Thanks, Francesco
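An added example, not code from the thread: the bookkeeping a create-process notify routine has to do to keep the "simple table of running processes" the question asks for. It keeps the kernel callback shape (VOID routine, HANDLE pids, Create flag) but stubs HANDLE/BOOLEAN so the logic compiles and runs in user mode; the table, PID macro and the two accessor functions are assumptions of this example, and a real driver would drop the stubs, include ntddk.h and guard the table with a lock.

```c
#include <stddef.h>
#include <stdint.h>

typedef void *HANDLE;          /* stub for the kernel HANDLE type   */
typedef unsigned char BOOLEAN; /* stub for the kernel BOOLEAN type  */
#define TRUE  1
#define FALSE 0
#define PID(n) ((HANDLE)(uintptr_t)(n))  /* build a pid handle from a number */

#define MAX_TRACKED 64
typedef struct { HANDLE Pid; HANDLE Parent; } ProcEntry;

static ProcEntry g_Table[MAX_TRACKED];  /* constructed in-memory table */
static size_t    g_Count = 0;           /* driver: protect with a spin lock */

/* Return the slot holding Pid, or -1 if we never saw that pid created. */
static int FindSlot(HANDLE Pid) {
    for (size_t i = 0; i < g_Count; i++)
        if (g_Table[i].Pid == Pid) return (int)i;
    return -1;
}

/* Same shape as PCREATE_PROCESS_NOTIFY_ROUTINE. Create == TRUE adds the
   process, FALSE removes it. The driver must unregister this routine
   (PsSetCreateProcessNotifyRoutine(..., TRUE)) before it unloads. */
void CreateProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) {
    int slot = FindSlot(ProcessId);
    if (Create) {
        /* PIDs are reused: a stale entry means a delete was missed, so
           overwrite it instead of adding a duplicate. */
        if (slot < 0 && g_Count < MAX_TRACKED) slot = (int)g_Count++;
        if (slot >= 0) { g_Table[slot].Pid = ProcessId; g_Table[slot].Parent = ParentId; }
    } else {
        /* Processes that existed before the driver loaded are never
           reported as created, so a delete for an unknown pid is normal. */
        if (slot >= 0) { g_Count--; g_Table[slot] = g_Table[g_Count]; }  /* swap-remove */
    }
}

size_t TrackedProcessCount(void) { return g_Count; }
int    IsTracked(HANDLE Pid)     { return FindSlot(Pid) >= 0; }
```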
>I tried the command !process <process_id>. Unfortunately the
> debugger complains about wrong symbols.
You gotta fix the symbols first. Without them,
everything printed by the debugger is just garbage.
L.