Hello all,
I am new to kernel driver development and I have a question about the usage of functions like ZwCurrentProcess and PsGetCurrentThread
in kernel driver code.
The context I'm using them in is PsSetCreateThreadNotifyRoutine and PsSetCreateProcessNotifyRoutine.
From what I understand, there is no user-mode process context in kernel driver code. When using PsSetCreateThreadNotifyRoutine or PsSetCreateProcessNotifyRoutine,
I can get information about the user-mode process triggering these callback routines from the definition of the callback routine itself:
void ThreadNotifyCallbackRoutine( HANDLE hProcess, HANDLE hThread, BOOLEAN bCreate)
.
Here, hProcess and hThread.
But a direct call to ZwCurrentProcess or PsGetCurrentThread
in kernel driver code, in kind of the same way it's called in user mode, looks strange to me.
Can you explain to me how kernel driver code can get the user-mode process context and directly use functions like ZwCurrentProcess and PsGetCurrentThread
?
Thank you a lot