Yet another RtlQueryProcessDebugInformation function question


My previous problem with the function was resolved by using late binding:
the function can be called from a driver, but the driver must find the address of the
function at run time.
I now have the following situation with the function:
I can call the function to retrieve information about any running process,
but I get a BSOD when I try to call the function for a newly created process -
my guess is that I try to retrieve module information from the new process “too
early”, i.e. before the system has finished working with the same data structures.

The question is - how can I know when it’s safe to call
RtlQueryProcessDebugInformation for a given process?
So far I have tried to call the function in the following cases:
1. When ZwCreateProcess finished its work with success.
2. When ZwCreateThread created the primary thread for the new process.
3. From a work item that was created at (2).

In all cases I got BSODs…

