windowskernel

PsSetCreateProcessNotifyRoutineEx vs PsSetCreateProcessNotifyRoutine


PsSetCreateProcessNotifyRoutineEx is returning successfully; however, whenever a new process is created, the callback function CreateProcessNotifyEx isn't being called. On the other hand, if I use PsSetCreateProcessNotifyRoutine instead, the callback function CreateProcessNotify is called. Why is it that when I replace PsSetCreateProcessNotifyRoutine with PsSetCreateProcessNotifyRoutineEx and CreateProcessNotify with CreateProcessNotifyEx, the OS seems not to notify my kernel driver when a new process is about to be created?

This code is written from memory, as I'm at home right now.

**Class.cpp:**

```cpp
#include <ntddk.h>

// The Ex callback must be a free function (or a static member): a non-static
// member function cannot be passed as a PCREATE_PROCESS_NOTIFY_ROUTINE_EX.
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    UNREFERENCED_PARAMETER(CreateInfo);
    // Code that never occurs (breakpoint doesn't arrive)
}

Class::Class()
{
    // Other person's code
    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutineEx failed: 0x%08X\n", status);
    }
    // More of other people's code
}
```

**Class.h**
(The header is included because the code originally used PsSetCreateProcessNotifyRoutine.)

```cpp
#include <ntddk.h>

// Prototype of the Ex callback; the third parameter is PPS_CREATE_NOTIFY_INFO.
VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo);
```

Solution

  • The documentation for PsSetCreateProcessNotifyRoutineEx states that the module containing the callback must have the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag set in the PE header. Not having that flag will cause the API to return STATUS_ACCESS_DENIED.

    IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY:

    Code integrity checks are forced. If you set this flag and a section contains only uninitialized data, set the PointerToRawData member of IMAGE_SECTION_HEADER for that section to zero; otherwise, the image will fail to load because the digital signature cannot be verified.

    Use the linker's /INTEGRITYCHECK switch to enable it.