2012年7月5日星期四

PsSetCreateProcessNotifyRoutine.Cpp

extern "C"
{
#include <ntddk.h>
    NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess);
    UCHAR *PsGetProcessImageFileName( IN PEPROCESS Process );
}

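// Forward declaration: the callback is defined further down but is named here.
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate);

/**
 * Driver unload routine: removes the process-creation callback so the kernel
 * stops calling into this image after it has been unloaded.
 *
 * A DriverUnload routine receives a single PDRIVER_OBJECT. The original
 * (PDEVICE_OBJECT, PIRP) parameter list was a dispatch-routine shape, and the
 * PDRIVER_UNLOAD cast in DriverEntry hid the mismatch from the compiler. The
 * author's note says unloading crashed; the mismatched prototype is a
 * plausible contributor, but that has not been verified here.
 *
 * @param DriverObject  The driver object being unloaded (unused).
 */
VOID unload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    // TRUE = remove the routine registered in DriverEntry. The status is only
    // logged: an unload routine has no way to report failure to its caller.
    NTSTATUS status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsSetCreateProcessNotifyRoutine(remove) fail 0x%08X\n", status);
    }
}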

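/**
 * Process create/terminate notification callback (PCREATE_PROCESS_NOTIFY_ROUTINE).
 *
 * On creation: looks up the new process, logs its short image name together
 * with the parent and child ids, then drops the reference taken by the lookup.
 * On termination: logs the id only.
 *
 * @param hParentId  Id of the creating (parent) process.
 * @param PId        Id of the process being created or terminated.
 * @param bCreate    TRUE on creation, FALSE on termination.
 */
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate)
{
    // Process ids arrive as HANDLEs. Narrow them explicitly and print with %u;
    // passing a pointer-sized HANDLE to %d is a varargs mismatch on 64-bit.
    ULONG parentId = (ULONG)(ULONG_PTR)hParentId;
    ULONG procId   = (ULONG)(ULONG_PTR)PId;

    if (!bCreate)
    {
        DbgPrint("TERMINATED == PROCESS ID: %u\n", procId);
        return;
    }

    PEPROCESS EProcess = NULL;
    // The prototype in this file's extern "C" block declares the id as ULONG,
    // so a ULONG is passed here. The documented prototype takes HANDLE (as the
    // ntifs.h-based listing below does), which matters for 64-bit builds.
    NTSTATUS status = PsLookupProcessByProcessId(procId, &EProcess);
    if (!NT_SUCCESS(status))
    {
        return;
    }

    // Undocumented export (see its declaration above): yields the short image
    // file name, not a full path. Informational only - it is chosen by whoever
    // named the executable and is not a reliable identity of the image.
    UCHAR *lpCurProc = PsGetProcessImageFileName(EProcess);
    DbgPrint("CREATE PROCESS = PROCESS NAME: %s , PARENTID: %u, ID: %u\n", lpCurProc, parentId, procId);

    // The lookup returned a referenced object; release it before returning.
    ObDereferenceObject(EProcess);
}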

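/**
 * Driver entry point: installs the unload routine and registers the
 * process-creation callback.
 *
 * @param drvobj   Driver object supplied by the I/O manager.
 * @param regpath  Registry path of the driver's service key (unused).
 * @return STATUS_SUCCESS, or the failure status returned by
 *         PsSetCreateProcessNotifyRoutine (the load then fails instead of
 *         the driver running with no callback registered).
 */
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drvobj, PUNICODE_STRING regpath)
{
    UNREFERENCED_PARAMETER(regpath);

    // The cast accepts whatever prototype `unload` has; DriverUnload expects a
    // DRIVER_UNLOAD-shaped routine taking a single PDRIVER_OBJECT.
    drvobj->DriverUnload = (PDRIVER_UNLOAD)unload;

    // FALSE = register. Unlike the original, the status is checked so that a
    // failed registration is reported rather than silently ignored.
    NTSTATUS status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsSetCreateProcessNotifyRoutine fail 0x%08X\n", status);
        return status;
    }

    return STATUS_SUCCESS;
}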

/*
更多的,与此类似的还有:
CreateProcessNotifyEx(Windows Vista with (SP1), Windows Server 2008)
PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
*/

///////////////////////////////////////////////////////////////////////////////////////////////////////////
//改进版的,不会引起蓝屏。
//made at 2013.05.23

#include <ntifs.h>
//#include <ntddk.h> //这两个次序不能乱(乱会出错的),有上面的,这个可以注释掉。

UCHAR *PsGetProcessImageFileName( IN PEPROCESS Process ); //未公开的函数。

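/*
 * Process create/terminate notification callback (PCREATE_PROCESS_NOTIFY_ROUTINE).
 *
 * On creation: looks up the new process, logs its short image name together
 * with the parent and child ids, then drops the reference taken by the lookup.
 * On termination: logs the id only.
 *
 * hParentId - id of the creating (parent) process.
 * PId       - id of the process being created or terminated.
 * bCreate   - TRUE on creation, FALSE on termination.
 */
VOID ProcessCreateMon ( IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate )
{
    /* Process ids arrive as HANDLEs. Narrow them explicitly and print with %u;
     * passing a pointer-sized HANDLE to %d is a varargs mismatch on 64-bit. */
    ULONG parentId = (ULONG)(ULONG_PTR)hParentId;
    ULONG procId = (ULONG)(ULONG_PTR)PId;

    if ( bCreate )
    {
        PEPROCESS  EProcess = NULL;
        UCHAR     *lpCurProc;
        NTSTATUS   status = PsLookupProcessByProcessId(PId, &EProcess);
        if (NT_SUCCESS( status ))
        {
            /* Undocumented export (see its declaration above): yields the short
             * image file name, not a full path. Informational only - it is
             * chosen by whoever named the executable, not a reliable identity. */
            lpCurProc = PsGetProcessImageFileName(EProcess);
            DbgPrint( "CREATE PROCESS = PROCESS NAME: %s , PARENTID: %u, ID: %u\n", lpCurProc, parentId, procId);
            /* The lookup returned a referenced object; release it. */
            ObDereferenceObject(EProcess);
        }
    }
    else
    {
        DbgPrint( "TERMINATED == PROCESS ID: %u\n", procId);
    }
}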

DRIVER_UNLOAD Unload;
/*
 * Driver unload: removes the callback registered in DriverEntry
 * (TRUE = remove). A failure is only logged; there is nothing further an
 * unload routine can do about it.
 *
 * DriverObject - the driver object being unloaded (unused).
 */
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
    NTSTATUS rc;

    UNREFERENCED_PARAMETER(DriverObject);

    rc = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
    if (NT_SUCCESS( rc ))
    {
        return;
    }
    DbgPrint( "PsSetCreateProcessNotifyRoutine fail %d\n", rc);
}

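DRIVER_INITIALIZE DriverEntry;
/*
 * Driver entry point: installs the unload routine and registers the
 * process-creation callback.
 *
 * DriverObject - driver object supplied by the I/O manager.
 * RegistryPath - registry path of the driver's service key (unused).
 *
 * Returns STATUS_SUCCESS, or the failure status returned by
 * PsSetCreateProcessNotifyRoutine, in which case the load fails rather than
 * the driver running with no callback registered.
 */
NTSTATUS DriverEntry( __in struct _DRIVER_OBJECT  * DriverObject, __in PUNICODE_STRING  RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = Unload;

    /* FALSE = register the callback. */
    status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS( status ))
    {
        DbgPrint( "PsSetCreateProcessNotifyRoutine fail %d\n", status);
        return status;
    }

    /* STATUS_SUCCESS is 0; name it instead of returning a bare literal. */
    return STATUS_SUCCESS;
}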
