The following is based on the Hacker Defense 2012 bound volume, page 354.
MSDN quote:
The PsSetCreateProcessNotifyRoutineEx routine registers or removes a callback routine that notifies the caller when a process is created or exits.

    NTSTATUS
    PsSetCreateProcessNotifyRoutineEx(
        __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
        __in BOOLEAN Remove
    );
Through this routine you register a callback function that is invoked on process creation, which is far more convenient than hooking. The callback has the following form (CreateProcessNotifyEx):
    VOID CreateProcessNotifyEx(
        __inout PEPROCESS Process,
        __in HANDLE ProcessId,
        __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo
    );
MSDN describes CreateInfo as follows:
If this parameter is non-NULL, a new process is being created, and CreateInfo points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting.
In other words, NULL means the process is exiting; non-NULL means a process is being created. The structure contains:
    typedef struct _PS_CREATE_NOTIFY_INFO {
        __in SIZE_T Size;
        union {
            __in ULONG Flags;
            struct {
                __in ULONG FileOpenNameAvailable : 1;
                __in ULONG Reserved : 31;
            };
        };
        __in HANDLE ParentProcessId;              // PID of the creator (parent) process
        __in CLIENT_ID CreatingThreadId;
        __inout struct _FILE_OBJECT *FileObject;
        __in PCUNICODE_STRING ImageFileName;      // full path of the process being created
        __in_opt PCUNICODE_STRING CommandLine;
        __inout NTSTATUS CreationStatus;          // set to an error status to veto the creation
    } PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
Test results:
Attached is the original author's code (with some comments of my own added):

    // The following two function declarations can be used (the kernel exports them, but they are not in the public headers):
    NTKERNELAPI PCHAR PsGetProcessImageFileName(PEPROCESS Process);
    NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);

    PCHAR GetProcessNameByProcessId(HANDLE ProcessId)
    {
        NTSTATUS  st = STATUS_UNSUCCESSFUL;
        PEPROCESS processObj = NULL;
        PCHAR     name = NULL;

        st = PsLookupProcessByProcessId(ProcessId, &processObj);
        if (NT_SUCCESS(st)) {
            // Pointer into the EPROCESS: the short image name only, not a full path.
            name = PsGetProcessImageFileName(processObj);
            ObDereferenceObject(processObj);
        }
        return name;
    }

    VOID NotifyCreateProcess(
        __inout PEPROCESS Process,                  // EPROCESS of the process being created (or exiting); its image name is the EXE name without the path
        __in HANDLE ProcessId,                      // PID of the process being created (or exiting)
        __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo  // on creation: holds the full path of the new process; NULL on exit
        )
    {
        if (CreateInfo) {
            // DbgPrint("param ProcessId is %d\n", ProcessId);                          // PID of the created process
            // DbgPrint("param process is %s\n", PsGetProcessImageFileName(Process));
            DbgPrint("parent %s (PID %u) created process %wZ\n",
                     GetProcessNameByProcessId(CreateInfo->ParentProcessId),
                     (ULONG)(ULONG_PTR)CreateInfo->ParentProcessId,
                     CreateInfo->ImageFileName);
            if (_stricmp("calc.exe", PsGetProcessImageFileName(Process)) == 0) {
                DbgPrint("forbidding start calc.exe!\n");
                CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;  // veto the creation
            }
        } else {
            DbgPrint("Process %s exit\n", PsGetProcessImageFileName(Process));
        }
    }
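The callback above makes its decision from PsGetProcessImageFileName(Process), which is the short image name stored in EPROCESS rather than the full path. As an added example (not the page's or the magazine author's code), the same veto decision is written here against CreateInfo->ImageFileName, the full image path from PS_CREATE_NOTIFY_INFO, honouring FileOpenNameAvailable and the NULL-on-exit rule; the type definitions are hosted stand-ins so it compiles outside the WDK (assumption: in a driver they come from ntddk.h, with the real structure layout, and only the two policy functions are carried over).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>
/* Hosted stand-ins for WDK types (assumption: a driver takes these from ntddk.h). */
typedef int32_t NTSTATUS; typedef uint32_t ULONG;
typedef uint16_t WCHAR, USHORT;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
/* Only the fields the decision touches; this is not the real layout of PS_CREATE_NOTIFY_INFO. */
typedef struct _PS_CREATE_NOTIFY_INFO {
    ULONG            FileOpenNameAvailable;  /* 0: ImageFileName is not reliable */
    PCUNICODE_STRING ImageFileName;          /* full path; counted, not NUL-terminated */
    NTSTATUS         CreationStatus;         /* set to an error status to veto creation */
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

/* Case-insensitive match of the last path component of a UNICODE_STRING against an ASCII name. */
static int image_basename_equals(PCUNICODE_STRING s, const char *name)
{
    size_t n = s->Length / sizeof(WCHAR), start = 0, i;
    for (i = 0; i < n; i++)
        if (s->Buffer[i] == '\\' || s->Buffer[i] == '/') start = i + 1;
    if (n - start != strlen(name)) return 0;
    for (i = start; i < n; i++)
        if (s->Buffer[i] > 0x7F ||
            tolower(s->Buffer[i]) != tolower((unsigned char)name[i - start])) return 0;
    return 1;
}

/* Callback policy: returns 1 when the creation was vetoed. A NULL CreateInfo is an exit
 * notification (no CreationStatus exists), so nothing is decided there. */
int apply_create_policy(PPS_CREATE_NOTIFY_INFO info, const char *blocked_exe)
{
    if (info == NULL || !info->FileOpenNameAvailable || info->ImageFileName == NULL) return 0;
    if (!image_basename_equals(info->ImageFileName, blocked_exe)) return 0;
    info->CreationStatus = STATUS_ACCESS_DENIED;
    return 1;
}

/* Runs the policy on a constructed notification for `path`; returns 1 if it was vetoed with STATUS_ACCESS_DENIED. */
int demo(const char *path, ULONG name_available, const char *blocked_exe)
{
    WCHAR buf[128]; USHORT i = 0;
    while (path[i] && i < 128) { buf[i] = (WCHAR)(unsigned char)path[i]; i++; }
    UNICODE_STRING name = { (USHORT)(i * sizeof(WCHAR)), (USHORT)sizeof(buf), buf };
    PS_CREATE_NOTIFY_INFO info = { name_available, &name, STATUS_SUCCESS };
    return apply_create_policy(&info, blocked_exe) && info.CreationStatus == STATUS_ACCESS_DENIED;
}
```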
Monitoring process creation on 64-bit Windows without hooks