swwwolf/CreateProcessNotify.c

## CreateProcessNotify.c
typedef NTSTATUS (NTAPI* PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC)(
    IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
    IN BOOLEAN Remove);

NTSTATUS SetCreateProcessNotifyRoutine(VOID) {
    NTSTATUS                               status;
    UNICODE_STRING                         szCreateProcessEx = { 0 };
    PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC pCreateProcessEx  = NULL;

    PAGED_CODE();

    RtlInitUnicodeString(&szCreateProcessEx, L"PsSetCreateProcessNotifyRoutineEx");
    pCreateProcessEx = (PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC)MmGetSystemRoutineAddress(&szCreateProcessEx);

    if ( pCreateProcessEx )
        status = pCreateProcessEx(CreateProcessNotifyRoutineEx, FALSE);
    else
        status = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, FALSE);

    return status;
}

VOID CreateProcessNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create) {
    PAGED_CODE();
    KdPrint(("CreateProcessNotifyRoutine called with ParentId = 0x%08X, ProcessId = 0x%08X, Create = %d\n", ParentId, ProcessId, Create));
}

VOID CreateProcessNotifyRoutineEx(__inout PEPROCESS Process, __in HANDLE ProcessId, __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo) {
    PAGED_CODE();
    KdPrint(("CreateProcessNotifyRoutineEx called with Process = 0x%08X, ProcessId = 0x%08X\n", Process, ProcessId));
}
	typedef NTSTATUS (NTAPI* PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC)(
	IN PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
	IN BOOLEAN Remove);

	NTSTATUS SetCreateProcessNotifyRoutine(VOID) {
	NTSTATUS status;
	UNICODE_STRING szCreateProcessEx = { 0 };
	PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC pCreateProcessEx = NULL;

	PAGED_CODE();

	RtlInitUnicodeString(&szCreateProcessEx, L"PsSetCreateProcessNotifyRoutineEx");
	pCreateProcessEx = (PSSETCREATEPROCESSNOTIFYROUTINEEX_PROC)MmGetSystemRoutineAddress(&szCreateProcessEx);

	if ( pCreateProcessEx )
	status = pCreateProcessEx(CreateProcessNotifyRoutineEx, FALSE);
	else
	status = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, FALSE);

	return status;
	}

	VOID CreateProcessNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create) {
	PAGED_CODE();
	KdPrint(("CreateProcessNotifyRoutine called with ParentId = 0x%08X, ProcessId = 0x%08X, Create = %d\n", ParentId, ProcessId, Create));
	}

	VOID CreateProcessNotifyRoutineEx(__inout PEPROCESS Process, __in HANDLE ProcessId, __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo) {
	PAGED_CODE();
	KdPrint(("CreateProcessNotifyRoutineEx called with Process = 0x%08X, ProcessId = 0x%08X\n", Process, ProcessId));
	}