커널에서 프로세스, 모듈 생성 알림
노트패드 실행시 다음과 같이 실행된다.

#include "ntddk.h"
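/*
 * Process create/exit notification callback, registered with
 * PsSetCreateProcessNotifyRoutine in DriverEntry and removed again
 * in MyDriverUnload.
 *
 * parentid  - id of the parent process (not used here).
 * ProcessId - id of the process being created or exiting.
 * Create    - TRUE when the process is being created, FALSE on exit.
 *
 * The routine only logs the event; it does not block or modify the
 * process.
 */
void ProcessNotifyCallBackROutine(
    IN HANDLE parentid, IN HANDLE ProcessId, IN BOOLEAN Create
) {
    UNREFERENCED_PARAMETER(parentid);

    /* HANDLE is pointer-sized, so "%d" does not match it (and prints
     * garbage on 64-bit builds). HandleToULong yields the numeric PID
     * as shown by user-mode tools, which "%lu" formats correctly. */
    if (Create) {
        DbgPrint("%lu processis Create\n", HandleToULong(ProcessId));
    } else {
        DbgPrint("%lu processis delteing\n", HandleToULong(ProcessId));
    }
}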
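/*
 * Image load notification callback, registered with
 * PsSetLoadImageNotifyRoutine in DriverEntry.
 *
 * FullmageName - full path of the image being mapped; may be NULL.
 * Processid    - id of the process the image is mapped into.
 * imageinfo    - additional image details (not used here).
 *
 * DbgPrint's "%ws" needs a NUL-terminated string and a UNICODE_STRING
 * buffer is not guaranteed to carry one, so a terminated copy is made
 * for the duration of the log call and freed immediately afterwards.
 */
void LoadImageCallBackCallBackRoutine(
    IN PUNICODE_STRING FullmageName, IN HANDLE Processid, IN PIMAGE_INFO imageinfo
) {
    WCHAR* pwsName = NULL;
    SIZE_T cbName;

    UNREFERENCED_PARAMETER(imageinfo);

    if (FullmageName == NULL || FullmageName->Buffer == NULL) {
        return;
    }

    /* Length is in bytes; one extra WCHAR holds the terminator. */
    cbName = (SIZE_T)FullmageName->Length + sizeof(WCHAR);

    /* Tagged allocation so the pool usage is attributable to this
     * driver. Allocation can fail; dereferencing NULL in a kernel
     * callback would bugcheck the machine. */
    pwsName = (WCHAR*)ExAllocatePoolWithTag(NonPagedPool, cbName, 'gmIL');
    if (pwsName == NULL) {
        return;
    }

    RtlCopyMemory(pwsName, FullmageName->Buffer, FullmageName->Length);
    pwsName[FullmageName->Length / sizeof(WCHAR)] = L'\0';

    /* HANDLE is pointer-sized; "%d" would not match it. */
    DbgPrint("%lu Process id %ws is loading \n", HandleToULong(Processid), pwsName);

    ExFreePoolWithTag(pwsName, 'gmIL');
}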
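/*
 * Driver unload routine. Undoes the registrations made in DriverEntry
 * so the kernel never calls back into code that has been unmapped.
 *
 * DriverObject - this driver's object (not needed for the removal).
 */
void MyDriverUnload(
    IN PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);

    /* TRUE = remove the previously registered process callback. */
    PsSetCreateProcessNotifyRoutine(ProcessNotifyCallBackROutine, TRUE);
    PsRemoveLoadImageNotifyRoutine(LoadImageCallBackCallBackRoutine);
}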
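/*
 * Driver entry point: installs the unload routine and registers the
 * process and image-load notification callbacks.
 *
 * DriverObject - this driver's object; its DriverUnload is set here.
 * registrypath - the driver's registry service key (not used).
 *
 * Returns STATUS_SUCCESS, or the failure status of the registration
 * that did not succeed. On failure every registration that did
 * succeed is rolled back, because DriverUnload is not invoked for a
 * driver whose DriverEntry fails.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING registrypath) {
    NTSTATUS status;

    UNREFERENCED_PARAMETER(registrypath);

    KdPrint(("Driver Load \n"));
    DriverObject->DriverUnload = MyDriverUnload;

    /* Both registrations return NTSTATUS and can fail (for example
     * when the kernel refuses the callback registration); ignoring the
     * status would leave the unload path removing routines that were
     * never installed. */
    status = PsSetCreateProcessNotifyRoutine(ProcessNotifyCallBackROutine, FALSE);
    if (!NT_SUCCESS(status)) {
        KdPrint(("PsSetCreateProcessNotifyRoutine failed: 0x%08X\n", status));
        return status;
    }

    status = PsSetLoadImageNotifyRoutine(LoadImageCallBackCallBackRoutine);
    if (!NT_SUCCESS(status)) {
        KdPrint(("PsSetLoadImageNotifyRoutine failed: 0x%08X\n", status));
        /* Roll back the first registration before failing the load. */
        PsSetCreateProcessNotifyRoutine(ProcessNotifyCallBackROutine, TRUE);
        return status;
    }

    return STATUS_SUCCESS;
}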