PsSetCreateProcessNotifyRoutine

PsSetCreateProcessNotifyRoutine adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted.

NTSTATUS PsSetCreateProcessNotifyRoutine(
IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
IN BOOLEAN Remove
);

Parameters

NotifyRoutine
Specifies the entry point of a caller-supplied process-creation callback routine.

Remove
Indicates whether the routine specified by NotifyRoutine should be added to or removed from the system's list of notification routines. If FALSE, the specified routine is added to the list. If TRUE, the specified routine is removed from the list.

Include
ntddk.h
2. You can use Toolhelp to periodically enumerate the process list.
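The polling approach in item 2, as an added example that is not code from the original post: diff_snapshots() compares two process-list snapshots to find created and exited PIDs; on Windows take_snapshot() uses the real Toolhelp calls (CreateToolhelp32Snapshot, Process32First, Process32Next), elsewhere it returns a constructed PID list so the diff can be exercised offline. The comments point out the blind spots a poller has that the kernel callback above does not.

```c
/* Added example, not code from the original post: periodic process-list
 * polling with Toolhelp (item 2 above). diff_snapshots() is portable; on
 * Windows take_snapshot() calls Toolhelp, elsewhere it returns constructed PIDs. */
#include <stddef.h>
#include <string.h>
#define MAX_PIDS 4096
typedef struct { unsigned long pids[MAX_PIDS]; size_t count; } snapshot_t;
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Collect the PID of every process alive at this instant. */
static int take_snapshot(snapshot_t *snap) {
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe = { sizeof pe };           /* dwSize must be set first */
    if (h == INVALID_HANDLE_VALUE) return -1;
    snap->count = 0;
    if (Process32First(h, &pe)) {
        do {
            if (snap->count < MAX_PIDS) snap->pids[snap->count++] = pe.th32ProcessID;
        } while (Process32Next(h, &pe));
    }
    CloseHandle(h);
    return 0;
}
#else
/* Constructed stand-in for non-Windows builds (assumed PIDs, not real data). */
static int take_snapshot(snapshot_t *snap) {
    static const unsigned long fake[] = { 4, 512, 1336, 2048 };
    snap->count = sizeof fake / sizeof fake[0];
    memcpy(snap->pids, fake, sizeof fake);
    return 0;
}
#endif
static int contains(const snapshot_t *s, unsigned long pid) {
    for (size_t i = 0; i < s->count; i++) if (s->pids[i] == pid) return 1;
    return 0;
}
/* PIDs in `now` but not in `before` were created; the reverse set exited.
 * Returns the total number of changes. A process that starts and exits between
 * two polls is invisible here, and a reused PID looks unchanged; the
 * PsSetCreateProcessNotifyRoutine callback has neither blind spot. */
static size_t diff_snapshots(const snapshot_t *before, const snapshot_t *now,
        unsigned long *created, size_t *ncreated, unsigned long *exited, size_t *nexited) {
    *ncreated = *nexited = 0;
    for (size_t i = 0; i < now->count; i++)
        if (!contains(before, now->pids[i])) created[(*ncreated)++] = now->pids[i];
    for (size_t i = 0; i < before->count; i++)
        if (!contains(now, before->pids[i])) exited[(*nexited)++] = before->pids[i];
    return *ncreated + *nexited;
}
```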
You can intercept the following