More specifically, I'm looking for info on PsSetCreateProcessNotifyRoutine.
When the driver function gets notification of this, has the primary thread for the process already been created?
If so, shouldn't I be able to get the thread handle and suspend it?
Any guidance would be great.
Thanks
Check this, maybe it will help you:
http://www.thecodeproject.com/threads/procmon.asp
Look at the Four-F ProcessMon source:
http://wasm.ru/pub/21/files/kmd14.zip
It is 100% assembly :-D