个人认为 Ps 是 process security 的缩写(注:按微软内核例程的前缀约定,Ps 一般指负责进程与线程管理的组件,即 process structure / process manager,而不是 process security)。
PsSetCreateProcessNotifyRoutineEx相关
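/*
 * Register the process-creation callback, selecting the API by OS version.
 * Windows 7 and later take the Ex variant with Process_NotifyProcessEx;
 * the older API with Process_NotifyProcess is compiled in only when
 * XP_SUPPORT is defined. The second argument is Remove: FALSE registers
 * the routine, TRUE would unregister it.
 *
 * The Ex callback receives a PS_CREATE_NOTIFY_INFO and may veto a process
 * creation through its CreationStatus field; whether Process_NotifyProcessEx
 * does so is not visible in this excerpt.
 *
 * NOTE(review): PsSetCreateProcessNotifyRoutineEx fails with
 * STATUS_ACCESS_DENIED unless the driver image is linked with
 * /INTEGRITYCHECK, so status must be tested with NT_SUCCESS before the
 * driver treats the callback as installed. That check is not part of this
 * excerpt -- confirm it follows in the enclosing function.
 */
if (Driver_OsVersion >= DRIVER_WINDOWS_7) {
    status = PsSetCreateProcessNotifyRoutineEx(Process_NotifyProcessEx, FALSE);
}
#ifdef XP_SUPPORT
else { // XP, Vista
    status = PsSetCreateProcessNotifyRoutine(Process_NotifyProcess, FALSE);
}
#endif // XP_SUPPORT -- the excerpt left this conditional unterminated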
PsSetCreateThreadNotifyRoutine相关
/*
 * Register Thread_Notify as the system-wide thread notify routine.
 * On failure the status is logged under MSG_PROCESS_NOTIFY with sub-code
 * 0x33 and the enclosing function reports FALSE; on success the
 * Thread_NotifyInstalled flag records that the routine is registered.
 */
status = PsSetCreateThreadNotifyRoutine(Thread_Notify);
if (!NT_SUCCESS(status)) {
    // too many notify routines are already installed in the system
    Log_Status(MSG_PROCESS_NOTIFY, 0x33, status);
    return FALSE;
}
// presumably consulted at teardown before the routine is removed -- confirm
Thread_NotifyInstalled = TRUE;
PsSetLoadImageNotifyRoutine相关
//
// install image notify routines
//
// Process_NotifyImage is registered as the load-image notify routine.
// A failed registration is logged under MSG_PROCESS_NOTIFY with
// sub-code 0x22 and the enclosing function reports FALSE.
//
status = PsSetLoadImageNotifyRoutine(Process_NotifyImage);
if (!NT_SUCCESS(status)) {
    Log_Status(MSG_PROCESS_NOTIFY, 0x22, status);
    return FALSE;
}
// record the registration so that removal is attempted only when it succeeded
Process_NotifyImageInstalled = TRUE;
/*
 * Teardown counterpart of the image-notify registration: the routine is
 * removed only if the Process_NotifyImageInstalled flag says it was
 * registered, and the flag is then cleared so a second pass does nothing.
 *
 * NOTE(review): the NTSTATUS returned by PsRemoveLoadImageNotifyRoutine is
 * discarded here. A notify routine that stays registered after the driver
 * image is unloaded leaves the kernel calling into freed code, so this
 * removal has to run on every unload path -- confirm against the caller.
 */
if (Process_NotifyImageInstalled) {
PsRemoveLoadImageNotifyRoutine(Process_NotifyImage);
Process_NotifyImageInstalled = FALSE;
}