[R00tKit]

i hook one service in SSDT for example ZwCreateFile , i use ioctl to send my Desired PID ( notepad.exe ) to kernel mode and use PsGetCurrentProcessId in my faked function to figure out Whether my Desired process (notepad.exe) Call the hook service , is any other method to find current(caller) process name?
and

Code: Select all

if(myPEID==PsGetCurrentProcessId  ())

when above if is true notify my user mode process ( process load driver and send IOCTL ) to call one function how?


i think will use Event

[EP_X0FF]

Filters: User / Kernel Communication Model

[Alex]

To obtain an image name of a current process you can use PsGetProcessImageFileName(PsGetCurrentProcess()); And to notify user mode thread you can use events - Sharing Is Caring - Sharing Events Between Kernel-User Mode with combination of named section objects (if you need share some data) - How To Share Memory Between User Mode and Kernel Mode, Shared Memory – BTW User-Mode and Kernel-Mode (Section Object).