Regarding removing a thread-creation notify routine, I once asked about it on Shuimu Tsinghua.
At that time, the 2K source code seems to have been coming out of Hack, but a master is a master; see this answer:
Article Source: Shuimu Tsinghua
Sender: Soycola (Sauce Coke), Board: MSDN
Title: Re: Question about PsSetCreateThreadNotifyRoutine
Sending station: BBS Shuimu Tsinghua Station (Mon Nov 24 22:53:32 2003), transfer
This is indeed rather strange; then perhaps this, for 2000.
Principle: when PsSetCreateThreadNotifyRoutine returns,
EDX = ECX * 4 + PspCreateThreadNotifyRoutine; analyze
ntoskrnl and you will know.
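/*
 * Demo code of PsRemoveThreadNotifyProc()
 * By soycola@smth.org
 */

/* Register p, then recover the base of the notify array from the register
   values left behind when PsSetCreateThreadNotifyRoutine returns (2000 only). */
DWORD install_hook(PROC p)
{
    DWORD cookie;
    __asm {
        push p
        call PsSetCreateThreadNotifyRoutine
        or   eax, eax            ; non-zero status means registration failed
        jnz  __failed
        lea  eax, [edx-ecx*4]    ; base of PspCreateThreadNotifyRoutine
        mov  cookie, eax
        jmp  __next
    __failed:
        xor  eax, eax
        mov  cookie, eax
    __next:
    }
    return cookie;
}

/* Scan the 8 slots starting at cookie and clear the one that holds pp. */
BOOL remove_hook(DWORD cookie, PROC pp)
{
    int i;
    PROC *p;
    BOOL r = FALSE;
    KIRQL OldIrql;

    if (cookie == 0)             /* install_hook failed: nothing to scan */
        return FALSE;

    KeRaiseIrql(DISPATCH_LEVEL, &OldIrql);
    for (i = 0, p = (PROC *)cookie; i < 8; i++, p++) {
        if (*p == pp) {
            *p = 0;
            r = TRUE;
            break;
        }
    }
    KeLowerIrql(OldIrql);
    return r;
}

int main()
{
    DWORD cookie;
    /* p is the notify routine to register; it is not defined in this demo */
    cookie = install_hook(p);
    // do something
    // ....
    remove_hook(cookie, p);
    return 0;
}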
[In the post by zzzevazzz (primary machine, the aircraft!), it was mentioned:]
: How to cancel the callback function registered by PsSetCreateThreadNotifyRoutine()?
: For PsSetCreateProcessNotifyRoutine(
:     IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
:     IN BOOLEAN Remove
:     );
: But PsSetCreateThreadNotifyRoutine(
:     IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
:     );
: There is only one parameter.
: How to cancel?
: ...................
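
The pointer arithmetic behind the post's demo, as a user-mode model added here for illustration; it is not part of the original post and calls no kernel API. The names `table`, `model_register`, `model_install` and `model_remove` are hypothetical, and treating ECX as the slot index and EDX as the slot address is an assumption read off the `lea eax, [edx-ecx*4]` line.

```c
#include <stddef.h>

#define MAX_NOTIFY 8                 /* loop bound in the post's remove_hook */
typedef void (*notify_fn)(void);
static notify_fn table[MAX_NOTIFY];  /* hypothetical stand-in for PspCreateThreadNotifyRoutine */

/* Registration model: store fn in the first free slot and report the slot
 * address and index, the roles assumed here for EDX and ECX at return. */
static int model_register(notify_fn fn, notify_fn **slot, size_t *index)
{
    for (size_t i = 0; i < MAX_NOTIFY; i++) {
        if (table[i] == NULL) {
            table[i] = fn;
            *slot = &table[i];
            *index = i;
            return 0;                /* 0 = success, as the post's "or eax, eax" expects */
        }
    }
    return -1;                       /* all 8 slots in use */
}

/* install_hook model: base = slot - index, the C form of lea eax, [edx-ecx*4]. */
static notify_fn *model_install(notify_fn fn)
{
    notify_fn *slot;
    size_t index;
    if (model_register(fn, &slot, &index) != 0)
        return NULL;                 /* cookie 0 on failure, as in the post */
    return slot - index;
}

/* remove_hook model: scan the 8 slots from the recovered base, clear the match. */
static int model_remove(notify_fn *base, notify_fn fn)
{
    if (base == NULL || fn == NULL)  /* failed install, or a value that would match an empty slot */
        return 0;
    for (size_t i = 0; i < MAX_NOTIFY; i++) {
        if (base[i] == fn) {
            base[i] = NULL;
            return 1;
        }
    }
    return 0;
}

static void cb_a(void) {}
static void cb_b(void) {}

int main(void) { notify_fn *c = model_install(cb_a); (void)cb_b; return model_remove(c, cb_a) ? 0 : 1; }
```

Whichever slot a registration lands in, the recovered base is the same, which is why the post's loop can find any registered routine from a single cookie.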