个人认为 Ps 是 process security 的缩写(注:微软文档将 Ps 前缀的例程归入进程与线程管理器,即 Process and Thread Manager)。

 

PsSetCreateProcessNotifyRoutineEx相关

    // Register the process-creation callback, choosing the API by OS version.
    // The second argument is the Remove flag: FALSE registers the routine.
    // When Driver_OsVersion is at least DRIVER_WINDOWS_7 the Ex variant is used;
    // its callback receives PS_CREATE_NOTIFY_INFO, whose CreationStatus field
    // lets the driver deny a process creation rather than only observe it.
    // NOTE(review): PsSetCreateProcessNotifyRoutineEx fails with
    // STATUS_ACCESS_DENIED unless the driver image is linked with
    // /INTEGRITYCHECK; the check of `status` is not visible in this excerpt.
    if (Driver_OsVersion >= DRIVER_WINDOWS_7) {

        status = PsSetCreateProcessNotifyRoutineEx(Process_NotifyProcessEx, FALSE);
    }
#ifdef XP_SUPPORT
    else { // XP, Vista

        // Legacy (non-Ex) registration, compiled only when XP_SUPPORT is
        // defined; this callback is notified but cannot block the creation.
        status = PsSetCreateProcessNotifyRoutine(Process_NotifyProcess, FALSE);
    }
    // NOTE: the matching #endif lies outside this excerpt.

  

 

PsSetCreateThreadNotifyRoutine相关


    // Register the thread notify callback; bail out of the enclosing
    // routine with FALSE if the kernel refuses the registration.
    status = PsSetCreateThreadNotifyRoutine(Thread_Notify);

    if (!NT_SUCCESS(status)) {

        // too many notify routines are already installed in the system
        Log_Status(MSG_PROCESS_NOTIFY, 0x33, status);
        return FALSE;
    }

    // Record the successful registration.
    Thread_NotifyInstalled = TRUE;

  

PsSetLoadImageNotifyRoutine相关

    //
    // install image notify routines; on failure log the status and give up
    //

    status = PsSetLoadImageNotifyRoutine(Process_NotifyImage);
    if (!NT_SUCCESS(status)) {
        Log_Status(MSG_PROCESS_NOTIFY, 0x22, status);
        return FALSE;
    }

    // Remember the registration so removal is attempted only when it succeeded.
    Process_NotifyImageInstalled = TRUE;

  

    // Remove the image-load callback only if it was registered earlier.
    // A driver has to remove its notify routines before its code is
    // unloaded, otherwise the kernel would call into freed memory.
    if (Process_NotifyImageInstalled != FALSE) {
        PsRemoveLoadImageNotifyRoutine(Process_NotifyImage);
        Process_NotifyImageInstalled = FALSE;
    }