Thread create messages?

[AraHaan]

So I would like to know if there is a way (as a driver) to see and detect when another process creates a thread in my process. This is for a notification to my process to update it’s internal thread counter that I put in place for the fun of it (or to tell the process to exit upon the call to CreateRemoteThread to my process).

I also would like to figure out to have my program init, and unit my driver upon closing and to feed data to/from it. If anyone here knows how that is done and how some well know online game anti-hacks do it with a dll and a device driver to detect suspicious programs running, debuggers, etc.

[wbenny]

You're probably looking for this: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine

...or "Ex" version: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreatethreadnotifyroutineex

[AraHaan]

Nice, thanks, now how about the process <-> driver communication?

Mainly because I would like my dll api to be able to load the driver, get it to do what it needs, then on it’s dll unload, tear down the driver.

[wumn290]

You're probably looking for this: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine

...or "Ex" version: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreatethreadnotifyroutineex

大佬， 我这边遇到了一个问题， 我用InjMethodThunk方法在win8.1的64位系统下启动不了32位进程， 你这边应该也可以重现， 大佬可以帮忙看下吗？