PsSetCreateProcessNotifyRoutineEx和PsSetLoadImageNotifyRoutine日志记录

分别使用如下方法进行回调设置：

    NTSTATUS Status = PsSetCreateProcessNotifyRoutineEx(&InjCreateProcessNotifyRoutineEx, FALSE);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }

    //加载映射
    Status = PsSetLoadImageNotifyRoutine(&InjLoadImageNotifyRoutine);
    if (!NT_SUCCESS(Status))
    {
        //失败了，取消进程的回调
        PsSetCreateProcessNotifyRoutineEx(&InjCreateProcessNotifyRoutineEx, TRUE);
    }

对于创建进程：

//进程创建
VOID InjCreateProcessNotifyRoutineEx(
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
）
{
    if (CreateInfo)
    {
        KdPrint(("[Procss] %wZ\n", CreateInfo->ImageFileName));
        }
}

对于Image加载:

//映像加载
VOID InjLoadImageNotifyRoutine(
    _In_opt_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    KdPrint(("[img]%wZ %d,%p\n", FullImageName, (ULONG)(ULONG_PTR)ProcessId, ImageInfo));
}

以打开一个记事本为例，输出日志如下：

[Procss] \??\C:\Windows\system32\notepad.exe
[img]\Windows\System32\policymanager.dll 4732,FFFFD280A58E5AB8
[img]\Device\HarddiskVolume4\Windows\System32\notepad.exe 2264,FFFFD280A69976C0
[img]\Windows\System32\deviceaccess.dll 332,FFFFD280A528E6F8
[img]\SystemRoot\System32\ntdll.dll 2264,FFFFD280A69976C0
[img]\Windows\System32\aepic.dll 332,FFFFD280A528E6F8