Question

I need to get notification in a KMDF driver when processes go down. I do not want to use PsSetCreateProcessNotifyRoutine because that gives me notification for every process that is created or destroyed. I would like to know/get notification only when certain process IDs that I am interested in are destroyed/exit/deleted. (I don't care about process creations.)

One way I thought of doing this would be to share an application-created event with the driver. I will create a worker thread in the driver and make it wait on the user-created event, and when the application terminates, the wait will abort. Is this a good way to know when the process is terminated/closed, or are there more standard ways of doing this? I have read on some forums that sharing events is not a good idea and that I should use overlapped IOCTLs, but that won't work here, obviously.

Solution

Solved: this is what I did (my driver is a top-level monolithic driver):

  1. Used ZwOpenProcess with process ID to get a handle to the process.

  2. Used ObReferenceObjectByHandle with the process handle to get a dispatcher object.

  3. Created a system thread using PsCreateSystemThread and passed in the dispatcher object.

  4. Made the system thread created in the above step wait on the dispatcher object using KeWaitForSingleObject.

  5. Terminated the process programmatically, or caused an exception, or simply closed it using the X GUI button. All of them woke the system thread created.

This essentially gives me notification when processes of interest terminate.
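The five steps above, written out as an added kernel-mode C example (this is not the answerer's code). It assumes a WDM/KMDF driver built against ntddk.h; the names StartProcessWatch, WatchProcessThread and PROCESS_WATCH are the example's own. It goes one step beyond the answer by waiting on a stop event as well as the process object, so DriverUnload can wake the thread before the driver image is gone, and it closes the process handle as soon as the object reference is taken, since the wait is on the object, not the handle.

```c
#include <ntddk.h>

// Per-process watcher: the referenced process object to wait on, plus a stop
// event so DriverUnload can wake the thread before the driver image goes away.
typedef struct _PROCESS_WATCH {
    PEPROCESS Process;
    KEVENT    StopEvent;
    HANDLE    ThreadHandle;
} PROCESS_WATCH, *PPROCESS_WATCH;

// Step 4: wait on the process object (signaled when the process terminates) or
// on the stop event. Runs at PASSIVE_LEVEL in the system thread from step 3.
static VOID WatchProcessThread(_In_ PVOID Context)
{
    PPROCESS_WATCH watch = (PPROCESS_WATCH)Context;
    PVOID objects[2] = { watch->Process, &watch->StopEvent };
    NTSTATUS status = KeWaitForMultipleObjects(2, objects, WaitAny, Executive,
                                               KernelMode, FALSE, NULL, NULL);
    if (status == STATUS_WAIT_0) {
        DbgPrint("watched process %p has terminated\n", PsGetProcessId(watch->Process));
    }
    ObDereferenceObject(watch->Process);   // drop the reference taken in step 2
    PsTerminateSystemThread(STATUS_SUCCESS);
}

// Steps 1-3: open the process by ID, turn the handle into a referenced process
// object, close the handle, then start the thread that waits on the object.
NTSTATUS StartProcessWatch(_In_ HANDLE ProcessId, _Out_ PPROCESS_WATCH *OutWatch)
{
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid = { ProcessId, NULL };
    HANDLE processHandle;
    NTSTATUS status;
    PPROCESS_WATCH watch = ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(*watch), 'hctW');
    if (watch == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    KeInitializeEvent(&watch->StopEvent, NotificationEvent, FALSE);
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenProcess(&processHandle, SYNCHRONIZE, &oa, &cid); // waiting needs only SYNCHRONIZE
    if (!NT_SUCCESS(status)) goto fail;
    status = ObReferenceObjectByHandle(processHandle, SYNCHRONIZE, *PsProcessType,
                                       KernelMode, (PVOID *)&watch->Process, NULL);
    ZwClose(processHandle);                  // the wait is on the object, not the handle
    if (!NT_SUCCESS(status)) goto fail;
    status = PsCreateSystemThread(&watch->ThreadHandle, THREAD_ALL_ACCESS, NULL, NULL,
                                  NULL, WatchProcessThread, watch);
    if (!NT_SUCCESS(status)) { ObDereferenceObject(watch->Process); goto fail; }
    *OutWatch = watch;  // DriverUnload: KeSetEvent(&StopEvent), wait on ThreadHandle, then free
    return STATUS_SUCCESS;
fail:
    ExFreePoolWithTag(watch, 'hctW');
    return status;
}
```

Unloading while the thread is still blocked on the process object would leave a kernel thread running inside an unmapped image, which is why the stop event is part of the context rather than an afterthought.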

OTHER TIPS

Just use PsSetCreateProcessNotifyRoutine and check the ProcessId.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow