The Windows kernel provides driver callback notifications to inform drivers about various system events, including the creation of new processes and threads, and the loading of new images (modules) into memory. Drivers register for these callbacks using APIs like PsSetCreateProcessNotifyRoutineEx() for process creation, PsSetCreateThreadNotifyRoutineEx() for thread creation, and PsSetLoadImageNotifyRoutine() for image load notifications.
The registrations are stored in separate tables, each holding a list of pointers to EX_CALLBACK_ROUTINE_BLOCK structures. EX_CALLBACK_ROUTINE_BLOCK is an undocumented structure used to store information about registered callbacks for new process, new thread, and load image notifications.
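typedef struct _EX_CALLBACK_ROUTINE_BLOCK
{
    EX_RUNDOWN_REF RundownProtect;   // rundown protection for the block
    PEX_CALLBACK_FUNCTION Function;  // the registered callback routine
    PVOID Context;                   // context value kept with the registration
} EX_CALLBACK_ROUTINE_BLOCK, *PEX_CALLBACK_ROUTINE_BLOCK;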
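
For memory forensics, the Function field is what lets an analyst attribute each registered callback to a loaded driver. The following user-mode sketch is an added example, not code from the original page or from Windows: it audits a constructed snapshot of one callback table and flags entries whose Function lies in no known module. The names MODULE_RANGE, BLOCK_AT, owner_of and audit_table are hypothetical, all addresses are made up, and masking the low 4 bits of each slot is an assumption about the x64 table layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Page's structure as it appears in a 64-bit memory image (pointers as integers). */
typedef struct { uint64_t RundownProtect, Function, Context; } BLOCK_IMAGE;
typedef struct { const char *name; uint64_t base, size; } MODULE_RANGE; /* hypothetical */
typedef struct { uint64_t va; BLOCK_IMAGE block; } BLOCK_AT;            /* hypothetical */

#define FAST_REF_MASK 0xFULL /* assumption: x64 slots carry a ref count in the low 4 bits */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample snapshot: every name and address below is made up. */
static const MODULE_RANGE sample_modules[] = {
    { "ntoskrnl.exe", 0xFFFFF80000000000ULL, 0x1000000ULL },
    { "sensor.sys",   0xFFFFF80010000000ULL, 0x40000ULL },
};
static const BLOCK_AT sample_blocks[] = {
    { 0xFFFF900000001000ULL, { 0, 0xFFFFF80000123450ULL, 0 } },
    { 0xFFFF900000002000ULL, { 0, 0xFFFFF80010001200ULL, 0 } },
    { 0xFFFF900000003000ULL, { 0, 0xFFFFA00000004000ULL, 0 } }, /* in no module */
};
static const uint64_t sample_table[] = { /* 0 = empty slot */
    0xFFFF90000000100FULL, 0xFFFF90000000200FULL, 0, 0xFFFF90000000300FULL,
};

/* Name of the module whose range contains fn, or NULL if none does. */
const char *owner_of(uint64_t fn) {
    for (size_t i = 0; i < COUNT(sample_modules); i++)
        if (fn - sample_modules[i].base < sample_modules[i].size)
            return sample_modules[i].name;
    return NULL;
}

/* Walk the table; return registered count, store count of unattributed callbacks. */
int audit_table(const uint64_t *tbl, size_t n, int *unowned) {
    int registered = 0;
    *unowned = 0;
    for (size_t slot = 0; slot < n; slot++) {
        uint64_t va = tbl[slot] & ~FAST_REF_MASK; /* strip ref-count bits */
        for (size_t b = 0; va && b < COUNT(sample_blocks); b++) {
            if (sample_blocks[b].va != va) continue;
            const char *who = owner_of(sample_blocks[b].block.Function);
            printf("slot %zu: Function=0x%llx owner=%s\n", slot,
                   (unsigned long long)sample_blocks[b].block.Function,
                   who ? who : "UNKNOWN (review)");
            registered++;
            if (!who) (*unowned)++;
        }
    }
    return registered;
}

int main(void) { int u; return audit_table(sample_table, COUNT(sample_table), &u) ? 0 : 1; }
```

A callback that resolves to no loaded module is a lead for review rather than a verdict; the same walk applies to each of the three tables.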