
I recently started looking into the topics of Pico processes (see here and here). I also started reading the Windows Internals 7th Edition Part 1 book.

As stated in the book, currently there is no API available for creating custom Pico processes and providers. However, I thought it would be possible to create a Pico process or provider from within a kernel driver, since the definition of a Pico process is declared as:

[...] the idea of a Pico provider is defined, which is a custom kernel-mode driver that receives access to specialized kernel interfaces through the PsRegisterPicoProvider API. - Windows Internals 7th Edition Part 1, p. 68

Unfortunately, when creating a new kernel-mode driver in Visual Studio 2015 just like described here, there don't seem to be any available headers or interfaces which allow creating Pico processes and providers. I only seem to be able to write other kinds of KMDF projects.

Is there currently any way for developers to create and test custom Pico processes and providers in Windows?


1 Answer


Martin Hron wrote a little experiment with Pico Providers a couple of years ago. In it, he included some assembly references, header files, and external C interfaces that included a driver for a Pico Process monitor tool. I'm not sure if his code still works, but it can give you an insight into which headers and structs you'd need to interface with.

https://github.com/thinkcz/pico-toolbox

YMMV.
