
I'm new to driver development and have been struggling with Microsoft's documentation for a while now.

I've been trying to develop a driver that detects the possibility of Process Hollowing by first detecting if a process is suspended or not, and then checking if the image is unmapped, but I can't find any way to get the flags of a process in kernel mode.

I looked into the NtQueryInformationProcess method, but it is for user mode, and if I try to use it, imports conflict with each other, since I'm using kernel and user mode imports (I believe).

The furthest I've gotten is using the CreateProcessNotifyEx routine, from which I take the PPS_CREATE_NOTIFY_INFO structure and check the Flags member, but apart from the documentation mentioning that this member is reserved and shouldn't be used, it always returns 11, implying that the Flags are the default ones when creating a process, even if I create processes with the CREATE_SUSPENDED flag and check that these processes are suspended in Task Manager.

Like I said, I'm using the CreateProcessNotifyEx and CreateProcessNotify routines to get notified of a new or exiting process.

Is there a way to do what I want in kernel mode or do I have to change the whole approach of my driver?
