A forum for reverse engineering, OS internals and malware analysis 

 #23571  by Carlbyte
 Mon Aug 11, 2014 12:04 am
Is there a documented way to monitor APC messages and context switches? Currently I do this using a hook procedure, but I wonder if there is a callback function that does this monitoring.

Something like the "CmRegisterCallback" routine used to monitor the registry.
 #23584  by EP_X0FF
 Mon Aug 11, 2014 3:24 pm
Carlbyte wrote: Is there a documented way to monitor APC messages and context switches? Currently I do this using a hook procedure, but I wonder if there is a callback function that does this monitoring.

Something like the "CmRegisterCallback" routine used to monitor the registry.
Do you mean something like KiSwapContextCallback?
You have only a system information subset here.

What about APCs, well, Windows doesn't even have a way to simply query whether a thread is alertable (maybe some undocumented stuff was released in Win8.1, I didn't check), neither documented nor semi-documented, except direct access to ETHREAD->KTHREAD->Alertable from KM.

All these are hacks, so hook and enjoy.
 #23587  by Vrtule
 Mon Aug 11, 2014 5:58 pm
Hello,

if you are interested in monitoring normal user APCs targeted at a certain application, you can hook ntdll!KiUserApcDispatcher in its address space.
 #23594  by Carlbyte
 Tue Aug 12, 2014 1:01 am
Thanks guys ...

I read something about problems trying to hook in new versions of Windows. Something about Microsoft having created a tool to monitor the system and overturn drivers that make hooks. What is this issue?
 #23599  by Vrtule
 Tue Aug 12, 2014 11:37 am
Carlbyte wrote: Thanks guys ...

I read something about problems trying to hook in new versions of Windows. Something about Microsoft having created a tool to monitor the system and overturn drivers that make hooks. What is this issue?
This mechanism is called PatchGuard and has been present since Windows XP x64 on all 64-bit versions of Windows. It looks for modifications made to certain drivers (ntoskrnl.exe, ntfs.sys...) and data structures (SSDT, IDT, GDT...). When it detects such a modification, a BSOD occurs.

Although it prevents code modifications, you may still be able to modify global variables of a driver that is under monitoring. Perhaps some of them are monitored too, but not all of them.