监控下一个进程的创建过程，关键函数的执行先后关系如下： XP sp3下: 1.NtCreateProcessEx 2.NtCreateThread 3.CreateProcessNotify，调用创建进程回调函数，在PspCreateThread中调用 4.CreateThreadNotify，调用创建线程回调函数，在PspCreateThread中调用

NT/2K provides a set of APIs, known as "Process Structure Routines" [2] exported by NTOSKRNL. One of these APIs PsSetCreateProcessNotifyRoutine() offers the ability to register system-wide callback function which is call