Tags: windows, kernel, hook, windows-kernel

How can I see API calls for specific processes in the Windows kernel driver?


If I use a callback routine function, I can get information such as threads, processes, and PEPROCESS, and I think I can use it, but I don't think so. Also, isn't it easy to monitor API calls for specific processes at the kernel level?

I tried to access the PEB structure using the user mode header in the kernel and do something about Flink in the LDR field, but BSOD appeared every time.


Solution

  • API call monitoring (API hooking) is quite different from kernel callbacks. If you are just interested in R3 API calls, you can use utils such as ApiMonitor or an R3 hooking engine like minhook/mhook/detours in your program. Kernel callbacks are provided by the Windows kernel to notify kernel drivers of crucial behaviors, especially for antivirus solutions. Please be aware that kernel hooking is prohibited by PatchGuard.

    For your second question, you need __try/__except to catch possible exceptions when accessing invalid memory. From the kernel's point of view, any user-mode memory pointer is untrustworthy and unsafe: either the pointer is invalid or the memory is not resident (paged out).
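As an added illustration of the answer's point (not code from the question or the answer), this is a user-mode C model of the probe-and-capture discipline a driver applies to every pointer received from user mode: range-check it the way ProbeForRead does, then copy the data into kernel-owned storage before validating or using any field. The constant and status names are assumptions mirroring the x64 kernel; in a real driver ProbeForRead raises an exception instead of returning a status, which is exactly why the copy is wrapped in __try/__except there.

```c
#include <stdint.h>
#include <string.h>

/* x64 value of MmUserProbeAddress (assumed for this model): user-mode
 * addresses must lie strictly below it. */
#define MM_USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

enum probe_status {
    PROBE_OK = 0,
    PROBE_ACCESS_VIOLATION,      /* models STATUS_ACCESS_VIOLATION */
    PROBE_DATATYPE_MISALIGNMENT  /* models STATUS_DATATYPE_MISALIGNMENT */
};

/* The range/alignment rules ProbeForRead enforces before a driver may
 * touch user memory: the start must honour the requested alignment, and
 * the range must neither wrap around nor reach the user probe address. */
enum probe_status probe_for_read(uint64_t addr, uint64_t len, uint64_t align)
{
    if (len == 0)
        return PROBE_OK;
    if (align && (addr & (align - 1)) != 0)
        return PROBE_DATATYPE_MISALIGNMENT;
    uint64_t end = addr + len;
    if (end < addr || end > MM_USER_PROBE_ADDRESS)
        return PROBE_ACCESS_VIOLATION;
    return PROBE_OK;
}

/* A request a driver might receive through an IOCTL (constructed). */
struct user_request {
    uint32_t pid;
    uint32_t flags;
};

/* Capture: probe, then copy the whole struct into kernel-owned memory
 * BEFORE any field is validated or used, so a racing user thread cannot
 * change it between check and use (double fetch).  user_addr is the value
 * the caller supplied; user_mem is where this model keeps the bytes, since
 * a user-mode model cannot dereference an arbitrary address the way a
 * driver reads from user_addr inside __try. */
enum probe_status capture_request(uint64_t user_addr, const void *user_mem,
                                  struct user_request *out)
{
    enum probe_status st = probe_for_read(user_addr, sizeof *out,
                                          _Alignof(struct user_request));
    if (st != PROBE_OK)
        return st;
    memcpy(out, user_mem, sizeof *out); /* driver: inside __try/__except */
    return PROBE_OK;
}
```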