May I ask how to obtain a pointer to the EPROCESS block?
Can the same method be used on Win2000 and Win9x?

Reply #1
Posted on: 2001-09-12 17:42
It cannot be referenced in the same way. EPROCESS is a kernel-mode data structure. You need to write a driver to access it.

Reply #2
Posted on: 2001-09-13 11:33
Then what method can be used to get the pointer?
Is there a function available!

Reply #3
Posted on: 2001-09-29 00:36
You need a KMD driver to do 3 things.
1. Call IoGetCurrentProcess, which returns the current *EPROCESS. This pointer references KM memory, which is not valid in UM.
2. Call ZwMapViewOfSection to map the EPROCESS struct to user mode; you will get a section pointer.
3. In your device I/O control, return the section pointer to your application.
In your application, typecast the section pointer to an EPROCESS pointer and manipulate it as a memory block. Make sure you're in the same process context when doing this. Good luck.

Reply #4
Posted on: 2001-10-01 01:37
Is there a way to get those pointers under Win9x/Win2K in an arbitrary process context?

Reply #5
Posted on: 2001-10-01 21:46
>> in arbitrary process context?

For NT/2000/XP, once you get an EPROCESS struct in any context, even in the DPC, I think you will be able to traverse all system processes by looking up from the "process LIST_ENTRY" field in the EPROCESS struct. It's a doubly linked list. I forgot the offset of this field, though. For consumer Windows (9x, Me), I know nothing about them but the WDM.

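Added example, not part of any post in this thread: a user-mode C mock of the list walk described in the post above, with a consistency check on each forward/back link. The struct layout, field names and PIDs are constructed; on NT the ring also contains a bare list head (PsActiveProcessHead) that belongs to no EPROCESS, so the walker is told which node that is and skips it.

```c
#include <stddef.h>
#include <stdio.h>

/* Same shape as the NT LIST_ENTRY: node of a circular doubly linked list. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

/* Mock stand-in for EPROCESS. The real layout and the offset of the list
   field vary by Windows build; these names are hypothetical. */
typedef struct mock_eprocess {
    unsigned long pid;
    list_entry links;
} mock_eprocess;

/* Recover the owning structure from a pointer to its embedded node. */
#define OWNER(p) ((mock_eprocess *)((char *)(p) - offsetof(mock_eprocess, links)))

static void ring_init(list_entry *h) { h->flink = h->blink = h; }
static void ring_insert_tail(list_entry *h, list_entry *n) {
    n->flink = h; n->blink = h->blink;
    h->blink->flink = n; h->blink = n;
}

/* Walk the ring from any one process. `head` is the bare list head, which is
   not embedded in a process structure and must not be decoded as one.
   Returns the number of PIDs stored, or -1 on a link mismatch or overflow. */
int walk_processes(mock_eprocess *start, const list_entry *head,
                   unsigned long *pids, int max) {
    list_entry *first = &start->links, *cur = first;
    int n = 0;
    do {
        if (!cur->flink || cur->flink->blink != cur) return -1;
        if (cur != head) {
            if (n == max) return -1;
            pids[n++] = OWNER(cur)->pid;
        }
        cur = cur->flink;
    } while (cur != first);
    return n;
}

int main(void) {
    list_entry head; mock_eprocess p[3]; unsigned long pids[8];
    unsigned long sample[3] = {4, 368, 1020};   /* constructed PIDs */
    ring_init(&head);
    for (int i = 0; i < 3; i++) { p[i].pid = sample[i]; ring_insert_tail(&head, &p[i].links); }
    int n = walk_processes(&p[1], &head, pids, 8);
    for (int i = 0; i < n; i++) printf("pid %lu\n", pids[i]);
    return n == 3 ? 0 : 1;
}
```
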
Reply #6
Posted on: 2001-10-02 00:16
I got the whole picture now, thanks for the fast reply!
Your help is really priceless! :-) And thanks lu0 for this great forum!!

Reply #7
Posted on: 2001-10-02 17:50
Can I use BSOD's method to map the IDT into user VM?
Are there multiple IDTs on a single-CPU machine? How do I move my own interrupt routine into KM?

Reply #8
Posted on: 2001-10-23 07:14
I found a site with a tool "IDT Look" and the source is as follows:
http://www.wischrop-net.de/nt/main_idt.htm
http://www.wischrop-net.de/download/diplom/asource.zip
Hope this helps!!!

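Reply #9
Posted on: 2001-10-23 14:14
The secrets of the IDT under 98 are on my homepage.
Under NT the IDT can be handled directly. In the multi-CPU case, it can also be handled with what is described on my homepage. 98 and NT are covered in 2 articles. Look for them yourself.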