|
阅读:4098回复:5
hook了SSDT表的NtCreateProcess,如何得到被创建进程的信息,如PID和进程名
如题:)
|
|
最新喜欢: zhuwg
|
|
沙发#
发布于:2007-01-06 10:13
NTSYSAPI
NTSTATUS NTAPI NtCreateProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL ); 看下原形不就知道了,原来的函数会得到什么参数,你的也能得到 |
|
|
|
板凳#
发布于:2007-01-07 12:16
为什么我定义全局变量 KeServiceDescriptorTable的时候编译连接的时候会有2个错误呢?
我是这样定义的:typedef struct ServiceDescriptorTableEntry { unsigned int *ServiceTableBase; //服务描述表 unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; //服务个数 unsigned char *ParamTableBase; //参数表 }ServiceDescriptorTableEntry,*PServiceDescriptorTableEntry; //声明全局变量 extern PServiceDescriptorTableEntry KeServiceDescriptorTable; 错误是:Linking... mxdDrv.obj : error LNK2001: unresolved external symbol "struct ServiceDescriptorTableEntry * KeServiceDescriptorTable" (?KeServiceDescriptorTable@@3PAUServiceDescriptorTableEntry@@A) Debug/mxdDrv.sys : fatal error LNK1120: 1 unresolved externals Error executing link.exe. 大哥们帮小弟下啊,这是什么原因啊? |
|
|
地板#
发布于:2007-01-08 10:38
NtCreateProcess执行时还没有PID
进程名可以从SectionHandle中顺藤摸瓜找到 |
|
|
地下室#
发布于:2007-02-01 14:35
typedef struct ServiceDescriptorTableEntry
改成其它的名字 比如 typedef struct tagServiceDescriptorTableEntry |
|
|
5楼#
发布于:2007-02-02 12:37
ObReferenceObjectByHandle(hand,0,0,KernelMode,&file,0);
RtlUnicodeStringToAnsiString(&str,&file->FileName,1); handle---->进程filename 传给上层,再取pid就简单多了 |
|
|