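I have a question from reading through the CreateProcess flow and hope the experts here can give me some pointers. After NtCreateSection there is the call BasepIsProcessAllowed(lpApplicationName); and I am not clear on what it is for. Googling turned up the following information:
It takes a single parameter, the process name as a Unicode string
; Internally it calls RtlEnterCriticalSection to enter a critical section
; It then calls NtOpenKey to open: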
; "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"
; Explanation:
; AppCertDlls details.
; Create, in "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls",
;
; a key with the name "AppSecDll", type REG_EXPAND_SZ, and put there something like "%SystemRoot%\system32\.Dll" ... In fact, there may be a lot of them there, so keep this in mind.
;
; Your DLL must have a mandatory entry point named CreateProcessNotify, with the prototype specified below.
; End
; Finally it calls RtlLeaveCriticalSection. Could someone explain this in more detail?
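
An added example, not part of the original post: a PowerShell audit of the AppCertDlls key quoted above, reporting each value with its raw data, expanded path, Authenticode status and hash so that any DLL registered there can be reviewed. The function name `Get-AppCertDllEntry` and the variable `$AppCertKey` are hypothetical; the registry path is the one from the post, written in PowerShell provider form.

```powershell
# Added example (not from the original post). Get-AppCertDllEntry is a hypothetical name.
# The registry path is the one quoted in the post, in PowerShell provider form.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntry {
    param([string]$KeyPath = $AppCertKey)

    # No key means no DLLs are registered through this mechanism.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }

    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data so the unexpanded %SystemRoot%-style string stays visible.
        $raw = $key.GetValue($name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $exists = Test-Path -LiteralPath $path -PathType Leaf

        $sigStatus = 'FileMissing'; $signer = $null; $sha256 = $null
        if ($exists) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            ValueName    = $name
            ValueKind    = $key.GetValueKind($name)
            RawData      = $raw
            ExpandedPath = $path
            Signature    = $sigStatus
            Signer       = $signer
            SHA256       = $sha256
        }
    }
}

# Every row is worth reviewing; entries without a valid signature sort first.
Get-AppCertDllEntry | Sort-Object { $_.Signature -eq 'Valid' } | Format-List
```

Reading HKLM does not require elevation, so this can run as a standard user during triage or as a scheduled baseline check.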