-
-
[求助][求助]关于进程创建的疑问
-
发表于: 2010-4-19 10:44
-
读CreateProcess过程中的疑问,求大牛们给指点,在NtCreateSection后,有BasepIsProcessAllowed(lpApplicationName);这个调用,不是很清楚有什么用途,Goolge出相关信息:
就一个参数为Unicode进程名字
; 其内部调用了RtlEnterCriticalSection进入临界区
; 再调用NtOpenKey打开:
; "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"
; 解释:
; AppCertDlls details.
; Create in the "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"
;
; The Key with name "AppSecDll" type REG_EXPAND_SZ, and put there, something like that "%SystemRoot%\system32\.Dll" ... In fact, they may be there a lot, so keep this in mind.
;
; This yours DLL must have mandatory entry point with name CreateProcessNotify, and prototype as specified below.
; 结束
; 最后调用RtlLeaveCriticalSection
能不能再详细点!
就一个参数为Unicode进程名字
; 其内部调用了RtlEnterCriticalSection进入临界区
; 再调用NtOpenKey打开:
; "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"
; 解释:
; AppCertDlls details.
; Create in the "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"
;
; The Key with name "AppSecDll" type REG_EXPAND_SZ, and put there, something like that "%SystemRoot%\system32\.Dll" ... In fact, they may be there a lot, so keep this in mind.
;
; This yours DLL must have mandatory entry point with name CreateProcessNotify, and prototype as specified below.
; 结束
; 最后调用RtlLeaveCriticalSection
能不能再详细点!
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
