[Help] How do I call NtQueryInformationProcess in a driver?
Posted: 2008-4-26 13:13
I want to use the following code to get the current process's PEB from a driver, but every call to NtQueryInformationProcess returns 0xC0000005, STATUS_ACCESS_VIOLATION. How do I call this function correctly?
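PROCESS_BASIC_INFORMATION ProcessBasicInfo = {0};
HANDLE hCurrentProcess;
NTSTATUS Status;
ULONG tmp = 0;   /* receives the returned length */

hCurrentProcess = ZwCurrentProcess();
/* This is the call that returns 0xC0000005 (STATUS_ACCESS_VIOLATION) */
Status = NtQueryInformationProcess(hCurrentProcess,
                                   ProcessBasicInformation,
                                   &ProcessBasicInfo,
                                   sizeof(PROCESS_BASIC_INFORMATION),
                                   &tmp);
if (STATUS_SUCCESS == Status)
{
    /* Print the image path from the PEB's process parameters */
    KdPrint(("%ws\n", ProcessBasicInfo.PebBaseAddress->ProcessParameters->ImagePathName.Buffer));
}
else
{
    KdPrint(("NtQueryFail:%lX,PEB:%p\n", Status, ProcessBasicInfo.PebBaseAddress));
}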