ZwQueryInformationProcess(...,ProcessBasicInformation...) error for parent process? - NTDEV

link管理

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

相关文章推荐

果断的移动电源 · 实战网络问题排查（六） -- 利用 ...· 1 月前 ·

要出家的灭火器 · 【文章】1分钟带你了解欧拉闪电猫行车记录仪_ ...· 1 月前 ·

风流倜傥的木瓜 · Microsoft Copilot | ...· 5 月前 ·

不拘小节的吐司 · 浙江丽水市依托银行卡助农取款服务点创新推出农 ...· 6 月前 ·

买醉的凉面 · openssl的使用方法（使用openssl ...· 1 年前 ·

I need to receive ImagePathName from Process.
In my previous project I used ZwQueryInformationProcess() with ProcessBasicInformation and received name from PEB - works great.
But ZwQueryInformationProcess() was called only for current process (-1).

Currently I need receive the same for parent process which HANDLE is result of ZwOpenProcess(…) (obviously with attribute OBJ_KERNEL_HANDLE).

ZwQueryInformationProcess() returns SUCCESS and basic information, but PEB is not correct!?!

Searching our forum gives me th folowing (Anton Bassov): “PEB is user-mode structure, and, hence, may be unusable in the caller’s context - in order to make any use of it, you have to attach your thread to the address space of the target process.” ( https://www.osronline.com/showthread.cfm?link=115084 )

which means that PEB is valid only for calls inside process!?!
There is no this limitation in DDK!?!

The question: is it correct to call ZwQueryInformationProcess(…, ProcessBasicInformation,…) for parent handle?

推荐文章

果断的移动电源 · 实战网络问题排查（六） -- 利用 wireshark 排查 TCP 空窗口问题-腾讯云开发者社区-腾讯云

1 月前

要出家的灭火器 · 【文章】1分钟带你了解欧拉闪电猫行车记录仪_车家号_汽车之家

1 月前

风流倜傥的木瓜 · Microsoft Copilot | Microsoft AI

5 月前

不拘小节的吐司 · 浙江丽水市依托银行卡助农取款服务点创新推出农村多功能金融服务站

6 月前

买醉的凉面 · openssl的使用方法（使用openssl生成csr文件和私钥key文件） - 知乎

1 年前