小菜在 HOOK NtCreateProcessEx 时希望得到被创建进程的文件名，但不知道怎么写。
HOOK NtCreateProcessEx 之后创建进程，想要输出文件的信息，希望大神回答。
说明：NtCreateProcessEx 的参数里并没有文件名，只有 SectionHandle（映像节句柄）。文件路径要么从节对象取，要么在原函数成功返回后读取 *ProcessHandle（这是调用者的指针，用户态调用时必须 ProbeForRead 并放在 __try 里），再用 ZwQueryInformationProcess(ProcessImageFileName) 查询。另外请确认目标系统：Vista 及以后 CreateProcess 走的是 NtCreateUserProcess，这个 HOOK 看不到普通的进程创建；受支持的做法是 PsSetCreateProcessNotifyRoutine(Ex) 或 PsSetLoadImageNotifyRoutine，它们直接给出映像路径。
在下面这个自定义的函数中输出文件信息：
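/* Size in bytes of the jmp stub written over NtCreateProcessEx's prologue;
 * bOldBytes (saved original bytes) and bNewBytes (the jmp) are both this long. */
#define NTCREATEPROCESSEX_PATCH_LEN 5
/* Pool tag for the temporary image-name buffer ("Hook" reversed). */
#define NTCREATEPROCESSEX_POOL_TAG  'kooH'

/*
 * Log the NT image path of the process that the real NtCreateProcessEx just
 * returned through *ProcessHandle. Best effort: never alters the call's status.
 *
 * ProcessHandle is the caller's pointer, not ours. On a user-mode syscall it
 * points into user space, so it is probed and read inside SEH; a pointer that
 * is unreadable, a handle the query rejects, or an allocation failure only
 * drops the log line. The handle value comes from caller-writable memory and
 * may be changed by the caller at any time, so it is used for logging only --
 * never as the basis of a security decision.
 *
 * NOTE(review): ZwQueryInformationProcess / ProcessImageFileName are declared
 * in ntddk.h in current WDKs; an older DDK may need a manual prototype.
 */
static VOID
LogImageFileNameOfNewProcess(PHANDLE ProcessHandle)
{
    HANDLE hProcess = NULL;
    PVOID info = NULL;
    ULONG needed = 0;
    NTSTATUS qs;

    if (ProcessHandle == NULL) {
        return;
    }

    __try {
        /* ProbeForRead raises on kernel addresses, so skip it for kernel callers. */
        if (ExGetPreviousMode() != KernelMode) {
            ProbeForRead(ProcessHandle, sizeof(HANDLE), sizeof(HANDLE));
        }
        hProcess = *ProcessHandle;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return;
    }

    /* Sizing call: the class returns a UNICODE_STRING followed by its buffer. */
    qs = ZwQueryInformationProcess(hProcess, ProcessImageFileName, NULL, 0, &needed);
    if (qs != STATUS_INFO_LENGTH_MISMATCH || needed == 0) {
        KdPrint(("MyNtCreateProcessEx: image name size query failed 0x%08X\n", qs));
        return;
    }

    info = ExAllocatePoolWithTag(PagedPool, needed, NTCREATEPROCESSEX_POOL_TAG);
    if (info == NULL) {
        return;
    }

    qs = ZwQueryInformationProcess(hProcess, ProcessImageFileName, info, needed, &needed);
    if (NT_SUCCESS(qs)) {
        KdPrint(("MyNtCreateProcessEx: image file %wZ\n", (PUNICODE_STRING)info));
    } else {
        KdPrint(("MyNtCreateProcessEx: image name query failed 0x%08X\n", qs));
    }
    ExFreePoolWithTag(info, NTCREATEPROCESSEX_POOL_TAG);
}

/*
 * Replacement body that the jmp written over NtCreateProcessEx lands in.
 *
 * Sequence: restore the original prologue bytes, call the real function,
 * log the new process's image path on success, re-write the jmp, and return
 * the original status. Every parameter is NtCreateProcessEx's own and is
 * passed through untouched; the return value is exactly what the real
 * function returned.
 *
 * NOTE(review): un-patch / call / re-patch leaves a window in which other
 * threads calling NtCreateProcessEx bypass the hook entirely, and a thread
 * executing the prologue while the bytes are being rewritten can run a torn
 * instruction. A trampoline (saved prologue + jmp back) avoids ever re-patching;
 * the supported route is PsSetCreateProcessNotifyRoutine(Ex) or
 * PsSetLoadImageNotifyRoutine, which hand you the image name directly.
 * NOTE(review): on Vista and later CreateProcess goes through
 * NtCreateUserProcess, so this hook does not see ordinary process creation
 * there, and x64 kernels presumably bugcheck on patched ntoskrnl code (Kernel
 * Patch Protection) -- confirm the target OS before relying on this.
 * NOTE(review): UN_PROTECT/RE_PROTECT are defined elsewhere; whether they are
 * SMP-safe (e.g. raise IRQL / pin the CPU while CR0.WP is clear) is not
 * visible here -- verify.
 */
NTSTATUS
MyNtCreateProcessEx(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in HANDLE ParentProcess,
__in ULONG Flags,
__in_opt HANDLE SectionHandle,
__in_opt HANDLE DebugPort,
__in_opt HANDLE ExceptionPort,
__in ULONG JobMemberLevel
)
{
    NTSTATUS status = STATUS_SUCCESS;

    KdPrint(("ENTER mY cREATEprocess \n \r"));

    /* Put the original prologue back so the real function can be called. */
    UN_PROTECT();
    RtlCopyMemory((PVOID)OldNtCreateProcessEx, (CONST PVOID)bOldBytes, NTCREATEPROCESSEX_PATCH_LEN);
    RE_PROTECT();

    status = OldNtCreateProcessEx(ProcessHandle,
                                  DesiredAccess,
                                  ObjectAttributes,
                                  ParentProcess,
                                  Flags,
                                  SectionHandle,
                                  DebugPort,
                                  ExceptionPort,
                                  JobMemberLevel);

    /* Re-arm the hook first so the unhooked window stays as short as possible;
     * the image-name query below is not time critical. */
    UN_PROTECT();
    RtlCopyMemory((PVOID)OldNtCreateProcessEx, (CONST PVOID)bNewBytes, NTCREATEPROCESSEX_PATCH_LEN);
    RE_PROTECT();

    /* Only a successfully created process has a handle (and an image) to report. */
    if (NT_SUCCESS(status)) {
        LogImageFileNameOfNewProcess(ProcessHandle);
    }

    return status;
}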
HOOK NtCreateProcessEx 之后创建进程，想要输出文件的信息，希望大神回答。
说明：NtCreateProcessEx 的参数里没有文件名，只有 SectionHandle；文件路径要在原函数成功返回后，安全地读取 *ProcessHandle（调用者的指针，用户态调用时需 ProbeForRead + __try）再用 ZwQueryInformationProcess(ProcessImageFileName) 查询。Vista 及以后 CreateProcess 走 NtCreateUserProcess，这个 HOOK 看不到普通的进程创建；受支持的做法是 PsSetCreateProcessNotifyRoutine(Ex) 或 PsSetLoadImageNotifyRoutine。
在下面这个自定义的函数中输出文件信息：
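/* Size in bytes of the jmp stub written over NtCreateProcessEx's prologue;
 * bOldBytes (saved original bytes) and bNewBytes (the jmp) are both this long. */
#define NTCREATEPROCESSEX_PATCH_LEN 5
/* Pool tag for the temporary image-name buffer ("Hook" reversed). */
#define NTCREATEPROCESSEX_POOL_TAG  'kooH'

/*
 * Log the NT image path of the process that the real NtCreateProcessEx just
 * returned through *ProcessHandle. Best effort: never alters the call's status.
 *
 * ProcessHandle is the caller's pointer, not ours. On a user-mode syscall it
 * points into user space, so it is probed and read inside SEH; a pointer that
 * is unreadable, a handle the query rejects, or an allocation failure only
 * drops the log line. The handle value comes from caller-writable memory and
 * may be changed by the caller at any time, so it is used for logging only --
 * never as the basis of a security decision.
 *
 * NOTE(review): ZwQueryInformationProcess / ProcessImageFileName are declared
 * in ntddk.h in current WDKs; an older DDK may need a manual prototype.
 */
static VOID
LogImageFileNameOfNewProcess(PHANDLE ProcessHandle)
{
    HANDLE hProcess = NULL;
    PVOID info = NULL;
    ULONG needed = 0;
    NTSTATUS qs;

    if (ProcessHandle == NULL) {
        return;
    }

    __try {
        /* ProbeForRead raises on kernel addresses, so skip it for kernel callers. */
        if (ExGetPreviousMode() != KernelMode) {
            ProbeForRead(ProcessHandle, sizeof(HANDLE), sizeof(HANDLE));
        }
        hProcess = *ProcessHandle;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return;
    }

    /* Sizing call: the class returns a UNICODE_STRING followed by its buffer. */
    qs = ZwQueryInformationProcess(hProcess, ProcessImageFileName, NULL, 0, &needed);
    if (qs != STATUS_INFO_LENGTH_MISMATCH || needed == 0) {
        KdPrint(("MyNtCreateProcessEx: image name size query failed 0x%08X\n", qs));
        return;
    }

    info = ExAllocatePoolWithTag(PagedPool, needed, NTCREATEPROCESSEX_POOL_TAG);
    if (info == NULL) {
        return;
    }

    qs = ZwQueryInformationProcess(hProcess, ProcessImageFileName, info, needed, &needed);
    if (NT_SUCCESS(qs)) {
        KdPrint(("MyNtCreateProcessEx: image file %wZ\n", (PUNICODE_STRING)info));
    } else {
        KdPrint(("MyNtCreateProcessEx: image name query failed 0x%08X\n", qs));
    }
    ExFreePoolWithTag(info, NTCREATEPROCESSEX_POOL_TAG);
}

/*
 * Replacement body that the jmp written over NtCreateProcessEx lands in.
 *
 * Sequence: restore the original prologue bytes, call the real function,
 * log the new process's image path on success, re-write the jmp, and return
 * the original status. Every parameter is NtCreateProcessEx's own and is
 * passed through untouched; the return value is exactly what the real
 * function returned.
 *
 * NOTE(review): un-patch / call / re-patch leaves a window in which other
 * threads calling NtCreateProcessEx bypass the hook entirely, and a thread
 * executing the prologue while the bytes are being rewritten can run a torn
 * instruction. A trampoline (saved prologue + jmp back) avoids ever re-patching;
 * the supported route is PsSetCreateProcessNotifyRoutine(Ex) or
 * PsSetLoadImageNotifyRoutine, which hand you the image name directly.
 * NOTE(review): on Vista and later CreateProcess goes through
 * NtCreateUserProcess, so this hook does not see ordinary process creation
 * there, and x64 kernels presumably bugcheck on patched ntoskrnl code (Kernel
 * Patch Protection) -- confirm the target OS before relying on this.
 * NOTE(review): UN_PROTECT/RE_PROTECT are defined elsewhere; whether they are
 * SMP-safe (e.g. raise IRQL / pin the CPU while CR0.WP is clear) is not
 * visible here -- verify.
 */
NTSTATUS
MyNtCreateProcessEx(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
__in HANDLE ParentProcess,
__in ULONG Flags,
__in_opt HANDLE SectionHandle,
__in_opt HANDLE DebugPort,
__in_opt HANDLE ExceptionPort,
__in ULONG JobMemberLevel
)
{
    NTSTATUS status = STATUS_SUCCESS;

    KdPrint(("ENTER mY cREATEprocess \n \r"));

    /* Put the original prologue back so the real function can be called. */
    UN_PROTECT();
    RtlCopyMemory((PVOID)OldNtCreateProcessEx, (CONST PVOID)bOldBytes, NTCREATEPROCESSEX_PATCH_LEN);
    RE_PROTECT();

    status = OldNtCreateProcessEx(ProcessHandle,
                                  DesiredAccess,
                                  ObjectAttributes,
                                  ParentProcess,
                                  Flags,
                                  SectionHandle,
                                  DebugPort,
                                  ExceptionPort,
                                  JobMemberLevel);

    /* Re-arm the hook first so the unhooked window stays as short as possible;
     * the image-name query below is not time critical. */
    UN_PROTECT();
    RtlCopyMemory((PVOID)OldNtCreateProcessEx, (CONST PVOID)bNewBytes, NTCREATEPROCESSEX_PATCH_LEN);
    RE_PROTECT();

    /* Only a successfully created process has a handle (and an image) to report. */
    if (NT_SUCCESS(status)) {
        LogImageFileNameOfNewProcess(ProcessHandle);
    }

    return status;
}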