I use a PsSetCreateProcessNotifyRoutine callback to watch for XXX.exe being loaded, then get the EPROCESS from that process ID, but I don't know how to obtain the base address of that process.
Below is the callback code. Is there any way
to get the base address of that process?
Code:
VOID LoadExeRoutine (
    IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate
    )
{
    PEPROCESS EProcess;
    NTSTATUS status;

    /* PId is already a HANDLE; casting it to ULONG is unnecessary and breaks on 64-bit. */
    status = PsLookupProcessByProcessId( PId, &EProcess);
    if (!NT_SUCCESS( status ))
    {
        DbgPrint("PsLookupProcessByProcessId() failed: 0x%08X\n", status);
        return ;
    }
    if ( bCreate )
    {
        /* 0x174 is the ImageFileName offset inside EPROCESS for this OS build;
           it changes between Windows versions. _stricmp() returns 0 when the
           strings match, so the result must be compared with 0, not TRUE. */
        if( _stricmp((char *)((ULONG_PTR)(EProcess)+0x174),"Client.exe")==0)
        {
            DbgPrint(("\n\n+++++++++++++++++++++++++++++++Client.exe++++++++++++++++++++++++++\n\n"));
        }
    }
    /* PsLookupProcessByProcessId() takes a reference on the EPROCESS; release it. */
    ObDereferenceObject(EProcess);
    return;
}
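One way to get the base address without walking EPROCESS by offset is to register an image-load callback with PsSetLoadImageNotifyRoutine, which reports the mapped base and size of every image in IMAGE_INFO. This is an added example, not code from the post; the target suffix, the globals and the register/unregister helpers are assumptions for the example, and it expects to be called from a driver's DriverEntry and unload routine.

```c
#include <ntddk.h>

/* Constructed for the example: the end of the NT path of the process we watch. */
static const WCHAR g_TargetSuffix[] = L"\\Client.exe";
static HANDLE g_TargetPid       = NULL;   /* pid of the matched process */
static PVOID  g_TargetImageBase = NULL;   /* base address of its main image */
static SIZE_T g_TargetImageSize = 0;

/* Case-insensitive check that Path ends with Suffix (e.g. "\Client.exe"). */
static BOOLEAN PathEndsWith(PCUNICODE_STRING Path, PCWSTR Suffix)
{
    UNICODE_STRING want, tail;
    USHORT pathChars, wantChars;

    if (Path == NULL || Path->Buffer == NULL)
        return FALSE;
    RtlInitUnicodeString(&want, Suffix);
    pathChars = Path->Length / sizeof(WCHAR);
    wantChars = want.Length / sizeof(WCHAR);
    if (pathChars < wantChars)
        return FALSE;
    tail.Buffer = Path->Buffer + (pathChars - wantChars);
    tail.Length = tail.MaximumLength = want.Length;
    return RtlEqualUnicodeString(&tail, &want, TRUE);
}

/* Fired for every image mapped into a user process (ProcessId != NULL) and for
   drivers (ProcessId == NULL). For the main executable, ImageInfo->ImageBase is
   exactly the process base address the question asks for. */
VOID LoadImageRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    if (ProcessId == NULL || ImageInfo == NULL || ImageInfo->SystemModeImage)
        return;
    if (!PathEndsWith(FullImageName, g_TargetSuffix))
        return;
    g_TargetPid       = ProcessId;
    g_TargetImageBase = ImageInfo->ImageBase;
    g_TargetImageSize = ImageInfo->ImageSize;
    DbgPrint("Client.exe pid=%p base=%p size=%Iu\n",
             ProcessId, ImageInfo->ImageBase, ImageInfo->ImageSize);
}

/* Call from DriverEntry; the callback stays registered until removed. */
NTSTATUS RegisterImageCallback(void)
{
    return PsSetLoadImageNotifyRoutine(LoadImageRoutine);
}

/* Call from the driver unload routine, or the driver cannot unload safely. */
VOID UnregisterImageCallback(void)
{
    PsRemoveLoadImageNotifyRoutine(LoadImageRoutine);
}
```

The callback runs in the context of the process receiving the image, so the base is usable immediately; the hardcoded 0x174 offset in the original code is avoided entirely, which matters because that field moves between Windows builds.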