Hooking TerminateProcess & Getting Info From The Handle It Supplies


Question


If you want to stop a process from being terminated, one way is to hook into TerminateProcess (or NtTerminateProcess). If the process is terminating itself (because you closed its window, for example), the handle supplied to those functions is NULL, so you can find out what executable is being terminated using GetCurrentProcess() & GetModuleFileNameEx(). As GetCurrentProcess() returns a pseudo-handle, you can access it with no problems.


If one process is terminating another, though, the handle supplied is not NULL. It represents the process being terminated. The problem is, you can't get information about that process. You can simply return a code saying "access denied" instead of calling the original [Nt]TerminateProcess(), but that blanket stops all processes from terminating others - which is a bad idea.


The handle must represent something valid, otherwise TerminateProcess wouldn't be able to do anything useful with it - but I can't even call GetProcessId() on it, I get ERROR_INVALID_HANDLE (or ERROR_ACCESS_DENIED). I've tried various methods I've collected from the help and from online, including gaining the debug privilege (success) and DuplicateHandle() (same error) and ZwQueryInformationProcess() to get the ID (STATUS_ACCESS_DENIED). I can't even enumerate processes because they return IDs, and I can't get the ID, and OpenProcess() always returns a fresh handle, so I can't compare handles.


I can only assume the handle has PROCESS_TERMINATE right and nothing else. I know that Vista and higher have protected processes due to Digital Rights Management, but I'm using ProcessExplorer as my guinea pig so it's definitely not a media application!


Does anyone know how else I might be able to get any kind of information about the process being terminated from this handle?

Recommended answer


It's just an ordinary process handle. The question is, in which process is your hook function executing? If it's the calling process, the handle can be used as-is for GetProcessId or NtQueryInformationProcess. If not, you need to call DuplicateHandle to duplicate the handle into your process.


If you're getting access denied errors, it may be because the process handle only has PROCESS_TERMINATE access. In that case, use DuplicateHandle to "re-open" the process with PROCESS_QUERY_(LIMITED_)INFORMATION access.
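As an added example (not code from the original question or answer), this PowerShell script reproduces the answer's second point through P/Invoke: a handle opened with only PROCESS_TERMINATE cannot be queried, and DuplicateHandle with PROCESS_QUERY_LIMITED_INFORMATION "re-opens" the same process so that GetProcessId and QueryFullProcessImageName work on the duplicate. It assumes the in-process case of the answer (the handle is valid in the process doing the querying), a same-user, non-protected target, and uses a hidden powershell.exe that the script starts itself as a stand-in for the OP's guinea pig.

```powershell
# Added example, not code from the original Q&A or the answerer. Assumes a same-user,
# non-protected target; a hidden powershell.exe started here stands in for it.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetProcessId(IntPtr hProcess);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle,
    IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess,
    bool bInheritHandle, uint dwOptions);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags,
    System.Text.StringBuilder lpExeName, ref uint lpdwSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@
$PROCESS_TERMINATE                 = 0x0001
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
function Get-LastErr { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
$target = Start-Process powershell.exe -ArgumentList '-NoProfile','-Command','Start-Sleep 120' -WindowStyle Hidden -PassThru
$hTerm = $hQuery = [IntPtr]::Zero
try {
    # 1. A handle holding nothing but PROCESS_TERMINATE, like the one a TerminateProcess hook sees.
    $hTerm = [Win32.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$target.Id)
    if ($hTerm -eq [IntPtr]::Zero) { throw "OpenProcess failed, error $(Get-LastErr)" }
    # 2. GetProcessId needs PROCESS_QUERY_LIMITED_INFORMATION, so on this handle it returns 0.
    $idDirect = [Win32.Native]::GetProcessId($hTerm)
    "GetProcessId on the TERMINATE-only handle -> $idDirect, Win32 error $(Get-LastErr) (5 = ERROR_ACCESS_DENIED)"
    # 3. The fix from the answer: DuplicateHandle re-opens the same object with query access.
    #    The kernel re-checks the process ACL for the wider access, so this only succeeds
    #    where the caller could have opened the process with that right in the first place.
    $ok = [Win32.Native]::DuplicateHandle([Win32.Native]::GetCurrentProcess(), $hTerm,
              [Win32.Native]::GetCurrentProcess(), [ref]$hQuery,
              $PROCESS_QUERY_LIMITED_INFORMATION, $false, 0)
    if (-not $ok) { throw "DuplicateHandle failed, error $(Get-LastErr)" }
    # 4. Now the process behind the handle can be identified.
    $buf = New-Object System.Text.StringBuilder 1024
    $len = [uint32]$buf.Capacity
    [void][Win32.Native]::QueryFullProcessImageName($hQuery, 0, $buf, [ref]$len)
    "Duplicated handle -> PID $([Win32.Native]::GetProcessId($hQuery)), image $($buf.ToString())"
}
finally {
    foreach ($h in $hQuery, $hTerm) { if ($h -ne [IntPtr]::Zero) { [void][Win32.Native]::CloseHandle($h) } }
    Stop-Process -Id $target.Id -Force -ErrorAction SilentlyContinue
}
```

If the hook runs in a process other than the caller, the source handle must first be duplicated out of the caller's handle table (DuplicateHandle with a PROCESS_DUP_HANDLE handle to that process as the source), which is the answer's first point.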
