|
|
|
|
#1
07-26-2004, 16:14
|
|||
|
|||
|
Viasek is right: the argument DebugReadMemory (8) has been added in Windows XP platform and it is not documented. Also arguments 14-19, pointed out by Viasek, have been added in Windows XP.
If you are interested in Win2k platform, you need another way to read kernel space (driver or callgate). The "something wrong" is very interesting: I strangely cannot recreate it on my platform (Windows XP SP1), neither from Win32 console nor from Visual Studio. It is related to the way the current process id is inferred, not to the way used to retrieve the process name or the process parent! It looks like, at the moment in which the current process structure is read from kernel, the scheduler has selected another process... To avoid this, you can simply retrieve the current process id from userland: Code:
mypid = 0x7FFDE020; // &(TEB.CLIENT_ID.UniqueProcess)
mypid = *(LPDWORD)mypid;
P.S. This is my last post in this thread. I'm afraid JMI call me an FTP chaser! 
|
|
#2
07-26-2004, 16:35
|
|||
|
|||
|
Ohh!
 The Hobbits is reaching the physic hotline and sees into the future. Trouble he is and the stinking Hobbits has the precious. But the Hobbits has good information and me wants more, more, more. Regards,
__________________
JMI
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Hybrid Mode
