Location:
Search - ZwQueryObject
Search list
Description: 文件-进程关联演示程序
pjf(jfpan20000@sina.com)
1、首先使用ZwQuerySystemInformation查询所有进程句柄,
2、获取句柄所代表对象信息,查出目标文件。核心态程序相对简单,对于
用户态程序,使用ZwQueryInformationFile同时与GetFileInformationByHandle、
GetVolumeInformation二API搭配获得之(前者得文件除去卷的路径名,后二者
得卷名) 另外可用ZwQueryObject。
3、综合1,2即完成-document-related processes pjf Demonstration Program (jfpan20000@sina.com) 1, the first to use ZwQuerySystemInformation process handle all inquiries, 2, represented by the acquisition target handle information, to identify the target file. Core state procedure is relatively simple, for the user state, the use of ZwQueryInformationFile GetFileInformationByHandle with the same time, GetVolumeInformation two API gained mix (in the former Vol remove documents from the path, in the latter two volumes) Also available ZwQueryObject. 3, the completion of comprehensive 1,2
Platform: |
Size: 2271 |
Author: 周继波 |
Hits:
Description: 文件-进程关联演示程序
pjf(jfpan20000@sina.com)
1、首先使用ZwQuerySystemInformation查询所有进程句柄,
2、获取句柄所代表对象信息,查出目标文件。核心态程序相对简单,对于
用户态程序,使用ZwQueryInformationFile同时与GetFileInformationByHandle、
GetVolumeInformation二API搭配获得之(前者得文件除去卷的路径名,后二者
得卷名) 另外可用ZwQueryObject。
3、综合1,2即完成-document-related processes pjf Demonstration Program (jfpan20000@sina.com) 1, the first to use ZwQuerySystemInformation process handle all inquiries, 2, represented by the acquisition target handle information, to identify the target file. Core state procedure is relatively simple, for the user state, the use of ZwQueryInformationFile GetFileInformationByHandle with the same time, GetVolumeInformation two API gained mix (in the former Vol remove documents from the path, in the latter two volumes) Also available ZwQueryObject. 3, the completion of comprehensive 1,2
Platform: |
Size: 2048 |
Author: 周继波 |
Hits:
Description: 利用Windows的几个特性进行反测试的代码-several features of the anti-testing code
Platform: |
Size: 2048 |
Author: 王瑜与 |
Hits: