Re: Process Validation
- From: Mark Roddy <markr@xxxxxxxxxxxxxx>
- Date: Sun, 23 Jul 2006 12:03:34 -0400
On Sat, 22 Jul 2006 21:58:01 -0700, L. Spiro
<LSpiro@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I am using KeStackAttachProcess() to go to the context of my own and
sometimes another process?s RAM.
In the case of the other process, it can happen that the process closes
while I am about to read from it, causing my program to lock up, and it can?t
even be End-Task?ed.
I start with a valid EPROCESS structure for the target process, but between
passing it through DeviceIoControl() to KeStackAttachProcess(), the process
closes and the structure is no longer valid, causing the infinite failure.
It is my understanding that once inside KeStackAttachProcess(), the process
can not close (fully) until I leave it, so the EPROCESS must remain valid for
that time.
Therefore, my problem exists just before entering KeStackAttachProcess().
How can I avoid this problem?
How can I lock a process so that it can not close just before I go into it
with KeStackAttachProcess()?
You need to reference the process object so that it cannot close. Use
ObReferenceObjectByPointer on the Eprocess object.
It would also help if I can detect the closing of the application more
quickly/accurately.
Is the only way to do this by setting a hook on ZwTerminateProcess()?
Yes. Use PsSetCreateProcessNotifyRoutine to set up a supported
callback routine for process creation/deletion events. This gives you
the PID.
=====================
Mark Roddy DDK MVP
Windows Vista/2003/XP/2000 Consulting
Device and Filesystem Drivers
Hollis Technology Solutions 603-321-1032
www.hollistech.com
.
- Prev by Date: Re: problem compiling sample drivers
- Next by Date: Re: Address Verification
- Previous by thread: NDIS IM - problems with NdisSend
- Next by thread: Re: Process Validation
- Index(es):
Relevant Pages
|
