Re: How to get Parent Pid from Kernel Driver?
- From: "anton bassov"<xxx@xxxxxxx>
- Date: Thu, 20 Apr 2006 09:49:50 -0500
Hi mate
First of all, the parent/child relationship is rather weak under Windows.
Therefore, as Skywing pointed out, a PID may get re-used, so that any info
you can obtain on the subject is not 100% reliable.
Now let's proceed to the actual task. As you can see, I often recommend
undocumented and "unsupported" things. However, using such structures as
ETHREAD and EPROCESS is not among them - as practice shows, MSFT changes
them a bit too often.
What you did is a totally wrong way of doing things - a system upgrade is more
than likely to break your code. You can try to obtain a parent PID via
NtQueryInformationProcess() with infoclass ProcessBasicInformation - the
InheritedFrom field of the ProcessBasicInformation structure is, in actuality,
the parent PID. Although NtQueryInformationProcess() is an undocumented function,
such an approach is much more stable than accessing EPROCESS.
Regards
Anton Bassov
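An added example, not part of Anton's post: a PowerShell script that calls ntdll!NtQueryInformationProcess with ProcessBasicInformation from user mode, reads the InheritedFromUniqueProcessId field (the "InheritedFrom" value the post refers to) and then applies the PID-reuse caveat by checking that whatever process currently holds that PID started before its supposed child. The PROCESS_BASIC_INFORMATION layout and the infoclass value 0 are assumptions of this example taken from the native API as commonly documented; a driver would issue the same query through ZwQueryInformationProcess with the same structure. The function names Get-ParentProcessId and Get-ParentProcessInfo are this example's own.

```powershell
# Added example: user-mode query of ProcessBasicInformation via ntdll, with a
# start-time check for PID reuse. Not from the original post. Windows only.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class NtProc
{
    // PROCESS_BASIC_INFORMATION as filled in for infoclass 0 (ProcessBasicInformation).
    // IntPtr for ExitStatus keeps the x86/x64 field offsets identical to the native struct.
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;   // PID of the creating process
    }

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr ProcessHandle, int ProcessInformationClass,
        ref PROCESS_BASIC_INFORMATION ProcessInformation,
        int ProcessInformationLength, out int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Get-ParentProcessId {
    # Returns InheritedFromUniqueProcessId for $ProcessId, i.e. the PID recorded
    # at creation time. Throws if the process cannot be opened or queried.
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION = 0x0400
    $ProcessBasicInformation   = 0

    $h = [NtProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed with Win32 error $err"
    }
    try {
        $pbi = [NtProc+PROCESS_BASIC_INFORMATION]::new()
        $len = 0
        $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBasicInformation, [ref]$pbi,
                      [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$len)
        if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
        return $pbi.InheritedFromUniqueProcessId.ToInt64()
    }
    finally {
        [void][NtProc]::CloseHandle($h)
    }
}

function Get-ParentProcessInfo {
    # Pairs the recorded parent PID with a plausibility check: the field is only a PID,
    # so once the real parent exits that number may belong to an unrelated process.
    # A "parent" that started after its child cannot be the creator.
    param([Parameter(Mandatory)][int]$ProcessId)

    $child  = Get-Process -Id $ProcessId -ErrorAction Stop
    $ppid   = Get-ParentProcessId -ProcessId $ProcessId
    $parent = Get-Process -Id $ppid -ErrorAction SilentlyContinue

    if (-not $parent)                               { $state = 'ParentExited' }
    elseif ($parent.StartTime -gt $child.StartTime) { $state = 'PidReused' }
    else                                            { $state = 'Plausible' }

    $parentName = $null
    if ($parent) { $parentName = $parent.ProcessName }

    [pscustomobject]@{
        ProcessId   = $ProcessId
        ParentPid   = $ppid
        ParentName  = $parentName
        ParentState = $state
    }
}

# Usage: the current PowerShell host, then every process whose recorded parent
# is gone or whose PID has been recycled (processes we cannot open are skipped).
Get-ParentProcessInfo -ProcessId $PID
Get-Process | ForEach-Object { try { Get-ParentProcessInfo -ProcessId $_.Id } catch { } } |
    Where-Object ParentState -ne 'Plausible'
```

The start-time comparison is the cheapest guard against the reuse problem raised in the thread: it cannot prove the relationship, but it rejects the case where the PID has provably been handed to a process created after the child. Anything reported as PidReused or ParentExited should be treated as "parent unknown" rather than trusted.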