Re: How to get Parent Pid from Kernel Driver?
- From: "Don Burn" <burn@xxxxxxxxxxxxxxxx>
- Date: Thu, 20 Apr 2006 20:55:40 -0400
> What you did is totally the wrong way of doing things - a system upgrade is
> more than likely to break your code. You can try to obtain a parent PID via
> NtQueryInformationProcess() with infoclass ProcessBasicInformation -
> the InheritedFrom field of the ProcessBasicInformation structure is, in actuality,
> the parent PID. Although NtQueryInformationProcess() is an undocumented function,
> such an approach is much more stable than accessing EPROCESS.
Actually, you cannot guarantee that the InheritedFrom field has anything to
do with the parent PID. This is the PID of the process that was passed into
ZwCreateProcess for inheriting. There are cases, particularly in the more
exotic third-party code, where this is not the parent. This is a common
beginner's mistake.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
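As an added illustration (not code from either poster), the following PowerShell script performs the user-mode read Anton describes and applies the only sanity check available from that side: the creation time of the process named by InheritedFromUniqueProcessId must precede the child's, otherwise the PID has been reused. It cannot tell a genuine creator from a different process handed in for inheritance, which is Don's point. The class and function names, and the info-class value 0 for ProcessBasicInformation, are assumptions of this example.

```powershell
# Added example, not from the thread. Reads ProcessBasicInformation for one PID,
# reports InheritedFromUniqueProcessId, and checks the named process predates the child.
# PbiNative, Get-InheritedFromPid and Test-InheritedFromPid are names chosen here.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class PbiNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION {
        public IntPtr ExitStatus;            // NTSTATUS, padded to pointer size
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;          // KPRIORITY, padded to pointer size
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr ProcessHandle,
        int ProcessInformationClass, ref PROCESS_BASIC_INFORMATION ProcessInformation,
        int ProcessInformationLength, out int ReturnLength);
}
"@

function Get-InheritedFromPid {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop   # .Handle below throws if access is denied
    $pbi  = New-Object PbiNative+PROCESS_BASIC_INFORMATION
    $len  = [Runtime.InteropServices.Marshal]::SizeOf($pbi)
    $ret  = 0
    # 0 = ProcessBasicInformation (undocumented info class, as the thread notes)
    $status = [PbiNative]::NtQueryInformationProcess($proc.Handle, 0, [ref]$pbi, $len, [ref]$ret)
    if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
    $pbi.InheritedFromUniqueProcessId.ToInt64()
}

function Test-InheritedFromPid {
    param([Parameter(Mandatory)][int]$ProcessId)
    $inheritedFrom = Get-InheritedFromPid -ProcessId $ProcessId
    $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $inheritedFrom"
    $olderThanChild = $null                                # unknown when the inheritor has exited
    if ($parent) { $olderThanChild = $parent.CreationDate -lt $child.CreationDate }
    [pscustomobject]@{
        ProcessId               = $ProcessId
        InheritedFromPid        = $inheritedFrom
        InheritorStillAlive     = [bool]$parent
        InheritorOlderThanChild = $olderThanChild           # $false means the PID was reused
    }
}

Test-InheritedFromPid -ProcessId $PID                      # run against the current shell
```

A `$false` in the last column means the field points at a PID that has since been recycled; a `$true` only confirms the inheritor existed first, not that it created the child.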