#1
I compiled the exact code in an empty Win32 Console project on Windows XP; it compiled with 0 errors and 0 warnings and ran without error. The results were:
Code:
mypid: 880(lsass.exe), parentpid: 824(winlogon.exe)
Press any key to continue
The only documentation on the structure I could find was:
Code:
typedef enum _DEBUG_CONTROL_CODE {
    DebugSysReadIoSpace  = 14,
    DebugSysWriteIoSpace = 15,
    DebugSysReadMsr      = 16,
    DebugSysWriteMsr     = 17,
    DebugSysReadBusData  = 18,
    DebugSysWriteBusData = 19,
} DEBUG_CONTROL_CODE;
Perhaps it's a Windows XP/2000 difference.
#2
Hi Viasek!
Something is wrong here. I agree with you that the code will run well on WinXP, but the parent process displayed is not correct. If your app is a Win32 Console app, the parent process must be Cmd.exe if you run your app from the console, or Explorer.exe if you run it from Explorer. We can use the SysInternals tool Process Explorer to check this.
Regards!
TQN
#3
From the command prompt:
Code:
C:\project\ParentID\Debug>parentid.exe
mypid: 880(lsass.exe), parentpid: 824(winlogon.exe)
C:\project\ParentID\Debug>parentid.exe
mypid: 1492(ParentID.exe), parentpid: 284(cmd.exe)
C:\project\ParentID\Debug>parentid.exe
mypid: 716(ParentID.exe), parentpid: 284(cmd.exe)
C:\project\ParentID\Debug>parentid.exe
mypid: 384(ParentID.exe), parentpid: 284(cmd.exe)
--Reopened Cmd prompt--
C:\project\ParentID\Debug>parentid
mypid: 800(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 620(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 948(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1116(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1152(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1132(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1120(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 632(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 944(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1272(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 224(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1188(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1308(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1276(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1304(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 276(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1424(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1160(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1452(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 928(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1220(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 220(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1952(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 520(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 516(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1492(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 740(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 780(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 572(ParentID.exe), parentpid: 696(cmd.exe)
C:\project\ParentID\Debug>parentid
mypid: 1472(ParentID.exe), parentpid: 696(cmd.exe)
Code:
mypid: 1416(ParentID.exe), parentpid: 1360(vcspawn.exe)
Press any key to continue
mypid: 624(devenv.exe), parentpid: 1748(explorer.exe)
Press any key to continue
mypid: 440(ParentID.exe), parentpid: 196(vcspawn.exe)
Press any key to continue
mypid: 624(devenv.exe), parentpid: 1748(explorer.exe)
Press any key to continue
mypid: 624(devenv.exe), parentpid: 1748(explorer.exe)
Press any key to continue
mypid: 1276(ParentID.exe), parentpid: 1308(vcspawn.exe)
Press any key to continue
mypid: 1188(ParentID.exe), parentpid: 224(vcspawn.exe)
Press any key to continue
#4
Viasek is right: the argument DebugReadMemory (8) was added in the Windows XP platform and is not documented. Also arguments 14-19, pointed out by Viasek, were added in Windows XP.
If you are interested in the Win2k platform, you need another way to read kernel space (a driver or a callgate).
The "something wrong" is very interesting: strangely, I cannot recreate it on my platform (Windows XP SP1), neither from a Win32 console nor from Visual Studio. It is related to the way the current process id is inferred, not to the way used to retrieve the process name or the process parent! It looks like, at the moment in which the current process structure is read from the kernel, the scheduler has selected another process... To avoid this, you can simply retrieve the current process id from userland:
Code:
DWORD mypid;
mypid = 0x7FFDE020;        // &(TEB.CLIENT_ID.UniqueProcess): first TEB at 0x7FFDE000, ClientId.UniqueProcess at offset 0x20
mypid = *(LPDWORD)mypid;   // read the PID straight from the current thread's TEB, no kernel read involved
P.S. This is my last post in this thread. I'm afraid JMI will call me an FTP chaser!
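The userland route suggested above, and TQN's advice to verify the parent with Process Explorer, can both be done without any kernel-memory read. The following is an added example written for this page, not code posted in the thread: it asks NtQueryInformationProcess for ProcessBasicInformation (so the PID and parent PID come from the caller's own process object, with no window for the scheduler to hand back a different "current" process), resolves the parent's name, and reads the same Win32_Process.ParentProcessId that Process Explorer displays as an independent check. The function name Get-ParentInfo is my own, and the script assumes a current Windows with PowerShell 3 or later for Get-CimInstance, not the XP/2000 systems discussed above.

```powershell
# Added example, not from the thread. Requires PowerShell 3+ (Get-CimInstance).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtDll {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref PROCESS_BASIC_INFORMATION pbi, int size, out int returnLength);
}
"@

function Get-ParentInfo {
    param([int]$ProcessId = $PID)

    $proc = Get-Process -Id $ProcessId
    $pbi  = New-Object NtDll+PROCESS_BASIC_INFORMATION
    $len  = 0
    # Info class 0 = ProcessBasicInformation. Everything comes from our own process
    # object via a documented-enough call; nothing is inferred from kernel memory.
    $status = [NtDll]::NtQueryInformationProcess($proc.Handle, 0, [ref]$pbi,
                  [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$len)
    if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }

    $parentPid = $pbi.InheritedFromUniqueProcessId.ToInt64()

    # The parent PID is recorded at creation time. If the parent has exited and its
    # PID was recycled, Get-Process returns an unrelated process, so compare start times.
    $parentName  = '<exited>'
    $parentAlive = $false
    try {
        $parent = Get-Process -Id $parentPid -ErrorAction Stop
        if ($parent.StartTime -le $proc.StartTime) {
            $parentName  = $parent.ProcessName
            $parentAlive = $true
        } else {
            $parentName = '<pid reused by {0}>' -f $parent.ProcessName
        }
    } catch { }

    # Independent read of the same field Process Explorer shows in its tree view.
    $wmiParent = (Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId").ParentProcessId

    [pscustomobject]@{
        Pid          = $ProcessId
        Name         = $proc.ProcessName
        ParentPid    = $parentPid
        ParentName   = $parentName
        ParentAlive  = $parentAlive
        WmiParentPid = $wmiParent
    }
}

Get-ParentInfo | Format-List
```

Run from a console it reports the hosting shell as the parent, from an IDE the IDE's launcher, matching what TQN describes. The start-time comparison matters because the listings above already show PIDs such as 1492 and 224 being reused within one session: InheritedFromUniqueProcessId never changes after creation, so once the real parent is gone the number can point at a process that was never the parent.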
#5
Ohh!
The Hobbits is reaching the psychic hotline and sees into the future. Trouble he is, and the stinking Hobbits has the precious. But the Hobbits has good information, and me wants more, more, more. Regards,
__________________
JMI |