我尝试在另一个进程上设置检测回调,但它给了我 0xc000000d (STATUS_INVALID_PARAMETER),但如果我在当前进程上设置它,那么它会成功。
有谁知道我做错了什么。
#define ProcessInstrumentationCallback 0x28
typedef struct _ProcessInstrumentationCallback
{
ULONG version;
ULONG reserved;
PVOID callback;
};
extern "C"
{
NTSTATUS NtSetInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength);
}
const auto process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);
if (!is_handle_valid(process_handle))
{
printf("Unable to open handle: 0x%x\n", process_handle);
return 0;
}
printf("Handle: 0x%x\n", process_handle);
_ProcessInstrumentationCallback info;
info.callback = nullptr;
info.reserved = 0;
info.version = 0;
NTSTATUS status = NtSetInformationProcess(process_handle, (PROCESSINFOCLASS)ProcessInstrumentationCallback, &info, sizeof(info));
printf("0x%x\n", status);
我通过在目标进程中分配一个缓冲区并将结构写入缓冲区然后将 ProcessInformation 参数更改为指向缓冲区的指针并将 ProcessInformationLength 更改为缓冲区的大小来修复它