Windows 如何找出哪个进程发送了请求?
我正在通过ObRegisterCallbacks编写一个进程访问过滤器 OB_PREOP_CALLBACK_STATUS PreCallbackPVOID registration context,POB_PRE_OPERATION_INFORMATION pOperationInformation { 未引用的参数注册上下文; 未引用的参数操作信息; PEPROCESS OpenedProcess=PEPROCESSpOperationInformation->Object, CurrentProcess=PsGetCurrentProcess; char szProcName[16]={0,}; strcpy_sszProcName,16,DWORD64pOperationInformation->Object+iOffset.ImageFileName_off; UINT64*id=UINT64*DWORD64pOperationInformation->Object+iOffset.UniqueProcessid\u off; //p过程保护过程; //PsLookupProcessByProcessId*id,&ProtectedProcess;//使用PID获取PEPROCESS 如果!\u strnicmpszProcName,notepad.exe,16 { 如果操作信息->操作==OB\u操作\u句柄\u创建 { 如果操作信息->参数->CreateHandleInformation.OriginalDesiredAccess&PROCESS\u TERMINATE==PROCESS\u TERMINATE { pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess&=~PROCESS\u TERMINATE; } 如果操作信息->参数->CreateHandleInformation.OriginalDesiredAccess&PROCESS\u VM\u READ==PROCESS\u VM\u READ { pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess&=~PROCESS\u VM\u READ; } 如果操作信息->参数->CreateHandleInformation.OriginalDesiredAccess和PROCESS\u VM\u操作==PROCESS\u VM\u操作 { pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess&=~PROCESS\u VM\u操作; } 如果操作信息->参数->CreateHandleInformation.OriginalDesiredAccess&PROCESS\u VM\u WRITE==PROCESS\u VM\u WRITE { pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess&=~PROCESS\u VM\u WRITE; } } } 返回OB_PREOP_成功; } 如果在启动程序后启动驱动程序,则一切正常。 如果程序在驱动程序启动后启动,则程序挂起。 我假设程序本身无法获得句柄 如何找出是谁发送了请求?Windows 如何找出哪个进程发送了请求?,windows,driver,Windows,Driver,我正在通过ObRegisterCallbacks编写一个进程访问过滤器 OB_PREOP_CALLBACK_STATUS PreCallbackPVOID registration context,POB_PRE_OPERATION_INFORMATION pOperationInformation { 未引用的参数注册上下文; 未引用的参数操作信息; PEPROCESS OpenedProcess=PEPROCESSpOperationInformation->Object, CurrentP
如何找出发送请求的进程的PID?在此回调中,当前上下文是操作请求者
只需调用PsGetCurrentProcess和PsGetCurrentProcessId即可获取当前上下文的PEPROCESS和Id。我可以知道调用的是哪个驱动程序吗?`if pOperationInformation->KernelHandle{if…{/..}返回OB_PREOP_SUCCESS;}`