The difference between ZwCreateProcess and ZwCreateProcessEx

Source: Baidu Zhidao  Editor: UC Zhidao  Time: 2024/05/20 12:43:55
As the title says: when should each one be called?

/* Function-pointer types for the two native process-creation calls. */
typedef NTSTATUS (NTAPI * ZWCREATEPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE Inherit,
    IN BOOLEAN InheritHandle,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL
);
/* NTAPI (__stdcall) is needed here as well so the calling convention matches. */
typedef NTSTATUS (NTAPI * ZWCREATEPROCESSEX)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcess,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL,
    IN HANDLE UnknownHandle // -------------> one extra parameter
);
  

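On XP, in the kernel: ZwCreateProcess->SSDT->NtCreateProcess->NtCreateProcessEx;
in user mode, CreateProcess, WinExec, and ShellExecute call ZwCreateProcessEx to enter the kernel. In other words, ZwCreateProcess is not used; ZwCreateProcess is probably an API left over from pre-XP systems, and it now seems to have no use.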