- PsGetCurrentProcess
https://docs.microsoft.com/zh-cn/windows-hardware/drivers/kernel/mm-bad-pointer#psgetcurrentprocess
Defined in: Ntddk.h
Returns a pointer to the process of the current thread.
Return value: a pointer to an opaque process object.
Available starting with Windows 2000.
IRQL: Any level
- NtCurrentProcess
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/mm-bad-pointe
ZwCurrentProcess
Defined in: Wdm.h
The ZwCurrentProcess macro returns a handle to the current process.
Return value: HANDLE. ZwCurrentProcess returns a special handle value that represents the current process. The returned value is not a true handle, but it is a special value that always represents the current process.
NtCurrentProcess and ZwCurrentProcess are two versions of the same Windows Native System Services routine. The NtCurrentProcess routine in the Windows kernel is not directly accessible to kernel-mode drivers. However, kernel-mode drivers can access this routine indirectly by calling ZwCurrentProcess.
For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
Requirements: all supported operating systems.
IRQL: Any level
- Difference:
[popexizhi:
PsGetCurrentProcess returns a value, which is just the PID of the process the current thread belongs to;
whereas NtCurrentProcess returns a handle, the handle of the current process.
NtCurrentProcess also has a counterpart, ZwCurrentProcess; for the difference between them
see: https://blog.csdn.net/int2e/article/details/1998833
The difference between ZwCreateFile in ntdll.dll and ZwCreateFile in ntoskrnl.exe is: the former is called by user-mode applications, the latter by kernel-mode drivers;
the difference between NtCreateFile in ntdll.dll and NtCreateFile in ntoskrnl.exe is: the former runs in ring 3, the latter in ring 0; the former is implemented through an interrupt, and the latter is the former's interrupt handler.
]
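To make the pointer-versus-handle distinction in the two documentation excerpts concrete, here is an added, hypothetical user-mode C model (not kernel code, not from the cited docs, and not the author's): the pseudo-handle value is defined exactly as the SDK macros define it, always denotes the caller's process without any handle-table lookup, and the PsGetCurrentProcess analogue returns an object pointer rather than a PID; the names EPROCESS_MODEL, PsGetCurrentProcessModel, ResolveProcessHandle and the handle-table contents are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Pseudo-handle value as in the SDK: NtCurrentProcess()/ZwCurrentProcess()
 * expand to (HANDLE)-1, a value with no entry in any handle table. */
typedef void *HANDLE;
#define NtCurrentProcess() ((HANDLE)(intptr_t)-1)
#define ZwCurrentProcess() NtCurrentProcess()

/* Constructed stand-in for the opaque EPROCESS object. */
typedef struct { uint32_t pid; } EPROCESS_MODEL;

/* Handle-table entry: object pointer plus the granted access mask. */
typedef struct { EPROCESS_MODEL *object; uint32_t access; } HANDLE_ENTRY;
#define PROCESS_QUERY_INFORMATION 0x0400u   /* real Win32 access-right value */

/* Model of PsGetCurrentProcess: a pointer to the object, not a PID. */
static EPROCESS_MODEL g_current = { 4242 };
static EPROCESS_MODEL *PsGetCurrentProcessModel(void) { return &g_current; }

/* Constructed handle table: index 0 unused; index 1 is a real handle to
 * another process granting only QUERY access. Handle values are index*4. */
static EPROCESS_MODEL g_other = { 7 };
static HANDLE_ENTRY g_table[] = { { NULL, 0 },
                                  { &g_other, PROCESS_QUERY_INFORMATION } };

/* Resolve a process handle the way the docs describe it: the pseudo handle
 * always means the caller's own process (no table lookup, full access);
 * any other value is looked up and checked against the requested access. */
EPROCESS_MODEL *ResolveProcessHandle(HANDLE h, uint32_t desired_access) {
    if (h == ZwCurrentProcess())
        return PsGetCurrentProcessModel();
    uintptr_t v = (uintptr_t)h;
    if (v % 4 != 0) return NULL;                 /* not a well-formed handle */
    size_t idx = v / 4;
    if (idx == 0 || idx >= sizeof g_table / sizeof g_table[0]) return NULL;
    if ((g_table[idx].access & desired_access) != desired_access) return NULL;
    return g_table[idx].object;
}

int main(void) {
    EPROCESS_MODEL *self = ResolveProcessHandle(ZwCurrentProcess(), 0);
    printf("pseudo handle -> object %p, pid %u\n", (void *)self, self->pid);
    return 0;
}
```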
PS: the difference between ring 3 and ring 0 in an OS
https://www.cnblogs.com/pcajax/archive/2011/03/16/1986407.html