Module information not available with DEBUG_PROCESS
I'm trying to create a process with DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS flags.
For some reason when I try to use a method such as "GetModuleFileNameExA" I get the "ERROR_INVALID_HANDLE" error.
I know my process handle is correct, but it happens even if I call the method like so:
GetModuleFileNameExA(processHandle, NULL, moduleFileName, sizeof(moduleFileName));
which is supposed to give the name of the main module of the process.
I read in MSDN that the flags: PROCESS_VM_READ and PROCESS_QUERY_INFORMATION are required on that process creation but I tried it together with DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS and it didn't help.
When I attach my program to a running process it works fine.
What am I doing wrong?
If successful, the handle returned by CreateProcess has PROCESS_ALL_ACCESS, so that's not the problem.
What is a problem is that right after CreateProcess Windows hasn't performed initialization yet, and thus not set up the module list. Trying to query the debuggee's modules (even the main module) will fail at that point, no matter what interface you use (Toolhelp, psapi, kernel32).
Your best bet is to wait for CREATE_PROCESS_DEBUG_EVENT and query then.
If you need names of loaded DLLs, you will have to wait for them to load and receive LOAD_DLL_DEBUG_EVENT. Last time I checked on XP, they can't be queried here either; you will have to wait for the next debug event for that information to be available.
Maybe resorting to native NT API might help, or it might be fixed on Vista and up.
Out of curiosity, why do you need the module file name when you clearly have it when calling CreateProcess?
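The timing described in the answer above, as an added example that is not part of the original question or answer: a debug loop that queries the main module at CREATE_PROCESS_DEBUG_EVENT and defers each DLL to the debug event after its LOAD_DLL_DEBUG_EVENT. The helper name modules_ready and taking the target path from argv[1] are assumptions; whether a query succeeds at a given event depends on the Windows version, so a failed query is printed rather than assumed away.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#else  /* Win32 debug event codes, so the scheduling helper also builds off Windows */
#define CREATE_PROCESS_DEBUG_EVENT 3
#define LOAD_DLL_DEBUG_EVENT 6
#endif
/* Hypothetical helper (not from the page): per debug event, fill ready[2] with bases to query now. */
int modules_ready(uintptr_t *pending, unsigned code, uintptr_t base, uintptr_t *ready)
{
    int n = 0;
    if (*pending) { ready[n++] = *pending; *pending = 0; }      /* DLL from the previous event */
    if (code == CREATE_PROCESS_DEBUG_EVENT) ready[n++] = base;  /* main module: query now */
    else if (code == LOAD_DLL_DEBUG_EVENT) *pending = base;     /* DLL: wait one event */
    return n;
}
#ifdef _WIN32
int main(int argc, char **argv)  /* argv[1]: path of the program to debug */
{
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    DEBUG_EVENT ev;
    uintptr_t pending = 0, ready[2];
    char name[MAX_PATH];
    if (argc < 2 || !CreateProcessA(argv[1], NULL, NULL, NULL, FALSE, DEBUG_PROCESS |
            DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi)) return 1;
    while (WaitForDebugEvent(&ev, INFINITE)) {
        DWORD code = ev.dwDebugEventCode, cont = DBG_CONTINUE;
        uintptr_t base = 0;
        if (code == CREATE_PROCESS_DEBUG_EVENT) {
            base = (uintptr_t)ev.u.CreateProcessInfo.lpBaseOfImage;
            CloseHandle(ev.u.CreateProcessInfo.hFile);  /* the debugger must close hFile */
        } else if (code == LOAD_DLL_DEBUG_EVENT) {
            base = (uintptr_t)ev.u.LoadDll.lpBaseOfDll;
            CloseHandle(ev.u.LoadDll.hFile);
        } else if (code == EXCEPTION_DEBUG_EVENT &&
                   ev.u.Exception.ExceptionRecord.ExceptionCode != EXCEPTION_BREAKPOINT)
            cont = DBG_EXCEPTION_NOT_HANDLED;  /* pass real exceptions to the debuggee */
        int n = modules_ready(&pending, code, base, ready);
        for (int i = 0; i < n; i++)  /* report a failed query instead of assuming success */
            printf("%p %s\n", (void *)ready[i], GetModuleFileNameExA(pi.hProcess,
                   (HMODULE)ready[i], name, sizeof name) ? name : "(query failed)");
        if (code == EXIT_PROCESS_DEBUG_EVENT) break;
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, cont);
    }
    return 0;
}
#endif
```

On Windows, link against psapi (psapi.lib, or -lpsapi with MinGW).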