ProcessInfo

A small class to gather information about a Windows process, its threads and modules. It supports both x86 and x64; gathering information about an x64 process from within a WOW64 (32-bit) process works as well.

It gathers the information through the native API: NtQuerySystemInformation, NtQueryInformationProcess and NtQueryInformationThread.

Use SetProcess to specify a process. The handle passed in needs PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_INFORMATION_LIMITED access rights. Calling RefreshInformation after switching to a new process is recommended but not mandatory.

The following process related functions are available:

  • GetPID
  • GetPEB
  • GetEntrypoint
  • IsNative
  • GetProcessInfo

Use FirstThread and NextThread to enumerate all threads of the process; they work like Thread32First and Thread32Next. Alternatively, use SetThread to select a thread by its thread identifier.
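The class gathers its thread list through NtQuerySystemInformation, and FirstThread/NextThread walk that list for the selected process. The example below, added here and not part of ProcessInfo's own code, shows what such a walk has to do with the SystemProcessInformation buffer that call returns: entries are variable-sized (the thread records trail each process head), the list is chained by NextEntryOffset, and a bounds check is needed at every step so a truncated or malformed buffer cannot be walked off the end. The struct layouts follow the documented field order of SYSTEM_PROCESS_INFORMATION / SYSTEM_THREAD_INFORMATION but are trimmed to the fields used and are assumed, illustrative definitions, not winternl.h; the buffer is constructed inline so the code runs offline on any platform.

```cpp
// Walking a SystemProcessInformation-style buffer to enumerate one PID's threads.
// Layouts are assumed/illustrative (documented field order, trimmed), not winternl.h.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// KTHREAD_STATE values reported in ThreadState.
enum KThreadState : uint32_t {
    Initialized = 0, Ready = 1, Running = 2, Standby = 3, Terminated = 4,
    Waiting = 5, Transition = 6, DeferredReady = 7, GateWait = 8
};
// Leading KWAIT_REASON values reported in WaitReason (meaningful for Waiting threads).
enum KWaitReason : uint32_t {
    Executive = 0, FreePage = 1, PageIn = 2, PoolAllocation = 3,
    DelayExecution = 4, Suspended = 5, UserRequest = 6
};

struct SysThreadInfo {            // one record per thread, placed right after the process head
    int64_t  KernelTime, UserTime, CreateTime;
    uint32_t WaitTime;
    uint32_t Pad0;                // keeps StartAddress 8-byte aligned, as on x64
    uint64_t StartAddress;        // PVOID on x64: the thread's start routine
    uint64_t UniqueProcess;       // CLIENT_ID.UniqueProcess (PID)
    uint64_t UniqueThread;        // CLIENT_ID.UniqueThread (TID)
    int32_t  Priority, BasePriority;
    uint32_t ContextSwitches, ThreadState, WaitReason, Pad1;
};
struct SysProcessInfo {           // fixed-size head of each list entry
    uint32_t NextEntryOffset;     // bytes from this head to the next; 0 marks the last entry
    uint32_t NumberOfThreads;     // SysThreadInfo records following this head
    uint64_t UniqueProcessId;     // HANDLE-sized PID
};

struct ThreadSummary { uint64_t Tid; uint64_t StartAddress; uint32_t State; uint32_t WaitReason; };

// Walk the chain until the entry for `pid` is found, then copy out its threads.
// Every step is checked against `len`: a truncated or hostile buffer makes the
// walk fail instead of reading past the end or looping on an overlapping entry.
bool EnumerateThreads(const uint8_t* buf, size_t len, uint64_t pid, std::vector<ThreadSummary>& out) {
    size_t off = 0;
    for (;;) {
        if (off > len || len - off < sizeof(SysProcessInfo)) return false;   // head does not fit
        SysProcessInfo pi;
        std::memcpy(&pi, buf + off, sizeof pi);
        size_t entrySize = sizeof(SysProcessInfo) + (size_t)pi.NumberOfThreads * sizeof(SysThreadInfo);
        if (len - off < entrySize) return false;                              // thread array does not fit
        if (pi.UniqueProcessId == pid) {
            const uint8_t* t = buf + off + sizeof(SysProcessInfo);
            for (uint32_t i = 0; i < pi.NumberOfThreads; ++i, t += sizeof(SysThreadInfo)) {
                SysThreadInfo ti;
                std::memcpy(&ti, t, sizeof ti);
                out.push_back({ti.UniqueThread, ti.StartAddress, ti.ThreadState, ti.WaitReason});
            }
            return true;
        }
        if (pi.NextEntryOffset == 0) return false;          // end of list, pid absent
        if (pi.NextEntryOffset < entrySize) return false;   // next entry overlaps this one: malformed
        off += pi.NextEntryOffset;
    }
}

// Constructed sample buffer (not real NtQuerySystemInformation output): three
// processes, PID 4242 owning a waiting main thread and a running worker thread.
std::vector<uint8_t> BuildSampleBuffer() {
    std::vector<uint8_t> buf;
    auto append = [&](uint64_t pid, const std::vector<SysThreadInfo>& threads, bool last) {
        SysProcessInfo pi{};
        pi.NumberOfThreads = (uint32_t)threads.size();
        pi.UniqueProcessId = pid;
        size_t entrySize = sizeof(SysProcessInfo) + threads.size() * sizeof(SysThreadInfo);
        pi.NextEntryOffset = last ? 0 : (uint32_t)entrySize;
        const uint8_t* p = reinterpret_cast<const uint8_t*>(&pi);
        buf.insert(buf.end(), p, p + sizeof pi);
        for (const SysThreadInfo& t : threads) {
            const uint8_t* q = reinterpret_cast<const uint8_t*>(&t);
            buf.insert(buf.end(), q, q + sizeof t);
        }
    };
    SysThreadInfo mainThread{};
    mainThread.UniqueProcess = 4242; mainThread.UniqueThread = 1000;
    mainThread.StartAddress = 0x7ff6c0001234ULL; mainThread.ThreadState = Waiting; mainThread.WaitReason = UserRequest;
    SysThreadInfo worker{};
    worker.UniqueProcess = 4242; worker.UniqueThread = 1001;
    worker.StartAddress = 0x7ffa11223344ULL; worker.ThreadState = Running; worker.WaitReason = Executive;
    append(4, {}, false);
    append(4242, {mainThread, worker}, false);
    append(7777, {}, true);
    return buf;
}

// Thread count for a PID in the sample buffer, -1 if absent or the buffer is
// malformed; `keep` optionally truncates the buffer to simulate a short read.
int CountThreads(uint64_t pid, size_t keep = SIZE_MAX) {
    std::vector<uint8_t> buf = BuildSampleBuffer();
    if (keep < buf.size()) buf.resize(keep);
    std::vector<ThreadSummary> ts;
    return EnumerateThreads(buf.data(), buf.size(), pid, ts) ? (int)ts.size() : -1;
}

int main() {
    std::vector<uint8_t> buf = BuildSampleBuffer();
    std::vector<ThreadSummary> ts;
    if (!EnumerateThreads(buf.data(), buf.size(), 4242, ts)) return 1;
    for (const ThreadSummary& t : ts)
        std::printf("TID %llu start=0x%llx state=%u waitreason=%u\n",
                    (unsigned long long)t.Tid, (unsigned long long)t.StartAddress, t.State, t.WaitReason);
    return 0;
}
```

On Windows the buffer comes from NtQuerySystemInformation(SystemProcessInformation, ...), which must be retried with a larger buffer while it returns STATUS_INFO_LENGTH_MISMATCH; the real SYSTEM_PROCESS_INFORMATION head is larger than the trimmed one above, so the thread array starts at the real sizeof, but the NextEntryOffset chain and the per-entry bounds checks are the same.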

The following thread related functions are available and return information about the currently selected thread:

  • GetThreadState
  • GetThreadStartAddress
  • IsThreadWorkerThread
  • IsThreadInAlertableState (not supported when querying an x64 process from a WOW64 process)
  • GetThreadInfo

GetLdrEntry returns a pointer to the LDR_DATA_TABLE_ENTRY structure of the specified module, located through the loader data referenced from the process's PEB.