Thread: parent?
View Single Post
  #4  
Old 07-24-2004, 15:42
TQN TQN is offline
VIP
  
Join Date: Apr 2003
Location: Vietnam
Posts: 358
Rept. Given: 143
Rept. Rcvd 24 Times in 13 Posts
Thanks Given: 196
Thanks Rcvd at 168 Times in 51 Posts
TQN Reputation: 24
Thank for your code, bilbo !

I compiled your code, run on my Win 2000 Test Server. The call ZwSystemDebugControl failed, return STATUS_INVALID_INFO_CLASS (0xc0000003). Can you explain me the meaning of "#define DebugReadMemory 8". In the book "The Win2000 Native API Reference", we only have:
typedef enum _DEBUG_CONTROL_CODE {
DebugGetTraceInformation = 1,
DebugSetInternalBreakpoint,
DebugSetSpecialCall,
DebugClearSpecialCalls,
DebugQuerySpecialCalls,
DebugDbgBreakPoint // maximize is 6
} DEBUG_CONTROL_CODE;

If I remember correctly, Kayaker have posted a method to detect parent process and number of threads uses native API in a topic on Woodmann.net. I will search again now.

Attached file is my source code and .exe of DetectOlly app, uses ToolHelp API.

Regards !
TQN
Attached Files
File Type: rar DetectOlly.rar (2.5 KB, 9 views)
Last edited by TQN; 07-24-2004 at 15:55.
Reply With Quote