ZwOpenProcess and ClientId

Hi,
I noticed that one can call ZwOpenProcess with a ClientID that is NULL. In that case one should put the process name inside the ObjectAttributes parameter. Does anyone know what is the correct name to put? Suppose I want to open “MyApp.exe” and I know that only one instance of it is running, can I use ZwOpenProcess or do I need to use the more cumbersome (and undocumented) process enumeration method?

Thanks,
Eran.

Like any other object, an EPROCESS can be named. ZwCreateProcess() takes an OBJECT_ATTRIBUTES parameter, so that a caller may assign a name to the process it wants to create. Please note that it has nothing to do with the executable file that has been used to create a process, and, hence, is completely unrelated to the names that you see in a Process Viewer; instead, it is purely Object Manager’s stuff. All processes that are created by the Win32 subsystem are not named. Therefore, your approach is not going to work with any process, apart from those that have been created as a sequence of direct calls to the native API, rather than via a call to CreateProcess()…

Anton Bassov