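I wrote a simple program, based on the WDK sample, that scans memory from a dump file.
Now I want to do the same thing on a process while it is running, but I am facing several problems:
- I don't know how to break into a running process.
- When I leave my program, the debuggee closes, even though I called DetachProcess.

Thanks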

    void ApplyCommandLineArguments(void)
    {
        HRESULT Status;

        // Install output callbacks so we get any output that the
        // later calls produce.
        if ((Status = g_Client->SetOutputCallbacks(&g_OutputCb)) != S_OK)
        {
            Exit(1, "SetOutputCallbacks failed, 0x%X\n", Status);
        }

        if (isDump())
        {
            // Everything's set up so open the dump file.
            if ((Status = g_Client->OpenDumpFile(g_DumpFile)) != S_OK)
            {
                Exit(1, "OpenDumpFile failed, 0x%X\n", Status);
            }

            // Finish initialization by waiting for the event that
            // caused the dump. This will return immediately as the
            // dump file is considered to be at its event.
            if ((Status = g_Control->WaitForEvent(DEBUG_WAIT_DEFAULT,
                                                  INFINITE)) != S_OK)
            {
                Exit(1, "WaitForEvent failed, 0x%X\n", Status);
            }
        }
        else
        {
            if ((Status = g_Client->AttachProcess(0, GetPid(),
                                                  0/*DEBUG_ATTACH_NONINVASIVE*/)) != S_OK)
            {
                Exit(1, "AttachProcess failed, 0x%X\n", Status);
            }
        }

        // Everything is now initialized and we can make any
        // queries we want.
    }