
我用 NtCreateUserProcess 创建了进程。但我想用隐藏窗口选项创建进程。

我在 RTL_USER_PROCESS_PARAMETERS 中找到了 ShowWindowFlags 字段,但将其设为 SW_HIDE 后并不起作用。

以下是我目前为 NtCreateUserProcess 准备各个参数的代码。

RTL_CREATE_USER_PROCESS:

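  // Build the RTL_USER_PROCESS_PARAMETERS block that will be handed to
  // NtCreateUserProcess. On failure the NTSTATUS is printed and the enclosing
  // function returns 1.
  PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;

  // The caller's own parameter block, read from the PEB; only its DesktopInfo
  // string is reused below.
  PRTL_USER_PROCESS_PARAMETERS OwnParameters = NtCurrentPeb()->ProcessParameters;

  NTSTATUS status = RtlCreateProcessParametersEx(
      &ProcessParameters,
      &ImagePath,                   // ImagePathName
      NULL,                         // DllPath: none supplied
      PtrCurrentDirectory,          // CurrentDirectory
      &CommandLine,                 // CommandLine
      NULL,                         // Environment: none supplied here
      &ImagePath,                   // WindowTitle: the image path is reused
      &OwnParameters->DesktopInfo,  // DesktopInfo: copied from the caller
      NULL,                         // ShellInfo
      NULL,                         // RuntimeData
      RTL_USER_PROCESS_PARAMETERS_NORMALIZED);
  if (!NT_SUCCESS(status)) {
    // NTSTATUS is a signed LONG; cast it so the argument type matches the
    // conversion specifier instead of passing a LONG to "%x".
    printf("%lx\n", static_cast<unsigned long>(status));
    return 1;
  }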

PS_CREATE_INFO:

  // Describe the initial creation state for NtCreateUserProcess.
  PS_CREATE_INFO CreateInfo;
  // Zero the whole structure first so every field not set below is 0.
  RtlZeroMemory(&CreateInfo, sizeof(CreateInfo));
  CreateInfo.State = PsCreateInitialState;
  CreateInfo.Size = sizeof(CreateInfo);
  {
    // Scoped alias so the shorthand name does not leak into the code that follows.
    auto& InitialState = CreateInfo.InitState;
    InitialState.AdditionalFileAccess = FILE_READ_DATA | FILE_READ_ATTRIBUTES;
    // NOTE(review): presumably makes creation fail for images that carry the
    // DLL characteristic - confirm against the PS_CREATE_INFO definition in use.
    InitialState.u1.s1.ProhibitedImageCharacteristics = IMAGE_FILE_DLL;
    InitialState.u1.s1.DetectManifest = TRUE;
    InitialState.u1.s1.WriteOutputOnExit = TRUE;
  }

PS_ATTRIBUTE_LIST:

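  // Allocate a zero-filled PS_ATTRIBUTE_LIST from the process heap.
  // AttributesSize is defined outside this excerpt.
  // NOTE(review): it must cover the list header plus every attribute entry
  // that gets filled in - confirm against the number of entries used.
  PPS_ATTRIBUTE_LIST AttributeList = reinterpret_cast<PPS_ATTRIBUTE_LIST>(
      RtlAllocateHeap(RtlProcessHeap(),
                      HEAP_ZERO_MEMORY,
                      AttributesSize));
  if (AttributeList == NULL) {
    // RtlAllocateHeap returns NULL when the allocation fails; writing
    // TotalLength through it would dereference a null pointer.
    // NOTE(review): the parameter block created earlier is not released on this
    // path (RtlDestroyProcessParameters) - confirm where cleanup happens.
    printf("RtlAllocateHeap failed\n");
    return 1;
  }
  AttributeList->TotalLength = AttributesSize;

  // First attribute: the NT-format image path. Size is taken from
  // UNICODE_STRING::Length, which is a byte count, not a character count.
  ULONG N = 0;
  AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
  AttributeList->Attributes[N].Size = NtImagePath.Length;
  AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(NtImagePath.Buffer);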
