The NT "reserve object"
Windows 7 introduced two new object types: UserApcReserve and IoCompletionReserve. What do these object types have in common? They’re both created using N...
Category: Programming
PAE patch updated for Windows 7
Note: An updated version for Windows 7 SP1 is available. This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Vista and 7, has...
HOWTO: Use I_QueryTagInformation
Process Explorer 12 includes a new feature whereby you can view service names associated with threads. To find out how this works, read this article by Alex Ion...
Get the image file name of any process from any user on Vista and above
On Vista and above there is an information class for NtQuerySystemInformation which I call SystemProcessImageNameInformation (88). (Note that I reverse-engineer...
Fast reader-writer lock in C
I ported my fast reader-writer lock from C# to C for Process Hacker 2. Here it is. #include <windows.h> #include <intrin.h> // Put this in a header ...
12 ways to terminate a process
TerminateProcess or NtTerminateProcess Everyone knows about TerminateProcess. You simply open a handle to the target process and call TerminateProcess. In case ...
NtQuerySystemInformation: a simple way to bypass rootkits which hide processes by hooking
You’ve probably seen code like this: NTSTATUS MyRootkitNtQuerySystemInformation( ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInform...
HOWTO: Implement your own NtOpenProcess in kernel-mode
Writing a system utility but annoyed by the fact that you can’t open the processes of security software and rootkits, instead receiving “Access Deni...
HOWTO: Get the command line of a process
How would you get the command line of a process? Some people have suggested that you use remote thread injection, call GetCommandLine(), then IPC the result bac...
Process Hacker
<advertisment> I’ve been working a C# program for the past 2 weeks… Process Hacker is a process viewer/manager with special features, includin...