Common Process Functions

最新推荐文章于 2022-06-21 11:08:31 发布
最新推荐文章于 2022-06-21 11:08:31 发布
阅读量1.5k 收藏
点赞数
分类专栏: 点点滴滴 windows

Registry Operations:
RegOpenKey
The process opened the Registry key specified in the Path column.


RegCloseKey
The process closed the Registry key specified in the Path column.


RegQueryValue
The process queried for the value of the Registry value listed in the Path statement. The value retrieved is listed in the Detail column.


RegEnumValue
The process is querying the value names and their data for the key in the Path. You will see repeated RegEnumValue and RegQueryValue operations
until all the values under this key have been enumerated.


RegQueryKey
The process queried the Registry key listed in the Path for information about the key. This information, such as the amount of values or subkeys
underneath it, is displayed in the Detail column.


RegEnumKey
The process queried the Registry key listed in the Path for information about it’s subkeys. You will see further RegEnumKey entries until there are no
more subkeys to enumerate.


RegCreateKey
The process attempted to create the key specified in the Path column.


RegSetValue
The process created or set the data of the value in the Path column with the information from the Detail column.

 

======================================================================================

File Operations:
QueryBasicInformationFile (FASTIO_QUERY_INFORMATION)
The process queried the file in the Path column for one of the following attributes:
CreationTime, LastAccessTime, LastWriteTime, ChangeTime, FileAttributes


QueryStandardInformationFile(FASTIO_QUERY_INFORMATION)
The process queried the file in the Path column for one of the following attributes:
AllocationSize, EndOfFile, NumberOfLinks, DeletePending, Directory


QueryNameInformationFile (IRP_MJ_QUERY_INFORMATION)
The process queried the file in the Path column for one of the following attributes: FileNameLength, FileName


SetBasicInformationFile (IRP_MJ_SET_INFORMATION)
The process changed one of the following attributes in the file in the Path field:
CreationTime, LastAccessTime, LastWriteTime, ChangeTime, FileAttributes


QueryOpen (FASTIO_NETWORK_QUERY_OPEN)
Appears before each CreateFile operation, checks for file specified in the Path.


CreateFile (IRP_MJ_CREATE)
The process opened or created the file specified in the Path. Whether the file was opened or created can be determined by the Disposition value in the
Details column.


CloseFile (IRP_MJ_CLEANUP)
The process closed the file specified in the Path.


QueryDirectory (IRP_MJ_DIRECTORY_CONTROL)
The process queried the contents of the directory listed in the Path. This listing will be found in the Details column.


WriteFile (IRP_MJ_WRITE)
The process wrote data to the file specified in the Path. The location written to in the file and the amount of data is specified in the Details column.

ReadFile (IRP_MJ_READ)
The process is reading the file specified in the Path statement. The Details column will tell you how many bytes were read during this operation. You
will see more ReadFile operations until an End of File (EOF) is reached.


SetEndOfFileInformationFile (IRP_MJ_SET_INFORMATION)
The process set the offset which the file’s End of File should be set to. This value is listed in the Details column.


SetRenameFileInformationFile (IRP_MJ_SET_INFORMATION)
The process renamed the file or directory in the Path column to the file or directory found in the Details column.

 

=====================================================================================
Process Operations:
Thread Create
The process opened the Registry key specified in the Path column..


Thread Exit
The process closed the Registry key specified in the Path column.


Process Exit
The process queried for the value of the Registry value listed in the Path statement. The value retrieved is listed in the Detail column.

 

`北极星
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
在过滤驱动程序创建IRP查询文件信息
峥嵘岁月
02-04 5730
在开发Windows下文件系统过滤驱动程序时,我们经常需要先查询一下文件的属性信息,为了实现这个小目标,可以调用Windows Native API函数ZwQueryInformationFile并提供希望查询的文件信息类的名字及结构即可。不过如果我们在驱动程序当中自己处理信息查询请求,可以避免IRP重入的问题。1.自己创建文件信息查询IRPNTSTATUSQueryFileInforma
Common Functions
SpeedBoy007的专栏
03-05 875
describes the built-in common functions. These functions can be used within vertex and fragment shaders. These functions operate component-wise. Table B-3. Common Functions Syn
CommonFunction
天外有天,人外有人。 专注品质 不断创新 让精益求精成为习惯
01-05 2091
<br />using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.IO; using System.Windows.Forms; namespace Ella.ToolKit { /// <summary> /// 公共方法 /// <para/>Author : AnDequan /// <para/>Da
studio一直编译不过 com.android.ide.common.process.ProcessException
RootYxb的专栏
10-16 1392
1.File -&gt; Invalidate cache and restart 2.删除project下面的 .gradle文件,里面应该是包含了多个版本的gradle包,删除后rebuild
COMMNAD PROCESS
LMN3951的专栏
04-21 282
1.PDA 操作,send command+data----->    2000s操作,读com data ,解析命令,写入tx*.txt----->   2000s操作,发送message,给餐饮软件-----> ( 餐饮软件处理,写输入给RX*.TXT----->)  2000s操作,读RX*.TXT,解析命令,写入com
linux-get-net-packet-libpcap.rar_The Common
09-19
这是我自己实现的抓包程序,用的libpcap 库,...This is my own implementation of the capture process, using the libpcap library, functions with a lot of, at least to achieve common packet grasp and resolve.
CUDA11.0-C-Programming-Guide.pdf
最新发布
04-24
These functions provide efficient ways to perform common reduction operations like sum, max, and min. 7. **tf32, Bfloat16, and Double Precision Tensor Cores via Warp Matrix Functions API** - The ...
An Introduction to Programming with C++
01-25
Preface xiv Read This Before You Begin ...appEndix C Common Syntax errors 597 appEndix d How To Boxes 599 index 603 The answers pdf and data files can be found online at CengageBrain com Brief contents
Learning Python 5th Edition(Python学习手册,第5版,英文)
07-01
- Create and process objects with Python statements, and learn Python’s general syntax model - Use functions to avoid code redundancy and package code for reuse - Organize statements, functions, and ...
简单的恶意样本行文分析-入门篇
weixin_48421613的博客
06-21 1151
开篇引题,此篇文章为入门入门文章,里面的内容为后续软件安全分析铺垫,有点东西,但是不多,所以大家觉得有用就看一眼,觉得无用就不看哈,别喷;此类应用场景呢,其实就是恶意样本行为分析、在遇到后门、应急响应后将恶意样本拷贝走之后去做一个初步的排查,能发现样本做了些什么,他有哪些功能等等...
(转)深入理解文件操作函数native api之ZwQueryInformationFile 获取File ID
gylll的专栏
03-03 3545
http://hi.baidu.com/liushijianlu/blog/item/b104c810a08f8b28dc5401fb.html>深入理解文件操作函数native api之ZwQueryInformationFile看这个函数的名字和参数就能够知道他是干嘛用的了,但是他的作用远不止这些,这需要一些技巧和深入的理解才能有了新的思路。现在仅仅是明白了函数
Process monitor词汇汉化
qlexcel的专栏
07-20 1878
Process Monitor一款系统进程监视软件,总体来说,Process Monitor相当于Filemon+Regmon,其中的Filemon专门用来监视系统 中的任何文件操作过程,而Regmon用来监视注册表的读写操作过程。 有了Process Monitor,使用者就可以对系统中的任何文件和 注册表操作同时进行监视和记录,通过注册表和文件读写的变化, 对于帮助诊断系统故障或是
[知识小节]Process Monitor介绍
热门推荐
网络安全知识分享
03-05 1万+
Process Monitor1、工具基本介绍2、使用场景3、常见用法4、实例分析 1、工具基本介绍 Process Monitor是微软推荐的一款系统监视攻击,能供实时显示文件系统、注册表、网络连接于进程活动的攻击工具。它整合了一些工具,其中Folemon专门用来监视系统中的任何文件操作过程,Regmon用来监视注册表的读写操作过程。 Filemon:文件监视器 Regmon:注册表监视器 同时。Process Monitor增加了进程ID、用户、进程可靠度等监视项。它的强大功能足以使Process
文件系统Minifilter驱动(九)
听风
03-02 4209
六、决定一个I/O操作的Buffering方法 与设备驱动一样,文件系统负责在用户模式应用程序和一个系统的设备之间传输数据.操作系统提供了以下三种方法访问数据buffer: · 在buffered I/O方法中,I/O管理器从非分页池中为操作分配一个系统buffer.I/O管理器在发起该I/O操作的上下文中,从这个系统buffer中复制数据到应用程序的user buffer中,反之亦然.
ZwQueryVolumeInformationFileFileFsAttributeInformation
yangsongqbs的专栏
04-18 1709
这次在编写一个windows下的虚拟磁盘时,发现了一个很郁闷的问题, 在查询指定的文件句柄所在的文件系统的信息时考试报缓存区不正确 函数原型是 NTSTATUS   ZwQueryVolumeInformationFile(     IN HANDLE  FileHandle,                                       //指定的文件句柄     OU
U 盘文件监控
stecdeng的专栏
05-23 2187
很简单的一个小玩意 就是监控U盘插上后记录创建 改名字 删除操作。 不过我这个是MINIFILTER架构;并且没有通知用户层 直接在C盘目录下创建文件记录操作的。 后来改了改;用于记录某些EXE安装过程中;出现了哪些SYS文件;方便分析同我的《关于隐藏文件夹附代码》一样否是从MINIFILTER的PASSTHROUGH框架改出的在PASSTHROUGH框架上逐步添加的一些代码 1.监控U
使用NtQueryInformationFile函数获得不到完整路径
weixin_33729196的博客
01-22 371
#include <windows.h> #include <iostream> using namespace std; typedef struct _OBJECT_NAME_INFORMATION { WORD Length; WORD MaximumLength; LPWSTR Buffer; } OBJECT_NAME...
springboot 中flowable 自定义 Expression functions示例
06-09
import org.flowable.spring.boot.process.FlowableProcessProperties; import org.flowable.spring.boot.variable.FlowableVariableProperties; import org.springframework.context.annotation.Configuration; @...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值