随笔
伪代码:
// Pseudo-code (not compilable as-is): derives the ring-0 creation flags
// (dwCreateFlagsR0) from the ring-3 creation flags (dwCreateFlagsR3) and the
// handle-inheritance argument (bInherit). Both inputs are declared outside
// this fragment.
// NOTE(review): the listing has no braces and no indentation, so as written
// each `if` governs only the single statement that follows it.
DWORD dwCreateFlagsR0,dwFlagsTmp;
// Clears bits 0x0000C1E0 (0x20, 0x40, 0x80, 0x100, 0x4000, 0x8000).
// NOTE(review): these equal the Win32 priority-class values, so priority is
// presumably carried to the kernel by another path -- confirm.
dwCreateFlagsR3 &= 0xFFFF3E1F;// first mask off some ring-3 attribute bits
// Keeps only ring-3 bit 0x40000, shifted down to 0x40.
// NOTE(review): 0x40000 is CREATE_PROTECTED_PROCESS in the Win32 headers; if
// that is the bit meant here, it is the security-relevant part of this
// mapping and deserves its own named line -- confirm against the disassembly.
dwFlagsTmp = (dwCreateFlagsR3 >> 12) & 0x40;// the low 12 bits have already been handled
// NOTE(review): `!` binds tighter than `&`, so this parses as
// (!dwCreateFlagsR3) & CREATE_BREAKAWAY_FROM_JOB. `!x` is 0 or 1 and the flag
// is not bit 0 in the Win32 headers, so the test is always false as written.
// The intent is either `dwCreateFlagsR3 & FLAG` or `!(dwCreateFlagsR3 & FLAG)`
// -- confirm which one the original code does.
if(!dwCreateFlagsR3 & CREATE_BREAKAWAY_FROM_JOB)
dwFlagsTmp |= 1;
// Ring-3 INHERIT_PARENT_AFFINITY maps to ring-0 bit 0x100.
if(dwCreateFlagsR3 & INHERIT_PARENT_AFFINITY)
dwFlagsTmp |= 0x100;
// NOTE(review): same precedence problem as the CREATE_BREAKAWAY_FROM_JOB test
// above; as written this branch is never taken, so 0x200 is never set.
if(!dwCreateFlagsR3 & CREATE_SUSPENDED)
dwFlagsTmp |= 0x200;
// NOTE(review): CRETAE_PROCESS / CREATE_ONLY_THIS_PROCESS are kept as spelled
// in the original. The flag table after this listing labels 0x1 and 0x2 as
// the debug flags, so these presumably stand for DEBUG_PROCESS and
// DEBUG_ONLY_THIS_PROCESS -- confirm.
// The inner tests use `==` on the whole masked value, so each matches only
// when no other ring-3 bit is set; a bit test (`&`) may have been intended.
// Without braces, only the first inner `if` is nested under this outer `if`.
if(dwCreateFlagsR3 & CRETAE_PROCESS || dwCreateFlagsR3 & CREATE_ONLY_THIS_PROCESS)
if(dwCreateFlagsR3==CRETAE_PROCESS)
// NOTE(review): bit 0x1 is also the bit written by the breakaway branch
// above; one of the two is probably a different ring-0 bit -- confirm.
dwFlagsTmp |= 1;
if(dwCreateFlagsR3==CREATE_ONLY_THIS_PROCESS)
dwFlagsTmp |= 2;
// Handle inheritance requested by the caller maps to ring-0 bit 0x4.
if(bInherit)
dwFlagsTmp |= 4;
// Publish the assembled value as the ring-0 flag word.
dwCreateFlagsR0 = dwFlagsTmp;
0环 CreateFlags 属性位(此处的 CreateFlags 即 CreateProcessFlags):
0x1 DEBUG_PROCESS
0x2 DEBUG_ONLY_THIS_PROCESS
0x4 INHERIT_HANDLE
0x400 UNK 与扩展StartInfo相关