Therefore, in order to monitor and control process creation, all we have to do is hook those API functions, which cannot be bypassed by code that is about to launch a new process.
This function creates a thread to execute within the address space of the calling process.
This function is called by the loader in processes created from managed executable assemblies.