I'm currently debugging a crash in a Windows application, and I've been using Strace to monitor the exact system calls being made. I've discovered that just before NtOpenKey is called to open the AeDebug registry key and generate the error message, there are two calls to NtQueryInformationProcess as shown below:
NtQueryInformationProcess (-1, 7, 1239636, 4, 0)
NtQueryInformationProcess (-1, 12, 1238980, 4, 0)
As you can see the handle for these two calls is -1, which could well be the cause of the crash. I wanted to confirm this by writing a short C program that made NtQueryInformationProcess calls using a negative handle, but quickly realised I didn't know how to access system calls directly from the ntdll.dll file.
I did see the below code on one web site, but I have no idea what it means and pasting it into my program just causes a lot of errors.
// create entry point for 'NtQueryInformationProcess'
CREATE_DYNFUNC_5 ( NtQueryInformationProcess,
I'd be extremely grateful if someone could tell me how to call NtQueryInformationProcess from a C program. If you want to see what I've done so far, the short program I wrote to try and call NtQueryInformationProcess is available here:
Thanks for any help you can offer.
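Editor's added example (not code from the original post or from the site the CREATE_DYNFUNC_5 macro came from): NtQueryInformationProcess is an export of ntdll.dll with no import library shipped in the usual SDK setups, so the straightforward way to call it from C is to look it up at run time with GetModuleHandle and GetProcAddress and cast the result to a function-pointer type you declare yourself. The program below does that and repeats the two calls from the trace: class 7 is ProcessDebugPort and class 12 is ProcessDefaultHardErrorMode. It also shows that the handle value -1 in the trace is the pseudo-handle GetCurrentProcess() returns for the calling process, not a failed handle, and that a buffer length that does not match the information class produces STATUS_INFO_LENGTH_MISMATCH (0xC0000004), which is the usual mistake when calling this function by hand (the length 4 in the trace is consistent with a 32-bit process, where ProcessDebugPort returns a pointer-sized value). Assumed: built on Windows as a console program with MSVC or MinGW; the enum and macro names are ours, not from winternl.h.

```c
/* Added example, not code from the original post: resolve NtQueryInformationProcess
 * from ntdll.dll at run time (no ntdll.lib needed) and make the two calls seen in
 * the trace, NtQueryInformationProcess(-1, 7, ...) and (-1, 12, ...).
 * Assumptions: built as a console program with MSVC or MinGW on Windows
 * (cl example.c  /  gcc example.c); the constant names below are ours. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* PROCESSINFOCLASS values as they appear in the trace: 7 is ProcessDebugPort,
 * 12 is ProcessDefaultHardErrorMode. */
enum {
    PROCESS_BASIC_INFORMATION_CLASS = 0,
    PROCESS_DEBUG_PORT              = 7,
    PROCESS_DEFAULT_HARD_ERROR_MODE = 12,
    PROCESS_WOW64_INFORMATION       = 26
};

#define NTSTATUS_INFO_LENGTH_MISMATCH ((int32_t)0xC0000004)

/* ---- portable helpers for reading a trace line (no Windows API needed) ---- */

/* -1 is the pseudo-handle GetCurrentProcess() returns; it means "this process",
 * not an invalid or failed handle. */
static int is_current_process_pseudo_handle(intptr_t raw)
{
    return raw == (intptr_t)-1;
}

/* NTSTATUS convention: non-negative values are success or informational. */
static int nt_status_ok(int32_t status)
{
    return status >= 0;
}

static const char *process_info_class_name(unsigned long cls)
{
    switch (cls) {
    case PROCESS_BASIC_INFORMATION_CLASS: return "ProcessBasicInformation";
    case PROCESS_DEBUG_PORT:              return "ProcessDebugPort";
    case PROCESS_DEFAULT_HARD_ERROR_MODE: return "ProcessDefaultHardErrorMode";
    case PROCESS_WOW64_INFORMATION:       return "ProcessWow64Information";
    default:                              return "(class not in this table)";
    }
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NTSTATUS, NTAPI */

/* Our own function-pointer type. winternl.h declares a prototype, but linking
 * against it needs ntdll.lib, so we resolve the export ourselves instead. */
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_fn)(
    HANDLE ProcessHandle, ULONG ProcessInformationClass,
    PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);

static NtQueryInformationProcess_fn resolve_NtQueryInformationProcess(void)
{
    /* ntdll.dll is mapped into every process, so GetModuleHandle never has to load it. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return NULL;
    return (NtQueryInformationProcess_fn)GetProcAddress(ntdll, "NtQueryInformationProcess");
}

int main(void)
{
    NtQueryInformationProcess_fn NtQIP = resolve_NtQueryInformationProcess();
    if (!NtQIP) { fprintf(stderr, "NtQueryInformationProcess not found\n"); return 1; }

    /* GetCurrentProcess() is (HANDLE)-1, exactly the first argument in the trace. */
    HANDLE self = GetCurrentProcess();
    printf("GetCurrentProcess() = %ld (pseudo-handle: %s)\n", (long)(intptr_t)self,
           is_current_process_pseudo_handle((intptr_t)self) ? "yes" : "no");

    ULONG_PTR debug_port = 0;   /* ProcessDebugPort returns a pointer-sized value */
    ULONG hard_error_mode = 0;  /* ProcessDefaultHardErrorMode returns a ULONG    */
    ULONG returned = 0;
    NTSTATUS st;

    st = NtQIP(self, PROCESS_DEBUG_PORT, &debug_port, sizeof debug_port, &returned);
    printf("%s: status 0x%08lX ok=%d, value 0x%p (nonzero = debugger attached)\n",
           process_info_class_name(PROCESS_DEBUG_PORT), (unsigned long)st,
           nt_status_ok((int32_t)st), (void *)debug_port);

    st = NtQIP(self, PROCESS_DEFAULT_HARD_ERROR_MODE, &hard_error_mode,
               sizeof hard_error_mode, &returned);
    printf("%s: status 0x%08lX ok=%d, value 0x%lX\n",
           process_info_class_name(PROCESS_DEFAULT_HARD_ERROR_MODE), (unsigned long)st,
           nt_status_ok((int32_t)st), (unsigned long)hard_error_mode);

    /* Wrong buffer length is the usual mistake: expect STATUS_INFO_LENGTH_MISMATCH. */
    st = NtQIP(self, PROCESS_DEBUG_PORT, &debug_port, 2, &returned);
    printf("length 2 -> status 0x%08lX (%s)\n", (unsigned long)st,
           (int32_t)st == NTSTATUS_INFO_LENGTH_MISMATCH ? "STATUS_INFO_LENGTH_MISMATCH" : "other");
    return 0;
}
#else
int main(void)
{
    /* Not on Windows: only the trace-reading helpers above can be exercised. */
    printf("%s called with %s, length-mismatch status ok=%d\n",
           process_info_class_name(7),
           is_current_process_pseudo_handle(-1) ? "the GetCurrentProcess() pseudo-handle" : "a real handle",
           nt_status_ok(NTSTATUS_INFO_LENGTH_MISMATCH));
    return 0;
}
#endif
```

Build it as the same bitness as the application you are tracing: on a 32-bit build ProcessDebugPort wants a 4-byte buffer, matching the trace, while a 64-bit build needs 8, which is why the code passes sizeof of a pointer-sized variable rather than a hard-coded 4.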