Determining exit code of a process from a DLL in that process
-
I've got a DLL that is injected into every process in my system. Among other things, it does a bit of process monitoring. As part of that, I'd like to track the exit code of each process.

DllMain with a reason code of DLL_PROCESS_DETACH enables me to tell if the process is exiting nicely or not via the value of the reserved parameter. I'm obviously interested in the not nice case. Calling GetExitProcessCode isn't useful because the process has not completely exited yet and the code isn't available until it's truly dead.

I know that for DLL_PROCESS_ATTACH, the reserved value is actually a CONTEXT pointer. Is there something similar for the _DETACH case - in other words, what does the reserved parameter point to? I'm hoping that it points to something that I can use to see what that exit code is - the system knows what it is since the process is in the act of exiting, but there isn't an API to get it.

Any ideas?

Thanks,
Judy
Be wary of strong drink. It can make you shoot at tax collectors - and miss. Lazarus Long, "Time Enough For Love" by Robert A. Heinlein
-
Hi Judy,

I know that if you call NtQueryInformationProcess with the PROCESSINFOCLASS of ProcessBasicInformation on a normally executing process... the ExitStatus member of the PROCESS_BASIC_INFORMATION struct should always return 0x103 which is STATUS_PENDING.

You could try checking this value during DLL_PROCESS_DETACH, it should be safe to make calls into NTDLL. I cannot remember off the top of my head when ntoskrnl sets this exit code value during process termination so it may not be changed yet. I'm not in my normal office so I cannot test this.

Let me know how it turns out.

Best Wishes,
-David an eluDe
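The query suggested in the reply above, as an added example that is not code from either poster: it reads ExitStatus for the current process during DLL_PROCESS_DETACH and classifies the value. Whether the kernel has already updated ExitStatus at that point is the question the reply leaves open, so the code also handles the still-pending value. The names `classify_exit_status`, `query_own_exit_status`, `PBI` and the `ES_*` constants are hypothetical, and the struct is declared locally on the assumption that it matches the PROCESS_BASIC_INFORMATION layout.

```c
#include <stdint.h>

/* Hypothetical helper names; 0x103 is the STATUS_PENDING value quoted in the reply. */
enum exit_class { ES_PENDING, ES_ORDINARY, ES_NTSTATUS_ERROR };

enum exit_class classify_exit_status(uint32_t st)
{
    if (st == 0x00000103u)      /* ambiguous: a process may also exit with code 259 itself */
        return ES_PENDING;
    if ((st >> 30) == 3u)       /* NTSTATUS severity bits 11 = error, e.g. a crash code */
        return ES_NTSTATUS_ERROR;
    return ES_ORDINARY;         /* plain value passed to ExitProcess/TerminateProcess */
}

#ifdef _WIN32
#include <windows.h>

typedef struct {                /* assumed layout of PROCESS_BASIC_INFORMATION */
    LONG      ExitStatus;
    PVOID     PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG      BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PBI;
typedef LONG (NTAPI *NtQueryInformationProcess_t)(HANDLE, int, PVOID, ULONG, PULONG);

/* Returns 1 and fills *st on success, 0 if the call is unavailable or fails. */
static int query_own_exit_status(uint32_t *st)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");  /* always mapped; no LoadLibrary here */
    NtQueryInformationProcess_t q = ntdll ? (NtQueryInformationProcess_t)
        GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    PBI pbi;
    if (!q || q(GetCurrentProcess(), 0 /* ProcessBasicInformation */,
                &pbi, sizeof pbi, NULL) < 0)
        return 0;
    *st = (uint32_t)pbi.ExitStatus;
    return 1;
}

BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    static const char *names[] = { "exit status: still pending\n",
        "exit status: ordinary exit code\n", "exit status: NTSTATUS error\n" };
    uint32_t st;
    (void)inst;
    /* reserved != NULL on detach means the process is terminating, not FreeLibrary */
    if (reason == DLL_PROCESS_DETACH && reserved && query_own_exit_status(&st))
        OutputDebugStringA(names[classify_exit_status(st)]);
    return TRUE;
}
#endif
```

The Windows-specific part compiles only under `_WIN32`; the classifier is portable so it can be unit-tested elsewhere.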