NtQueryInformationProcess
GPT The NtQueryInformationProcess function, along with the data structures it provides, are internal to Windows and can change with different versions of the operating system. To ensure your application remains compatible, it's better to use the public functions recommended in the ProcessInformationClass parameter's description.
If you still choose to use NtQueryInformationProcess, access it through run-time dynamic linking. This method allows your code to adapt if the function is altered or removed in future Windows releases. Be aware, though, that changes in the function's signature might not be detectable.
This function isn't included in any import library. To use it, you need to dynamically link to Ntdll.dll using the LoadLibrary and GetProcAddress functions.
Through official Microsoft Developer Network (MSDN).
Featured in Techniques
| Technique Name | Technique ID's | Snippet(s) | Rules(s) | OS |
|---|---|---|---|---|
| Process Argument Spoofing | U1243 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| procexp.exe | 6 | 2024-11-21 | 1 month, 4 weeks ago |
| implant.exe | 6 | 2024-11-18 | 2 months ago |
| Windows11InstallationAssistant.exe | 4 | 2024-11-15 | 2 months ago |