Zitat von
Olli:
How can you distinguish? Well, easy. You have two choices:
- Get the module handle of the EXE and check the host's file name for svchost.exe vs. rundll32.exe. Keep in mind that a file name is not a trust decision: any executable can be named svchost.exe, so this only tells you which host is loading your DLL, not whether the caller is privileged.
- Check under which account you run. Under svchost.exe the answer is most likely SYSTEM, but svchost also hosts services as LocalService or NetworkService, so the account alone does not identify the host process.
To check for the 'System Process Context' — i.e. whether the primary token of the current process belongs to the LocalSystem logon session (authentication id $03E7, SYSTEM_LUID) — you should use this code:
Delphi-Quellcode:
// IsSystemProcessContext
// ----------------------
// Returns True when the primary token of the current process belongs to the
// LocalSystem logon session, i.e. its authentication (logon session) id equals
// SYSTEM_LUID (LowPart $03E7, HighPart 0).
//
// Security notes for callers:
//  * Only the PROCESS token is examined (OpenProcessToken on GetCurrentProcess).
//    A thread that is currently impersonating another account is not taken
//    into account; query the thread token yourself if that matters.
//  * Services hosted as LocalService or NetworkService have a different logon
//    session id, so this function returns False for them even though they run
//    inside svchost.exe.
//  * Any failure (OpenProcessToken or GetTokenInformation) yields False; the
//    function never raises.
// Requires TTokenStatistics and SYSTEM_LUID; see the disabled declaration
// block below if your Windows unit does not provide them.
function IsSystemProcessContext: Boolean;
// The declarations below are disabled on purpose: "(** )" opens a (* ... *)
// comment that the "(**)" line closes. Remove the space in the opening marker
// to enable them when your RTL lacks TTokenStatistics / SYSTEM_LUID.
(** )
type
  TLUID = LARGE_INTEGER;
  TTokenStatistics = packed record
    TokenId           : TLUID;
    AuthenticationId  : TLUID;
    ExpirationTime    : LARGE_INTEGER;
    TokenType         : TTokenType;
    ImpersonationLevel: TSecurityImpersonationLevel;
    DynamicCharged    : DWORD;
    DynamicAvailable  : DWORD;
    GroupCount        : DWORD;
    PrivilegeCount    : DWORD;
    ModifiedId        : TLUID;
  end;
const
  SYSTEM_LUID: LARGE_INTEGER = (LowPart: $03E7; HighPart: $0);
(**)
var
  hToken: THandle;
  Stats: TTokenStatistics;
  cbReturned: DWORD;
begin
  // Without a token handle nothing can be decided: report "not SYSTEM".
  if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, hToken) then
  begin
    Result := False;
    Exit;
  end;
  try
    if GetTokenInformation(hToken, TokenStatistics, @Stats, SizeOf(Stats), cbReturned) then
      // AuthenticationId is the logon session id; $03E7 is the LocalSystem session.
      Result := (Stats.AuthenticationId.LowPart = SYSTEM_LUID.LowPart) and
                (Stats.AuthenticationId.HighPart = SYSTEM_LUID.HighPart)
    else
      Result := False;
  finally
    // Release the token handle whatever the query returned.
    CloseHandle(hToken);
  end;
end;