I wrote a script to show the second param of NtQueryInformationProcess. However, I always got wrong data; it seems like the memory wasn't refreshed and what I got was old data. Here is my code:
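
    from idaapi import *
    from idc import *   # Dword, GetRegValue and AddBpt live in idc

    # Address of ntdll!NtQueryInformationProcess in the debugged process
    NtQueryInformationProcess=0x7798E740

    class HookNQIP(DBG_Hooks):
        # Called by IDA each time a breakpoint is hit
        def dbg_bpt(self,tid,ea):
            if ea==NtQueryInformationProcess:
                # [ESP+8] at function entry is the second stack argument
                print 'ProcessInformationClass:',hex(Dword(GetRegValue('ESP')+8))

    AddBpt(NtQueryInformationProcess)
    func=HookNQIP()
    func.hook()
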
IDA 6.9 on Win10-64, thx
It's my fault for asking this question when there is already an answer here: IDA Python - Why My code return incorrect ESP Value?
So the solution is adding the code RefreshDebuggerMemory() to refresh memory.
In fact I've searched for the word 'fresh' in IDAPython's docs, but there are too many things on that page, so I got nothing because I closed that page before everything had loaded. That's really a mistake.
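
Added example, not part of the original post: the hook with RefreshDebuggerMemory() called before the stack read. The helper read_stdcall_arg and the StaleCacheDebugger class are hypothetical names introduced here; the latter is a constructed stand-in that mimics a stale memory cache so the effect can be seen outside IDA.

```python
from __future__ import print_function  # IDA 6.9 embeds Python 2.7

try:                      # these modules exist only inside IDA
    import idaapi
    import idc
except ImportError:
    idaapi = idc = None

NTQIP_EA = 0x7798E740     # hard-coded address taken from the question


def read_stdcall_arg(index, refresh, get_reg, read_dword):
    """Return the index-th (1-based) 32-bit stack argument at function entry.
    At the first instruction [ESP] is the return address, so argument n is
    at ESP + 4*n. refresh() runs first so no cached memory is read.
    """
    refresh()
    return read_dword(get_reg('ESP') + 4 * index)


class StaleCacheDebugger(object):
    """Constructed stand-in for a debugger that caches debuggee memory."""

    def __init__(self, esp, live):
        self.esp, self.live = esp, live
        self.cache = dict((ea, 0xDEADBEEF) for ea in live)  # old contents

    def refresh(self):
        self.cache = dict(self.live)

    def get_reg(self, name):
        return self.esp

    def read_dword(self, ea):
        return self.cache[ea]


if idaapi is not None:    # real wiring, only when run inside IDA
    class HookNQIP(idaapi.DBG_Hooks):
        def dbg_bpt(self, tid, ea):
            if ea == NTQIP_EA:
                info_class = read_stdcall_arg(
                    2, idc.RefreshDebuggerMemory, idc.GetRegValue, idc.Dword)
                print('ProcessInformationClass: %#x' % info_class)
            return 0      # 0: never show the breakpoint warning dialog

    idc.AddBpt(NTQIP_EA)
    hook = HookNQIP()     # keep a reference so the hook object stays alive
    hook.hook()
```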