
如何根据线程号获取模块信息-创新互联

在得到线程 ID 之后,便可以通过 OpenThread 得到线程 HANDLE,之后通过 ZwQueryInformationThread 获取线程信息。


Part1 准备:

// NOTE(review): the header names were stripped when this page was captured.
// The code below uses <windows.h> (OpenThread/OpenProcess/GetProcAddress),
// <psapi.h> (GetModuleFileNameEx/GetMappedFileName, matching the psapi.lib
// pragma), plus setlocale/printf (<locale.h>/<stdio.h>) and std::string
// (<string>) — confirm against the original listing.
#include

#include

#include

#pragma comment(lib,"psapi.lib")

// Information classes accepted by ZwQueryInformationThread. The enumerator's
// ordinal is the value passed to ntdll, so the order must not be changed.
// Only ThreadBasicInformation (0) and ThreadQuerySetWin32StartAddress (9)
// are used on this page.
typedef enum _THREADINFOCLASS {

  ThreadBasicInformation,            // 0: fills a THREAD_BASIC_INFORMATION

  ThreadTimes,

  ThreadPriority,

  ThreadBasePriority,

  ThreadAffinityMask,

  ThreadImpersonationToken,

  ThreadDescriptorTableEntry,

  ThreadEnableAlignmentFaultFixup,

  ThreadEventPair_Reusable,

  ThreadQuerySetWin32StartAddress,   // 9: the thread's Win32 start address, returned as one PVOID

  ThreadZeroTlsCell,

  ThreadPerformanceCount,

  ThreadAmILastThread,

  ThreadIdealProcessor,

  ThreadPriorityBoost,

  ThreadSetTlsArrayAddress,

  ThreadIsIoPending,

  ThreadHideFromDebugger,

  ThreadBreakOnTermination,

  MaxThreadInfoClass

} THREADINFOCLASS;

// Identifies a thread and its owner. Both fields are HANDLE-typed but carry the
// numeric process id / thread id, not kernel handles: convert with
// HandleToULong() for OpenProcess/OpenThread and never CloseHandle() them.
typedef struct _CLIENT_ID {

  HANDLE UniqueProcess;   // owning process id

  HANDLE UniqueThread;    // thread id

} CLIENT_ID;

typedef CLIENT_ID *PCLIENT_ID;

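// Layout returned for ThreadBasicInformation (class 0). It must mirror ntdll's
// structure exactly, because ZwQueryInformationThread is given sizeof(tbi) and
// writes the fields by offset.
typedef struct _THREAD_BASIC_INFORMATION { // Information Class 0

  LONG   ExitStatus;        // NTSTATUS exit status of the thread

  PVOID   TebBaseAddress;   // user-mode TEB of the thread

  CLIENT_ID ClientId;       // owning process id / thread id (HANDLE-typed numbers)

  // KAFFINITY is pointer-sized (ULONG_PTR). The original declared this as LONG,
  // which is only correct for 32-bit builds; on 64-bit it shifts Priority and
  // BasePriority to the wrong offsets. ClientId, which this page reads, is
  // unaffected either way.
  ULONG_PTR AffinityMask;

  LONG Priority;            // KPRIORITY

  LONG BasePriority;        // KPRIORITY

} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;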

// Function-pointer slot for the undocumented ntdll export ZwQueryInformationThread
// (the user-mode Zw* entry is the same routine as NtQueryInformationThread).
// It stays NULL until the setup code assigns the GetProcAddress result, so every
// caller must be sure that assignment succeeded. Returns an NTSTATUS: < 0 is failure.
// IN/OUT/OPTIONAL are the empty annotation macros from the Windows headers.
extern "C" LONG (__stdcall *ZwQueryInformationThread) (

  IN HANDLE ThreadHandle,

  IN THREADINFOCLASS ThreadInformationClass,

  OUT PVOID ThreadInformation,             // buffer whose layout is selected by the class

  IN ULONG ThreadInformationLength,        // sizeof that buffer

  OUT PULONG ReturnLength OPTIONAL         // may be NULL, as on this page

  ) = NULL;

主函数中需要做的准备工作:

  // One-time setup that must run before Part 2. ".ACP" switches the C runtime to
  // the system ANSI code page so the Chinese printf() strings below render.
  setlocale (LC_ALL, ".ACP");

  // ntdll is normally already mapped in every process, but neither this result
  // nor the GetProcAddress result is checked: if either is NULL, the first
  // ZwQueryInformationThread call in Part 2 jumps through a null pointer. Add
  // `if (hNTDLL == NULL || ZwQueryInformationThread == NULL) return FALSE;` after the lookup.
  HINSTANCE hNTDLL = ::GetModuleHandle (TEXT ("ntdll"));

  // C-style cast through FARPROC& stores the export into the typed pointer slot.
  (FARPROC&)ZwQueryInformationThread  = ::GetProcAddress (hNTDLL,  "ZwQueryInformationThread");

Part 2 获取相关信息

  // NOTE(review): body of a function whose signature is not on the page. It uses
  // dwThreadId (thread id to inspect), pName (module name to look for) and ret
  // (BOOL result, presumably returned by the caller) from that enclosing scope,
  // and returns FALSE on every error path.
  THREAD_BASIC_INFORMATION   tbi;

  PVOID            startaddr;

  LONG             status;

  HANDLE            thread, process;

  // Least privilege: the two queries below only need THREAD_QUERY_INFORMATION.
  // Asking for THREAD_ALL_ACCESS can make OpenThread fail (e.g. across integrity
  // levels) where the narrower request would have succeeded.
  thread = ::OpenThread (THREAD_ALL_ACCESS, FALSE, dwThreadId);

  if (thread == NULL)

{

printf("cannot open thread handle\n");

    return FALSE;

}

// Win32 start address of the thread. ZwQueryInformationThread is still NULL if
// the GetProcAddress in the setup code failed; that is not checked here.
status = ZwQueryInformationThread(thread,ThreadQuerySetWin32StartAddress, &startaddr, sizeof (startaddr), NULL);

  // Negative NTSTATUS means failure; the thread handle is released before returning.
  if (status < 0)

  {

    CloseHandle (thread);

printf("cannot get status1\n");

    return FALSE;

  };

  printf("线程 %08x 的起始地址为 %p\n", dwThreadId, startaddr);

  // Basic information gives the owning process id in tbi.ClientId.UniqueProcess.
  status = ZwQueryInformationThread (thread,

      ThreadBasicInformation,

      &tbi,

      sizeof (tbi),

      NULL);

  if (status < 0)

{

    CloseHandle (thread);

printf("cannot get status2\n");

    return FALSE;

};

// (DWORD) narrows a pointer-sized HANDLE; HandleToULong() is the portable way to
// read the id on 64-bit builds.
printf("线程 %08x 所在进程ID为 %08x\n", dwThreadId, (DWORD)tbi.ClientId.UniqueProcess);

// Least privilege: GetModuleFileNameEx and GetMappedFileName require only
// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, not PROCESS_ALL_ACCESS.
process = ::OpenProcess (PROCESS_ALL_ACCESS,

FALSE,

(DWORD)tbi.ClientId.UniqueProcess);

if (process == NULL)

{

// Save the OpenProcess error so CloseHandle cannot overwrite what the caller sees.
DWORD error = ::GetLastError ();

CloseHandle (thread);

SetLastError (error);

return FALSE;

};

// 0x100 TCHARs is smaller than MAX_PATH, so longer paths are truncated by both calls below.
TCHAR modname [0x100];

// Return value unchecked: on failure modname stays uninitialized and is printed anyway.
::GetModuleFileNameEx (process, NULL, modname, 0x100);

// %s with a TCHAR buffer is only consistent in an ANSI (non-UNICODE) build.
printf("线程 %08x 所在进程映象为 %s\n", dwThreadId, modname);

// Maps the start address back to the file backing that page, in device-path form
// (\Device\..., not a drive letter). Return value unchecked: on failure modname
// still holds the process image path from the call above, so the substring test
// below can attribute the thread to the wrong module.
GetMappedFileName(process,

startaddr,

modname,

0x100);

    std::string stName(pName);

std::string stModName(modname);

// Case-sensitive substring match: "a.dll" also matches "xa.dll" or "a.dll.old".
// Compare the trailing file-name component if an exact match is intended.
if(stModName.find(stName) != std::string::npos)

{

printf("线程 %08x 可执行代码所在模块为 %s\n", dwThreadId, modname);

ret = TRUE;

}

CloseHandle (process);

CloseHandle (thread);


