BOOL CShowCurrentProcessDlg::UpdateThreadContext(DWORD dwProcessID,DWORD dwThreadID)
{
HANDLE hThreadSnap = NULL;
BOOL bRet = FALSE;
THREAD_INFORMATION_EX tie;
DWORD dwThisThread = ::GetCurrentThreadId(); // used for not killing ourself
char Tmp[20];
int IntVar = 0;
int ThreadID;
CString mBody,mTmp;
// Take a snapshot of all threads currently in the system.
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessID);
if(hThreadSnap == INVALID_HANDLE_VALUE)
return FALSE;
// Fill in the size of the structure before using it.
tie.te32.dwSize = sizeof(THREADENTRY32);
// Walk the thread snapshot to find all threads of the process.
// If the thread belongs to the process, add its information
// to the display list.
if(Thread32First(hThreadSnap, &tie.te32))
{
do
{
//
// if the thread belongs to the given process...
//
if (tie.te32.th32OwnerProcessID == dwProcessID)
{
if(dwThreadID == tie.te32.th32ThreadID)
{
//
// get some more information about this thread
//
HANDLE hThread = ::OpenThread(THREAD_GET_CONTEXT|THREAD_QUERY_INFORMATION, FALSE, tie.te32.th32ThreadID);
if(hThread != INVALID_HANDLE_VALUE)
{
::SuspendThread(hThread); // otherwise we dont get the context
{
tie.ctx.ContextFlags = CONTEXT_FULL;
::GetThreadContext(hThread, &tie.ctx);
if( tie.ctx.Eip > 0x400000 && tie.ctx.Eip<0x500000)
{
//CS DS SS ES
mTmp.Format("CS:0x%x ", tie.ctx.SegCs);
mBody += mTmp;
//DS
mTmp.Format("DS:0x%x ", tie.ctx.SegDs);
mBody += mTmp;
//SS
mTmp.Format("SS:0x%x ", tie.ctx.SegSs);
mBody += mTmp;
//ES
mTmp.Format("ES:0x%x ", tie.ctx.SegSs);
mBody += mTmp;
mBody += "\r\n";
//EIP
mTmp.Format("EIP:0x%-15x", tie.ctx.Eip);
mBody += mTmp;
//ESP
mTmp.Format("ESP:0x%-15x", tie.ctx.Esp);
mBody += mTmp;
mBody += "\r\n";
//EAX
mTmp.Format("EAX:0x%-15x", tie.ctx.Eax);
mBody += mTmp;
//ESI
mTmp.Format("ESI:0x%-15x", tie.ctx.Esi);
mBody += mTmp;
mBody += "\r\n";
//EDI
mTmp.Format("EDI:0x%-15x", tie.ctx.Edi);
mBody += mTmp;
//EBX
mTmp.Format("EBX:0x%-15x", tie.ctx.Ebx);
mBody += mTmp;
mBody += "\r\n";
//EDX
mTmp.Format("EDX:0x%-15x",tie.ctx.Edx);
mBody += mTmp;
//ECX
mTmp.Format("ECX:0x%-15x", tie.ctx.Ecx);
mBody += mTmp;
mBody += "\r\n";
//EBP
mTmp.Format("EBP:0x%-15x", tie.ctx.Ebp);
mBody += mTmp;
SetDlgItemText(IDC_EDIT_REGISTER,mBody);
}
}
::ResumeThread(hThread);
::CloseHandle(hThread);
}
ZeroMemory(&tie, sizeof(THREAD_INFORMATION_EX));
tie.te32.dwSize = sizeof(THREADENTRY32);
}
}
}while(Thread32Next(hThreadSnap, &tie.te32));
bRet = TRUE;
}
else
bRet = FALSE; // could not walk the list of threads
// Do not forget to clean up the snapshot object.
CloseHandle(hThreadSnap);
return bRet;
}
以上是我的函数,但是Eip 总是很大总是在ntdll之类的领空,不会到400000类的用户领空?请指教?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工
作,每周日13:00-18:00直播授课
