[求助]枚举进程所有线程的一个蓝屏信息-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
ImHolly 雪币： 412 活跃值： (30) 能力值： ( LV5，RANK：70 ) 在线值：发帖 6 回帖 293 粉丝 1 关注私信	ImHolly 1 2 楼调试的时候看下Entry里面的值就知道了 2010-8-27 22:16 0
wykkx 雪币： 55 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 40 回帖 87 粉丝 0 关注私信	wykkx 3 楼谢谢楼上我看了里面的值是有的地方是无效地址，经过我的修改，之前的地方不蓝屏了但是又有了新的问题，比如杀一个电驴的进程程序单步运行可以把电驴的界面杀掉，但是后台进程仍在，且如果不单步运行，就会蓝屏。附改进后的代码，求教各位。小弟搞了好几天了， PETHREAD NTAPI GetNextProcessThread( IN PEPROCESS Process, IN PETHREAD Thread OPTIONAL ) { PETHREAD FoundThread = NULL; PLIST_ENTRY ListHead, Entry; KSPIN_LOCK QLock; KIRQL oldirql; //PAGEDCODE KeInitializeSpinLock(&QLock); KeAcquireSpinLock(&QLock, &oldirql); // KeEnterCriticalRegionThread(&Thread->Tcb); if (Thread) { Entry = (PLIST_ENTRY)((ULONG)(Thread)+uThreadListEntryOffset); if (MmIsAddressValid(Entry)) { Entry=Entry->Flink; } } else { Entry = (PLIST_ENTRY)((ULONG)(Process)+uThreadListHeadOffset); if (MmIsAddressValid(Entry)) { Entry = Entry->Flink; } } ListHead = (PLIST_ENTRY)((ULONG)Process + uThreadListHeadOffset); while (ListHead != Entry) { FoundThread = (PETHREAD)((ULONG)Entry - uThreadListEntryOffset); if (MmIsAddressValid(FoundThread)) { if (ObReferenceObject(FoundThread)) //Entry = Entry->Flink; break; }else { FoundThread = NULL; if (MmIsAddressValid(Entry)) { Entry = Entry->Flink; } break; //Entry = Entry->Flink; } //if (MmIsAddressValid(Entry)) //{ //Entry = Entry->Flink; //} } KeReleaseSpinLock(&QLock, oldirql); //Entry = Entry->Flink; if (Thread&&MmIsAddressValid(Thread)) ObDereferenceObject(Thread); return FoundThread; } 外边的调用是： __try { for(Thread = GetNextProcessThread(pObjEpro,NULL); MmIsAddressValid(Thread); //Thread != NULL; Thread = GetNextProcessThread(pObjEpro, Thread)) { Status = (NTSTATUS)(PspTerminateThreadByPt)(Thread,0); } // __asm int 3 } __except(EXCEPTION_EXECUTE_HANDLER) { } 2010-8-30 08:51 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)
ImHolly 雪币： 412 活跃值： (30) 能力值： ( LV5，RANK：70 ) 在线值：发帖 6 回帖 293 粉丝 1 关注私信	ImHolly 1 2 楼调试的时候看下Entry里面的值就知道了 2010-8-27 22:16 0
wykkx 雪币： 55 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 40 回帖 87 粉丝 0 关注私信	wykkx 3 楼谢谢楼上我看了里面的值是有的地方是无效地址，经过我的修改，之前的地方不蓝屏了但是又有了新的问题，比如杀一个电驴的进程程序单步运行可以把电驴的界面杀掉，但是后台进程仍在，且如果不单步运行，就会蓝屏。附改进后的代码，求教各位。小弟搞了好几天了， PETHREAD NTAPI GetNextProcessThread( IN PEPROCESS Process, IN PETHREAD Thread OPTIONAL ) { PETHREAD FoundThread = NULL; PLIST_ENTRY ListHead, Entry; KSPIN_LOCK QLock; KIRQL oldirql; //PAGEDCODE KeInitializeSpinLock(&QLock); KeAcquireSpinLock(&QLock, &oldirql); // KeEnterCriticalRegionThread(&Thread->Tcb); if (Thread) { Entry = (PLIST_ENTRY)((ULONG)(Thread)+uThreadListEntryOffset); if (MmIsAddressValid(Entry)) { Entry=Entry->Flink; } } else { Entry = (PLIST_ENTRY)((ULONG)(Process)+uThreadListHeadOffset); if (MmIsAddressValid(Entry)) { Entry = Entry->Flink; } } ListHead = (PLIST_ENTRY)((ULONG)Process + uThreadListHeadOffset); while (ListHead != Entry) { FoundThread = (PETHREAD)((ULONG)Entry - uThreadListEntryOffset); if (MmIsAddressValid(FoundThread)) { if (ObReferenceObject(FoundThread)) //Entry = Entry->Flink; break; }else { FoundThread = NULL; if (MmIsAddressValid(Entry)) { Entry = Entry->Flink; } break; //Entry = Entry->Flink; } //if (MmIsAddressValid(Entry)) //{ //Entry = Entry->Flink; //} } KeReleaseSpinLock(&QLock, oldirql); //Entry = Entry->Flink; if (Thread&&MmIsAddressValid(Thread)) ObDereferenceObject(Thread); return FoundThread; } 外边的调用是： __try { for(Thread = GetNextProcessThread(pObjEpro,NULL); MmIsAddressValid(Thread); //Thread != NULL; Thread = GetNextProcessThread(pObjEpro, Thread)) { Status = (NTSTATUS)(PspTerminateThreadByPt)(Thread,0); } // __asm int 3 } __except(EXCEPTION_EXECUTE_HANDLER) { } 2010-8-30 08:51 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复