Ring3如何枚举已打开进程的线程？-经典问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (4)
ITSailor 雪币： 4817 活跃值： (23) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 206 粉丝 1 关注私信	ITSailor 2 楼 hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId); Thread32First(hSnap, ThreadEntry); Thread32Next(hSnap, ThreadEntry); 注意微软的一个说明 Includes all threads in the system in the snapshot. To enumerate the threads, see Thread32First. To identify the threads that belong to a specific process, compare its process identifier to the th32OwnerProcessID member of the THREADENTRY32 structure when enumerating the threads. 这句话的大致意思就是Thread32First和Thread32Next枚举的是整个系统的线程，如果只想获取指定进程的线程，匹配ProcessId和ThreadEntry.th32OwnerProcessID 的值就是了。微软也提供了一个代码供参考 #include <windows.h> #include <tlhelp32.h> #include <stdio.h> // Forward declarations: BOOL ListProcessThreads( DWORD dwOwnerPID ); void printError( TCHAR* msg ); void main( ) { ListProcessThreads(GetCurrentProcessId() ); } BOOL ListProcessThreads( DWORD dwOwnerPID ) { HANDLE hThreadSnap = INVALID_HANDLE_VALUE; THREADENTRY32 te32; // Take a snapshot of all running threads hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); if( hThreadSnap == INVALID_HANDLE_VALUE ) return( FALSE ); // Fill in the size of the structure before using it. te32.dwSize = sizeof(THREADENTRY32 ); // Retrieve information about the first thread, // and exit if unsuccessful if( !Thread32First( hThreadSnap, &te32 ) ) { printError( "Thread32First" ); // Show cause of failure CloseHandle( hThreadSnap ); // Must clean up the // snapshot object! return( FALSE ); } // Now walk the thread list of the system, // and display information about each thread // associated with the specified process do { if( te32.th32OwnerProcessID == dwOwnerPID ) { printf( "\n\n THREAD ID = 0x%08X", te32.th32ThreadID ); printf( "\n base priority = %d", te32.tpBasePri ); printf( "\n delta priority = %d", te32.tpDeltaPri ); } } while( Thread32Next(hThreadSnap, &te32 ) ); // Don't forget to clean up the snapshot object. CloseHandle( hThreadSnap ); return( TRUE ); } void printError( TCHAR* msg ) { DWORD eNum; TCHAR sysMsg[256]; TCHAR* p; eNum = GetLastError( ); FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM \| FORMAT_MESSAGE_IGNORE_INSERTS, NULL, eNum, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default lang. sysMsg, 256, NULL ); // Trim the end of the line and terminate it with a null p = sysMsg; while( ( p > 31 ) \|\| ( p == 9 ) ) ++p; do { p-- = 0; } while( ( p >= sysMsg ) && ( ( p == '.' ) \|\| ( p < 33 ) ) ); // Display the message printf( "\n WARNING: %s failed with error %d (%s)", msg, eNum, sysMsg ); } 不过上面枚举不用打开进程，用进程ID就行。* 2013-1-31 11:22 0
silence刘雪币： 79 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 17 回帖 225 粉丝 0 关注私信	silence刘 3 楼楼上正解，还可以枚举dll 2013-1-31 11:38 0
iwantbmw 雪币： 102 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 17 回帖 100 粉丝 0 关注私信	iwantbmw 4 楼非常感谢！！！！！！！！！！！！！！！ 2013-1-31 12:07 0
cqzj70 雪币： 77 活跃值： (48) 能力值： ( LV2，RANK：10 ) 在线值：发帖 24 回帖 325 粉丝 0 关注私信	cqzj70 5 楼 mark 2014-1-16 17:00 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (4)
ITSailor 雪币： 4817 活跃值： (23) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 206 粉丝 1 关注私信	ITSailor 2 楼 hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId); Thread32First(hSnap, ThreadEntry); Thread32Next(hSnap, ThreadEntry); 注意微软的一个说明 Includes all threads in the system in the snapshot. To enumerate the threads, see Thread32First. To identify the threads that belong to a specific process, compare its process identifier to the th32OwnerProcessID member of the THREADENTRY32 structure when enumerating the threads. 这句话的大致意思就是Thread32First和Thread32Next枚举的是整个系统的线程，如果只想获取指定进程的线程，匹配ProcessId和ThreadEntry.th32OwnerProcessID 的值就是了。微软也提供了一个代码供参考 #include <windows.h> #include <tlhelp32.h> #include <stdio.h> // Forward declarations: BOOL ListProcessThreads( DWORD dwOwnerPID ); void printError( TCHAR* msg ); void main( ) { ListProcessThreads(GetCurrentProcessId() ); } BOOL ListProcessThreads( DWORD dwOwnerPID ) { HANDLE hThreadSnap = INVALID_HANDLE_VALUE; THREADENTRY32 te32; // Take a snapshot of all running threads hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); if( hThreadSnap == INVALID_HANDLE_VALUE ) return( FALSE ); // Fill in the size of the structure before using it. te32.dwSize = sizeof(THREADENTRY32 ); // Retrieve information about the first thread, // and exit if unsuccessful if( !Thread32First( hThreadSnap, &te32 ) ) { printError( "Thread32First" ); // Show cause of failure CloseHandle( hThreadSnap ); // Must clean up the // snapshot object! return( FALSE ); } // Now walk the thread list of the system, // and display information about each thread // associated with the specified process do { if( te32.th32OwnerProcessID == dwOwnerPID ) { printf( "\n\n THREAD ID = 0x%08X", te32.th32ThreadID ); printf( "\n base priority = %d", te32.tpBasePri ); printf( "\n delta priority = %d", te32.tpDeltaPri ); } } while( Thread32Next(hThreadSnap, &te32 ) ); // Don't forget to clean up the snapshot object. CloseHandle( hThreadSnap ); return( TRUE ); } void printError( TCHAR* msg ) { DWORD eNum; TCHAR sysMsg[256]; TCHAR* p; eNum = GetLastError( ); FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM \| FORMAT_MESSAGE_IGNORE_INSERTS, NULL, eNum, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default lang. sysMsg, 256, NULL ); // Trim the end of the line and terminate it with a null p = sysMsg; while( ( p > 31 ) \|\| ( p == 9 ) ) ++p; do { p-- = 0; } while( ( p >= sysMsg ) && ( ( p == '.' ) \|\| ( p < 33 ) ) ); // Display the message printf( "\n WARNING: %s failed with error %d (%s)", msg, eNum, sysMsg ); } 不过上面枚举不用打开进程，用进程ID就行。* 2013-1-31 11:22 0
silence刘雪币： 79 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 17 回帖 225 粉丝 0 关注私信	silence刘 3 楼楼上正解，还可以枚举dll 2013-1-31 11:38 0
iwantbmw 雪币： 102 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 17 回帖 100 粉丝 0 关注私信	iwantbmw 4 楼非常感谢！！！！！！！！！！！！！！！ 2013-1-31 12:07 0
cqzj70 雪币： 77 活跃值： (48) 能力值： ( LV2，RANK：10 ) 在线值：发帖 24 回帖 325 粉丝 0 关注私信	cqzj70 5 楼 mark 2014-1-16 17:00 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复