typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
到底什么区别呢？(除了区别在于加载顺序、内存顺序、初始化顺序)

typedef struct _LDR_MODULE
{
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
  
} LDR_MODULE, *PLDR_MODULE;

因为我hook了以下函数
MyNtCreateThreadEx(
           OUT PHANDLE ThreadHandle,
           IN ACCESS_MASK DesiredAccess,
           IN PVOID ObjectAttributes OPTIONAL,
           IN HANDLE ProcessHandle,
           IN PVOID lpStartAddress,//这个!!!
           IN PVOID StartContext,//StartContext
           IN BOOL CreateSuspended,
           IN ULONG StackZeroBits,
           IN SIZE_T SizeOfStackCommit,
           IN SIZE_T SizeOfStackReserve,
           OUT PVOID lpBytesBuffer)
{
}
一个线程的lpStartAddress，要去找它属于ProcessHandle所在进程的哪个BaseAddress和（BaseAddress+SizeOfImage）之间
我该去遍历那三个链表中的哪一个链表呢？

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课