-
-
[旧帖] 已解决 win8 64位,遍历指定进程的线程失败 0.00雪花
-
发表于: 2014-4-20 15:05
-
#include "stdafx.h"
#include <windows.h>
#include "NativeAPI.h"
int main()
{
//HWND hwar3 = NULL;
//hwar3 = FindWindowA(NULL,"Warcraft III");
DWORD war3PID = 0;
scanf_s("%d",&war3PID);
//GetWindowThreadProcessId(hwar3,&war3PID);
PSYSTEM_PROCESSES psp=NULL;
DWORD dwNeedSize = 0;
PVOID pBuffer = NULL;
NTSTATUS status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);
if ( status == STATUS_INFO_LENGTH_MISMATCH )
{
pBuffer = malloc(dwNeedSize);
status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, NULL);
if ( status == STATUS_SUCCESS )
{
psp = (PSYSTEM_PROCESSES)pBuffer;
while(1)
{
// 如果匹配,输出线程信息
if (war3PID == psp->ProcessId)
{
DWORD dwThreadCount = 0;
printf("TID 起始地址\r\n");
for (;dwThreadCount < psp->ThreadCount; dwThreadCount++)
{
DWORD dwLasterror = 0;
PVOID pStartAddress = NULL;
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, (DWORD)psp->Threads[dwThreadCount].ClientId.UniqueThread);
if (hThread != NULL)
{
ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &pStartAddress,sizeof(pStartAddress), NULL);
}
CloseHandle(hThread);
printf("%d ", psp->Threads[dwThreadCount].ClientId.UniqueThread);
printf("0x%08x\r\n", pStartAddress);
// 如何判断线程属于哪个模块
}
break;
}
if (!psp->NextEntryDelta)
{
break;
}
psp = (PSYSTEM_PROCESSES)((ULONG)psp + psp->NextEntryDelta );
}
free(pBuffer);
pBuffer = NULL;
}
}
return 0;
}
NextEntryDelta 无法读取内存
求大神解释
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
