NtQueryInformationThread
ThreadBasicInformation
THREAD_BASIC_INFORMATION->ClientId
谢谢,不过似乎是未公开的函数,最后一个参数的结构也查不到。
看来还是多保存一份线程Id保险一点。
查Native API大全嘛~
用 Native API 没什么问题的，从 2K 开始一直到 Win7 没发现什么改动，以后应该也不会有，MS 的强项就是向下兼容。
倒是内核结构不要乱用是真的。
你看这个枚举 TIB 的代码有没有用：
// One TIB/TEB occupies a single 4 KiB page; EnumProcssTIB matches regions of exactly this size.
#define TIB_SIZE 0x1000
// Address window scanned for TEB pages: [MIN_TIB_BASE, MAX_TIB_BASE).
// Values are 32-bit user-mode addresses (the code assumes a 32-bit process).
#define MIN_TIB_BASE 0x7FF00000
#define MAX_TIB_BASE 0x7FFE0000
// Hand-rolled view of the start of the per-thread TIB/TEB, as laid out by a
// 32-bit (4-byte pointer) build. Offsets below are computed from this layout;
// CheckTIB reads +0x18 (pSelf), +0x24 (dwThreadID) and +0x30 (pProcess).
// Field names are the poster's own; "FilberData" is presumably a typo for
// FiberData and is kept as-is because other code may reference it.
typedef struct _TIB
{
PVOID pvExcept;            // +0x00  exception (SEH) list head
PVOID pvStackUserBase;     // +0x04  stack base (highest address); used by CheckMainThreadId
PVOID pvStackUserTop;      // +0x08  stack limit
struct
{
PVOID SubSystemTib;        // +0x0C
ULONG FilberData;          // +0x10
}TIB_UNION1;
PVOID pvArbitrary;         // +0x14
struct _TIB *pSelf;        // +0x18  points back to this block; the primary TIB signature
struct
{
DWORD dwUnknow1;           // +0x1C
DWORD dwProcessID;         // +0x20
DWORD dwThreadID;          // +0x24  value returned by CheckTIB
DWORD dwUnknow2;           // +0x28
}TIB_UNION2;
PVOID *pvTLSArray;         // +0x2C
PVOID *pProcess;           // +0x30  compared against the PEB pointer in CheckTIB
}TIB;
// Output of EnumProcssTIB: one copy of each page that passed CheckTIB.
// Capacity is 0x20 entries; EnumProcssTIB must not write past it.
TIB ThreadArray[0x20] = {0};
// Stack dump from the debugger just below the main thread's stack base
// (presumably 0x00130000 — confirm). The slot at 0012FFF8 = StackBase - 8
// holds the module entry point; that is the slot CheckMainThreadId examines.
//0012FFD4 805522FA
//0012FFD8 0012FFC8
//0012FFDC 89158530
//0012FFE0 FFFFFFFF End of SEH chain
//0012FFE4 7C839AC0 SE handler
//0012FFE8 7C817070 kernel32.7C817070
//0012FFEC 00000000
//0012FFF0 00000000
//0012FFF4 00000000
//0012FFF8 004DECA2 MySelfHo.<ModuleEntryPoint>
//0012FFFC 00000000
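// Read AddressOfEntryPoint from the headers of a PE file on disk.
//
// Despite the name this is the entry-point RVA, not a virtual address or a
// file offset: it is the DWORD at e_lfanew + 0x28 (IMAGE_NT_HEADERS32
// OptionalHeader.AddressOfEntryPoint). A caller that wants the VA seen on the
// stack must add the image base itself.
//
// szRawFile: path of the file to parse (NULL is rejected).
// Returns the RVA, or 0 when the file cannot be opened or read, or its first
// page does not hold a well-formed MZ/PE header. The original returned 1 on an
// open failure, which is indistinguishable from a real RVA; every failure now
// reports 0.
//
// Only the first 0x1000 bytes are read, and e_lfanew is validated against the
// byte count actually returned by ReadFile, so a header that claims to live
// past the end of what was read is rejected instead of dereferenced.
static DWORD GetOEPOffsetFromRaw(char *szRawFile)
{
    enum {
        HDR_READ_SIZE   = 0x1000,
        MZ_SIGNATURE    = 0x5A4D,   /* "MZ" */
        PE_SIGNATURE    = 0x4550,   /* "PE\0\0" */
        OFF_E_LFANEW    = 0x3C,     /* IMAGE_DOS_HEADER.e_lfanew */
        OFF_ENTRY_POINT = 0x28      /* AddressOfEntryPoint, relative to "PE" */
    };
    DWORD dwOEPOffset = 0;
    DWORD dwReadBytes = 0;
    unsigned char buf[HDR_READ_SIZE];
    HANDLE hFile;

    if (szRawFile == NULL)
        return 0;

    hFile = CreateFileA(szRawFile, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return 0;

    if (ReadFile(hFile, buf, sizeof buf, &dwReadBytes, NULL)
        && dwReadBytes >= OFF_E_LFANEW + sizeof(DWORD))
    {
        WORD wMZ;
        DWORD dwELF;
        /* memcpy rather than pointer casts: no alignment or aliasing assumptions. */
        memcpy(&wMZ, buf, sizeof wMZ);
        memcpy(&dwELF, buf + OFF_E_LFANEW, sizeof dwELF);

        /* e_lfanew must leave room for the PE signature and the field we
         * read, entirely inside the bytes actually returned by ReadFile.
         * dwELF < HDR_READ_SIZE also keeps the addition below from wrapping. */
        if (wMZ == MZ_SIGNATURE
            && dwELF > 0
            && dwELF < HDR_READ_SIZE
            && dwELF + OFF_ENTRY_POINT + sizeof(DWORD) <= dwReadBytes)
        {
            DWORD dwPESign;
            memcpy(&dwPESign, buf + dwELF, sizeof dwPESign);
            if (dwPESign == PE_SIGNATURE)
                memcpy(&dwOEPOffset, buf + dwELF + OFF_ENTRY_POINT, sizeof dwOEPOffset);
        }
    }

    CloseHandle(hFile);
    return dwOEPOffset;
}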
// Decide whether a stack belongs to the main thread by looking at the DWORD
// eight bytes below the given address and comparing it with dwOEP.
//
// dwAddress: the thread's stack base (pvStackUserBase). The original comment
//            said "TIB start address" and "-4", but the code reads
//            dwAddress - 8, which matches the stack dump above where
//            StackBase - 8 (0012FFF8) holds the module entry point.
// dwOEP:     the entry-point value to match. Note GetOEPOffsetFromRaw returns
//            an RVA while the stack slot holds a VA, so the caller presumably
//            adds the image base first — confirm against the caller.
// Returns 1 when the slot is nonzero and equal to dwOEP, otherwise 0.
// The memory at dwAddress - 8 must be readable; no check is made here.
static BOOL CheckMainThreadId(DWORD dwAddress, DWORD dwOEP)
{
    DWORD dwSlot = *(PDWORD)(dwAddress - 0x8);

    /* An empty slot never matches, even if dwOEP itself is 0. */
    if (dwSlot == 0)
        return 0;

    return (dwSlot == dwOEP) ? 1 : 0;
}
// Heuristic test for whether the page at dwAddress is a TIB/TEB.
//
// A page qualifies when the pointer at +0x18 (pSelf) points back at the page
// itself and the value at +0x30 (pProcess, the PEB pointer) is nonzero. All
// TEBs of one process share the same PEB, so the first accepted page records
// that value in *pdwPEB and every later page must carry the same one.
//
// dwAddress: page to inspect (must be readable for at least 0x34 bytes).
// pdwPEB:    in/out. 0 = not yet known; otherwise the PEB every candidate
//            must match. Set on the first accepted page.
// Returns the thread id at +0x24, or 0 if the page is not accepted.
static DWORD CheckTIB(DWORD dwAddress, PDWORD pdwPEB)
{
    DWORD dwSelf = *(PDWORD)(dwAddress + 0x18);
    DWORD dwPebField;

    if (dwSelf != dwAddress)
        return 0;

    dwPebField = *(PDWORD)(dwAddress + 0x30);
    if (dwPebField == 0)
        return 0;

    if (*pdwPEB == dwPebField)
        return *(PDWORD)(dwAddress + 0x24);

    if (*pdwPEB == 0)
    {
        /* First hit: adopt this page's PEB as the reference for later pages. */
        *pdwPEB = dwPebField;
        return *(PDWORD)(dwAddress + 0x24);
    }

    return 0;
}
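// Scan [MIN_TIB_BASE, MAX_TIB_BASE) of the current process for pages that
// look like a TEB (see CheckTIB) and copy each one into ThreadArray.
//
// Returns the number of entries stored in ThreadArray, capped at its capacity.
// Side effects: overwrites ThreadArray[0..count) and calls
// EnableDebugPrivilege(TRUE) as the original did. That call is not needed to
// query our own address space; it is kept only so callers that may rely on the
// privilege being enabled keep working.
//
// Fixes vs. the original:
//  - the copy size was sizeof(ThreadArray) (the whole array, 0x20 entries)
//    instead of one element, so every hit after the first wrote far past the
//    end of ThreadArray;
//  - the hit count is now bounded by the array capacity;
//  - the PROCESS_ALL_ACCESS handle from OpenProcess was never closed; the
//    GetCurrentProcess() pseudo-handle needs neither extra rights nor
//    CloseHandle;
//  - the scan now stops at MAX_TIB_BASE on the success path too, and only
//    committed pages are examined before their contents are dereferenced.
//
// NOTE(review): the DWORD pointer arithmetic assumes a 32-bit process;
// (DWORD)mbi.BaseAddress truncates pointers in a 64-bit build.
static DWORD EnumProcssTIB()
{
    const DWORD nMaxEntries = sizeof(ThreadArray) / sizeof(ThreadArray[0]);
    HANDLE hProcess = GetCurrentProcess();
    DWORD nTibCnt = 0;
    DWORD dwPEB = 0;    /* PEB learned from the first hit; later hits must agree */
    DWORD dwScan = MIN_TIB_BASE;
    MEMORY_BASIC_INFORMATION mbi;

    EnableDebugPrivilege(TRUE);

    while (dwScan < MAX_TIB_BASE && nTibCnt < nMaxEntries)
    {
        ZeroMemory(&mbi, sizeof mbi);
        if (!VirtualQueryEx(hProcess, (LPCVOID)dwScan, &mbi, sizeof mbi))
        {
            /* Unqueryable address: step one page and keep looking, as before. */
            dwScan += TIB_SIZE;
            continue;
        }

        /* A TEB is one committed, private, read/write page. Check the page
         * attributes first so CheckTIB never touches unreadable memory. */
        if (mbi.State == MEM_COMMIT
            && mbi.RegionSize == TIB_SIZE
            && mbi.Protect == PAGE_READWRITE
            && mbi.Type == MEM_PRIVATE
            && CheckTIB((DWORD)mbi.BaseAddress, &dwPEB) != 0)
        {
            memcpy(&ThreadArray[nTibCnt++], mbi.BaseAddress, sizeof(ThreadArray[0]));
        }

        /* Advance past the region just described. */
        dwScan = (DWORD)mbi.BaseAddress + (DWORD)mbi.RegionSize;
        if (dwScan < (DWORD)mbi.BaseAddress)    /* wrapped past the top of the address space */
            break;
    }

    return nTibCnt;
}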