#include "stdafx.h"
#include
#include
#include "Tlhelp32.h"
/*有些地址过低的枚举不到,就给出了地址对照,容错也没做怎么好*/
/*
 * Information classes accepted by ZwQueryInformationThread (see the prototype
 * and the call in ShowThreadInfo below). ntdll ships no public header for this
 * enum, so it is reproduced here with every value written out explicitly: the
 * numeric value, not the name, is what ZwQueryInformationThread receives, so the
 * order must never be changed. This file only uses ThreadQuerySetWin32StartAddress.
 */
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation          = 0,
    ThreadTimes                     = 1,
    ThreadPriority                  = 2,
    ThreadBasePriority              = 3,
    ThreadAffinityMask              = 4,
    ThreadImpersonationToken        = 5,
    ThreadDescriptorTableEntry      = 6,
    ThreadEnableAlignmentFaultFixup = 7,
    ThreadEventPair_Reusable        = 8,
    ThreadQuerySetWin32StartAddress = 9,   // the class queried by ShowThreadInfo
    ThreadZeroTlsCell               = 10,
    ThreadPerformanceCount          = 11,
    ThreadAmILastThread             = 12,
    ThreadIdealProcessor            = 13,
    ThreadPriorityBoost             = 14,
    ThreadSetTlsArrayAddress        = 15,
    ThreadIsIoPending               = 16,
    ThreadHideFromDebugger          = 17,
    ThreadBreakOnTermination        = 18,
    MaxThreadInfoClass              = 19
} THREADINFOCLASS;
// Prototype for kernel32!OpenThread. The function is resolved at run time with
// GetProcAddress in main() instead of being linked statically; the parameter
// names are this file's own (the second argument is always passed as FALSE here).
typedef HANDLE (__stdcall *OPENTHREAD) (DWORD dwFlag, BOOL bUnknow, DWORD dwThreadId);
// Prototype for ntdll!ZwQueryInformationThread, likewise resolved at run time.
// NOTE(review): the LONG return value is an NTSTATUS (negative = failure);
// ShowThreadInfo below does not check it.
typedef LONG (__stdcall *_pfnZwQueryInformationThread) (
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// Filled in by main() before any thread is queried; both stay NULL if
// GetProcAddress fails, and no caller in this file guards against that.
// NOTE(review): a global named OpenThread may clash with the OpenThread
// declaration in newer Windows SDK headers — confirm against the build setup.
OPENTHREAD OpenThread;
_pfnZwQueryInformationThread ZwQueryInformationThread;
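/*
 * Return the Win32 start address of thread `tid`, or NULL if it cannot be read.
 *
 * Opens the thread with the least right the query needs
 * (THREAD_QUERY_INFORMATION instead of THREAD_ALL_ACCESS), asks ntdll for
 * ThreadQuerySetWin32StartAddress and closes the handle again.
 *
 * Returns NULL when the function pointers were never resolved, when the thread
 * cannot be opened, or when ZwQueryInformationThread reports failure. The
 * original ignored the status and returned an uninitialized `startaddr` in
 * that last case.
 */
PVOID ShowThreadInfo(DWORD tid)
{
    PVOID startaddr = NULL;
    HANDLE thread;
    LONG status;

    // Both pointers come from GetProcAddress in main() and are NULL if that failed.
    if (OpenThread == NULL || ZwQueryInformationThread == NULL)
        return NULL;

    thread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, tid);
    if (thread == NULL)
        return NULL;

    status = ZwQueryInformationThread(thread,
                                      ThreadQuerySetWin32StartAddress,
                                      &startaddr,
                                      sizeof(startaddr),
                                      NULL);
    CloseHandle(thread);

    // NTSTATUS convention: negative means failure; don't hand back a stale buffer.
    if (status < 0)
        return NULL;

    return startaddr;
}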
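/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Returns TRUE only when the privilege is actually enabled. AdjustTokenPrivileges
 * returns non-zero even when it could not assign the privilege and only sets the
 * last error to ERROR_NOT_ALL_ASSIGNED; the original treated that as success,
 * which is the likely cause of the "every address is 0" symptom the author
 * describes. That case now yields FALSE so the caller can tell.
 *
 * Original author's note (translated): this elevation is largely a formality and
 * did not seem to work; if all addresses come back as 0 it is probably a rights
 * problem, and launching the tool through `at <time> /interactive` reportedly
 * worked better.
 */
BOOL GetDebugPriv()
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp = {0};
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // A TRUE return with ERROR_NOT_ALL_ASSIGNED means the token does not hold
        // the privilege at all (e.g. non-administrator), so it was not enabled.
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
        {
            ok = TRUE;
        }
    }

    CloseHandle(hToken);
    return ok;
}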
// Forward declaration: GetModule is defined after main() below.
int GetModule(DWORD PID,PVOID addr,DWORD dwThreadPid);
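/*
 * Entry point: find the "Warcraft III" window, snapshot the system's threads and,
 * for every thread owned by that process, print its id, Win32 start address and
 * the module containing that address (via GetModule).
 *
 * Changes from the original:
 *  - GetProcAddress results and the snapshot handle are checked; a NULL function
 *    pointer would otherwise be called inside ShowThreadInfo.
 *  - FindWindow / GetWindowThreadProcessId failure is reported instead of using
 *    an uninitialized PID.
 *  - Enumeration starts with Thread32First; beginning with Thread32Next skips the
 *    first snapshot entry.
 *  - THREADENTRY32 lives on the stack; the original `new` was never deleted.
 *  - Pointers are printed with %p; %08x truncates them on 64-bit builds.
 *  - The trailing system("pause") no longer spawns a shell; getchar() waits instead.
 */
int main()
{
    THREADENTRY32 threadInfo;
    HANDLE hThreadShot;
    HWND hwar3;
    DWORD PID = 0;
    int i = 0;

    // Best effort; see the note on GetDebugPriv for why addresses may still read as 0.
    GetDebugPriv();

    ZwQueryInformationThread = (_pfnZwQueryInformationThread)
        GetProcAddress(LoadLibrary("ntdll.dll"), "ZwQueryInformationThread");
    OpenThread = (OPENTHREAD)GetProcAddress(LoadLibrary("kernel32.dll"), "OpenThread");
    if (ZwQueryInformationThread == NULL || OpenThread == NULL)
    {
        printf("Failed to resolve ZwQueryInformationThread/OpenThread (error %lu)\n",
               GetLastError());
        return 1;
    }

    // Alternative the author left commented out: read the PID from stdin instead
    // of looking the process up by its window.
    hwar3 = ::FindWindow("Warcraft III", NULL);
    if (hwar3 == NULL || GetWindowThreadProcessId(hwar3, &PID) == 0)
    {
        printf("Warcraft III window not found\n");
        return 1;
    }

    // TH32CS_SNAPTHREAD snapshots every thread on the system regardless of the
    // PID argument, hence the th32OwnerProcessID filter in the loop.
    hThreadShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, PID);
    if (hThreadShot == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot failed (error %lu)\n", GetLastError());
        return 1;
    }

    threadInfo.dwSize = sizeof(THREADENTRY32);
    printf("线程ID 线程地址 所在模块为\n");

    if (Thread32First(hThreadShot, &threadInfo))
    {
        do
        {
            if (PID == threadInfo.th32OwnerProcessID)
            {
                PVOID addr = ShowThreadInfo(threadInfo.th32ThreadID);
                DWORD dwThreadPid = threadInfo.th32ThreadID;
                i++;
                printf(" %p\n", addr);
                GetModule(PID, addr, dwThreadPid);
            }
        } while (Thread32Next(hThreadShot, &threadInfo));
    }

    printf("共有线程%d个\n", i);
    CloseHandle(hThreadShot);

    printf("Press Enter to exit...\n");
    getchar();
    return 0;
}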
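/*
 * Print the module of process `PID` whose address range contains `addr`, as
 * "<thread id> <address> <module path>". Nothing is printed when no module
 * matches. Always returns 0; callers in this file ignore the value.
 *
 * Changes from the original:
 *  - Addresses are compared as ULONG_PTR rather than int: casting a pointer to
 *    int truncates on 64-bit and turns addresses >= 0x80000000 negative, so the
 *    range test silently failed for them.
 *  - The range test is base <= addr < base + size, so an address exactly at the
 *    module base is matched too.
 *  - Enumeration starts with Module32First; beginning with Module32Next skips the
 *    first entry (typically the process's own executable).
 *  - The snapshot handle is validated, with the documented ERROR_BAD_LENGTH retry
 *    for TH32CS_SNAPMODULE, and MODULEENTRY32 lives on the stack instead of being
 *    leaked via `new`.
 *  - The pointer is printed with %p instead of %08x.
 */
int GetModule(DWORD PID, PVOID addr, DWORD dwThreadPid)
{
    MODULEENTRY32 moduleInfo;
    HANDLE hShot = INVALID_HANDLE_VALUE;
    ULONG_PTR target = (ULONG_PTR)addr;
    int attempts = 0;

    // A module snapshot can fail with ERROR_BAD_LENGTH while the target's module
    // list is changing; the documented remedy is to retry a few times.
    do
    {
        hShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    } while (hShot == INVALID_HANDLE_VALUE
             && GetLastError() == ERROR_BAD_LENGTH
             && ++attempts < 5);

    if (hShot == INVALID_HANDLE_VALUE)
    {
        printf("%-5lu module snapshot failed (error %lu)\n", dwThreadPid, GetLastError());
        return 0;
    }

    moduleInfo.dwSize = sizeof(MODULEENTRY32);
    if (Module32First(hShot, &moduleInfo))
    {
        do
        {
            ULONG_PTR base = (ULONG_PTR)moduleInfo.modBaseAddr;
            if (target >= base && target < base + moduleInfo.modBaseSize)
            {
                printf("%-5lu %p %s\n\n", dwThreadPid, addr, moduleInfo.szExePath);
                break;  // loaded modules do not overlap, so the first hit is the answer
            }
        } while (Module32Next(hShot, &moduleInfo));
    }

    CloseHandle(hShot);
    return 0;
}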