因为有定位线程头部特征的需要（有些游戏调试器一附加就立马死掉，多半是有个线程在搞鬼，杀掉这个线程就可以正常附加调试了），首先要找到线程入口地址。在网上找了一下，发现在获取64位程序的线程信息时，入口地址是错的（64位的地址溢出了），于是稍稍改动了一下（要编译为64位）。
#include <windows.h>
#include <tlhelp32.h>
#include "iostream"
#include <limits>
using namespace std;
// NTSTATUS as returned by the native API: a signed 32-bit value where
// negative means failure (windows.h does not define it, so it is spelled out here).
using NTSTATUS = LONG;

// Signature of ntdll!NtQueryInformationThread, resolved at run time with
// GetProcAddress because it is not exported through an import library.
using NTQUERYINFORMATIONTHREAD = NTSTATUS(WINAPI*)(
    HANDLE ThreadHandle,
    ULONG ThreadInformationClass,
    PVOID ThreadInformation,
    ULONG ThreadInformationLength,
    PULONG ReturnLength);
// Thread information classes accepted by NtQueryInformationThread. The
// numeric values are what the kernel sees, so they are written out
// explicitly instead of being left to implicit numbering. This file only
// ever passes ThreadQuerySetWin32StartAddress (9).
typedef enum _THREADINFOCLASS
{
    ThreadBasicInformation = 0,
    ThreadTimes = 1,
    ThreadPriority = 2,
    ThreadBasePriority = 3,
    ThreadAffinityMask = 4,
    ThreadImpersonationToken = 5,
    ThreadDescriptorTableEntry = 6,
    ThreadEnableAlignmentFaultFixup = 7,
    ThreadEventPair_Reusable = 8,
    ThreadQuerySetWin32StartAddress = 9,
    ThreadZeroTlsCell = 10,
    ThreadPerformanceCount = 11,
    ThreadAmILastThread = 12,
    ThreadIdealProcessor = 13,
    ThreadPriorityBoost = 14,
    ThreadSetTlsArrayAddress = 15, // Obsolete
    ThreadIsIoPending = 16,
    ThreadHideFromDebugger = 17,
    ThreadBreakOnTermination = 18,
    ThreadSwitchLegacyState = 19,
    ThreadIsTerminated = 20,
    ThreadLastSystemCall = 21,
    ThreadIoPriority = 22,
    ThreadCycleTime = 23,
    ThreadPagePriority = 24,
    ThreadActualBasePriority = 25,
    ThreadTebInformation = 26,
    ThreadCSwitchMon = 27, // Obsolete
    ThreadCSwitchPmu = 28,
    ThreadWow64Context = 29,
    ThreadGroupInformation = 30,
    ThreadUmsInformation = 31, // UMS
    ThreadCounterProfiling = 32,
    ThreadIdealProcessorEx = 33,
    MaxThreadInfoClass = 34
} THREADINFOCLASS;
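// Resolves NtQueryInformationThread from ntdll.dll. ntdll is already mapped
// into every Win32 process, so GetModuleHandleW is enough and no
// LoadLibrary reference is taken (the original called LoadLibraryW on every
// invocation and never released it). Returns NULL if the export is missing.
static NTQUERYINFORMATIONTHREAD ResolveNtQueryInformationThread()
{
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
    {
        return NULL;
    }
    return reinterpret_cast<NTQUERYINFORMATIONTHREAD>(
        GetProcAddress(hNtdll, "NtQueryInformationThread"));
}

// Queries the Win32 start address of one thread via
// ThreadQuerySetWin32StartAddress. The value the kernel writes is
// pointer-sized, so the buffer is ULONG_PTR: it matches in both 32-bit and
// 64-bit builds, whereas the fixed UINT64 buffer this replaced only matched
// 64-bit builds (hence the "must compile as 64-bit" note above the code).
// Returns true on success; startAddress is left untouched on failure.
static bool QueryWin32StartAddress(NTQUERYINFORMATIONTHREAD fnQuery,
                                   HANDLE hThread,
                                   ULONG_PTR& startAddress)
{
    ULONG_PTR value = 0;
    ULONG returnLength = 0;
    NTSTATUS status = fnQuery(hThread, ThreadQuerySetWin32StartAddress,
                              &value, sizeof(value), &returnLength);
    if (status < 0) // NTSTATUS: negative values are failures
    {
        return false;
    }
    startAddress = value;
    return true;
}

// Prints the ID and Win32 start address of every thread owned by process PID.
//
// PID: the process whose threads are listed (taken from stdin by main()).
//
// Output goes to cout, one line per thread: the decimal thread ID and the
// start address in upper-case hex with a 0X prefix. Threads that cannot be
// opened or queried are still listed, with the failure noted instead of an
// address. Every thread handle and the snapshot handle are closed before
// returning; the original leaked all of them.
void GetProcessThreadInfo(DWORD PID)
{
    NTQUERYINFORMATIONTHREAD fnQuery = ResolveNtQueryInformationThread();
    if (fnQuery == NULL)
    {
        cerr << "NtQueryInformationThread not found in ntdll.dll" << endl;
        return;
    }

    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        cerr << "CreateToolhelp32Snapshot failed, error " << GetLastError() << endl;
        return;
    }

    // Stream flags only need to be set once, not once per printed thread.
    cout.setf(ios::showbase | ios::uppercase);

    THREADENTRY32 te32;
    te32.dwSize = sizeof(te32);
    if (Thread32First(hSnapshot, &te32))
    {
        do
        {
            // The snapshot entry already names the owning process, so other
            // processes' threads are skipped without opening a handle to each.
            if (te32.th32OwnerProcessID != PID)
            {
                continue;
            }

            cout << dec << "线程ID:" << te32.th32ThreadID;

            // Least privilege: THREAD_QUERY_INFORMATION is all the query needs;
            // THREAD_ALL_ACCESS was far more than this code uses.
            HANDLE hThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te32.th32ThreadID);
            if (hThread == NULL)
            {
                cout << "\t入口地址:(OpenThread failed, error " << GetLastError() << ")" << endl;
                continue;
            }

            ULONG_PTR startAddress = 0;
            bool haveStart = QueryWin32StartAddress(fnQuery, hThread, startAddress);
            CloseHandle(hThread);

            if (haveStart)
            {
                cout << hex << "\t入口地址:" << startAddress << endl;
            }
            else
            {
                cout << "\t入口地址:(query failed)" << endl;
            }
        } while (Thread32Next(hSnapshot, &te32));
    }

    CloseHandle(hSnapshot);
}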
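// Interactive driver: repeatedly reads a process ID from stdin and lists that
// process's threads. Exits cleanly when stdin reaches end-of-file. Non-numeric
// input is discarded and the prompt repeated; the original left cin in a fail
// state and spun forever re-printing the prompt with pid == 0.
int main()
{
    while (true)
    {
        DWORD pid = 0;
        cout << "请输入进程ID:";
        if (!(cin >> pid))
        {
            if (cin.eof())
            {
                break; // Ctrl+Z / closed stdin: stop instead of looping on a failed stream
            }
            // Bad token: reset the stream and drop the rest of the line.
            cin.clear();
            cin.ignore(numeric_limits<streamsize>::max(), '\n');
            continue;
        }
        GetProcessThreadInfo(pid);
    }
    return 0;
}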
参考自:https://www.cnblogs.com/IMyLife/p/4826260.html