
[调试逆向] [系统底层] [求助]有大佬知道NtQueryInformationThread怎么通过获取各个寄存器的值的吗?

2018-8-6 12:16
X86程序的GetThreadContext是通过NtQueryInformationThread得到的


最新回复 (3)
downfall 2018-8-9 16:24
用NtGetContextThread

/*
 * GetThreadContext (ReactOS): Win32 wrapper over the native
 * NtGetContextThread call.
 *
 * hThread   - handle to the thread whose register context is requested.
 * lpContext - receives the register context. NOTE(review): the caller is
 *             presumably responsible for setting lpContext->ContextFlags
 *             beforehand; nothing in this wrapper touches it.
 *
 * Returns TRUE on success. On failure the NTSTATUS is translated into the
 * Win32 last-error value through BaseSetLastNTError and FALSE is returned.
 */
BOOL WINAPI GetThreadContext(IN HANDLE hThread, OUT LPCONTEXT lpContext)
{
    NTSTATUS Status = NtGetContextThread(hThread, lpContext);

    if (NT_SUCCESS(Status))
    {
        return TRUE;
    }

    /* Failure path: map the native status to a Win32 last-error code. */
    BaseSetLastNTError(Status);
    return FALSE;
}

reactos的源码
最后于 2018-8-9 16:30 被downfall编辑 ,原因: 增补内容
guotouck 2018-9-19 00:57
我也想问,要NtQueryInformationThread的方法
guotouck 2018-9-20 13:34
自己解决了，但意义不大。
特别注意：本执行进程必须是64位，且目标线程id必须属于32位进程，否则调用失败。
// Function-pointer type matching the prototype of ntdll's
// NtQueryInformationThread. ThreadInformationClass is declared as a plain
// ULONG rather than THREADINFOCLASS; the enum that follows supplies the values.
// ReturnLength is optional (the query at the end of this snippet passes NULL).
// NOTE(review): the visible code calls NtQueryInformationThread directly and
// never uses this typedef — presumably it is intended for resolving the
// export from ntdll.dll at runtime; confirm against the full source.
typedef NTSTATUS(WINAPI *NTQUERYINFORMATIONTHREAD)(
       HANDLE ThreadHandle,
       ULONG ThreadInformationClass,
       PVOID ThreadInformation,
       ULONG ThreadInformationLength,
       PULONG ReturnLength);
// Thread information classes accepted by NtQueryInformationThread.
// The values are positional (ThreadBasicInformation == 0, each following
// member is the previous value + 1), so every member must stay in this exact
// order: inserting or removing one silently shifts all later classes and the
// kernel will interpret the wrong class. By this numbering ThreadWow64Context,
// the class used by the query at the end of this snippet, is 29.
typedef enum _THREADINFOCLASS {
       ThreadBasicInformation,
       ThreadTimes,
       ThreadPriority,
       ThreadBasePriority,
       ThreadAffinityMask,
       ThreadImpersonationToken,
       ThreadDescriptorTableEntry,
       ThreadEnableAlignmentFaultFixup,
       ThreadEventPair_Reusable,
       ThreadQuerySetWin32StartAddress,
       ThreadZeroTlsCell,
       ThreadPerformanceCount,
       ThreadAmILastThread,
       ThreadIdealProcessor,
       ThreadPriorityBoost,
       ThreadSetTlsArrayAddress,   // Obsolete
       ThreadIsIoPending,
       ThreadHideFromDebugger,
       ThreadBreakOnTermination,
       ThreadSwitchLegacyState,
       ThreadIsTerminated,
       ThreadLastSystemCall,
       ThreadIoPriority,
       ThreadCycleTime,
       ThreadPagePriority,
       ThreadActualBasePriority,
       ThreadTebInformation,
       ThreadCSwitchMon,          // Obsolete
       ThreadCSwitchPmu,
       ThreadWow64Context,        // WOW64 (32-bit) register context of the thread
       ThreadGroupInformation,
       ThreadUmsInformation,      // UMS
       ThreadCounterProfiling,
       ThreadIdealProcessorEx,
       MaxThreadInfoClass         // one past the last valid class
} THREADINFOCLASS;
       // Open the target thread. THREAD_ALL_ACCESS is the maximal thread access
       // mask, so OR-ing in THREAD_GET_CONTEXT | THREAD_SET_CONTEXT adds nothing;
       // for a read-only context query the least-privilege mask would be
       // THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION.
       // Author's note: dwThreadId must be the id of a thread in the 32-bit target.
       ThreadHandle = OpenThread(THREAD_ALL_ACCESS | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, dwThreadId);
       if (!ThreadHandle)
       {
               return 0;
       }
       // Zero the structure, then ask for the full register set plus debug and
       // segment registers. `= {}` is C++ (and C23) syntax; in C11 use `= {0}`.
       // NOTE(review): in a 64-bit build CONTEXT_FULL / CONTEXT_DEBUG_REGISTERS /
       // CONTEXT_SEGMENTS are the x64 flag values; the WOW64_CONTEXT_FULL /
       // WOW64_CONTEXT_DEBUG_REGISTERS / WOW64_CONTEXT_SEGMENTS constants are the
       // 32-bit equivalents — confirm which values this query expects.
       WOW64_CONTEXT wow64Context = {};
       wow64Context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS | CONTEXT_SEGMENTS;
// Query the 32-bit (WOW64) register context; ReturnLength is NULL because the
// written size is not needed. Per the author this only succeeds when the
// calling process is 64-bit and the target thread is 32-bit.
// NOTE(review): the enclosing function continues outside this excerpt — status
// must be checked with NT_SUCCESS(status) before wow64Context is read, and
// ThreadHandle must be released with CloseHandle on every path.
NTSTATUS status = NtQueryInformationThread(ThreadHandle, ThreadWow64Context, &wow64Context, sizeof(WOW64_CONTEXT), NULL);