This post was last edited by xiaoly99 on 2014-7-10 20:41
A VB Newbie Plays with Drivers (7): Enumerating the Active Thread List
Author: 0.0
1. VB code
Public Sub EnumThread(ByVal EProcess As Long)
    Dim Thread(4) As Long
    ' Thread(0) = ETHREAD base, Thread(1) = TID, Thread(2) = current ThreadListEntry,
    ' Thread(3) = the first ThreadListEntry (loop sentinel), Thread(4) = thread count
    Dim Pad As Long
    frmMain.lstThread.Clear
    Thread(2) = ReadMemory(EProcess + &H190)                  ' EPROCESS.ThreadListHead.Flink
    Thread(3) = Thread(2)                                     ' remember where the walk started
    Do
        Thread(0) = Thread(2) - &H22C                         ' ThreadListEntry sits at ETHREAD+0x22C
        Thread(1) = ReadMemory(Thread(2) + &H1F4 + 4 - &H234) ' ETHREAD.Cid.UniqueThread (ETHREAD+0x1F0)
        If Thread(1) Then
            Pad = 4 - Len(Trim(Thread(1)))                    ' pad TIDs shorter than 4 digits
            If Pad < 0 Then Pad = 0                           ' String() raises an error on a negative count
            frmMain.lstThread.AddItem Thread(1) & String(Pad, " ") & "/" & Hex(Thread(0))
            Thread(4) = Thread(4) + 1
        End If
        Thread(2) = ReadMemory(Thread(2))                     ' follow Flink to the next entry
    Loop While Thread(2) And (Thread(2) <> Thread(3))         ' stop on a null pointer or once the list wraps around
    frmMain.rmdModule.Caption = "路径/共" & Thread(4) & "个线程"
End Sub
Taken from IceFreak's ifThread.bas
2. Enumerating threads (ETHREAD)
Thread(2) = ReadMemory(EProcess + &H190): this line obtains the head of the process's active thread list
lkd> dt _EPROCESS
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
.......................................
+0x190 ThreadListHead : _LIST_ENTRY    Knowledge point 1
--------------------------------------------------------------------------------------
Thread(0) = Thread(2) - &H22C    obtains the ETHREAD
Thread(1) = ReadMemory(Thread(2) + &H1F4 + 4 - &H234)    obtains the TID
--------------------------------------------------------------------------------------
Thread(2) = ReadMemory(Thread(2))    obtains the next ETHREAD (by following Flink to its ThreadListEntry)
lkd> dt _LIST_ENTRY
nt!_LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY    Knowledge point 2
--------------------------------------------------------------------------------------
Loop While Thread(2) And (Thread(2) <> Thread(3))    the check
This statement means: while Thread(2) is True and Thread(2) is not Thread(3).
Why test whether Thread(2) is True? Because in VB, any value other than 0 and negative numbers can be said to equal True,
and Thread(2) is the list base address while Thread(3) is the next EThread.
As long as both conditions hold, the loop keeps running.    Knowledge point 3
--------------------------------------------------------------------------------------
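To make the list walk above concrete without loading a driver, here is an added example in C (not the post's or IceFreak's code). It lays out a constructed memory image with one EPROCESS and a few ETHREADs, links them through ThreadListHead exactly as the _LIST_ENTRY dump shows, and then walks the list using the same offsets the post quotes (0x190, 0x22C, and the TID read that reduces to ETHREAD+0x1F0). The image base, the spacing of the structures and the TID values are constructed. It goes slightly beyond the VB version in two ways a forensic reader cares about: it keeps the head address, not the first entry, as the sentinel, so the head itself is never treated as an ETHREAD, and it bounds the number of steps so a list that never returns to its head (a corrupted or deliberately re-linked Flink) ends the walk with an error instead of spinning forever.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets quoted in the post (XP-era 32-bit layouts). */
#define EPROCESS_THREADLISTHEAD  0x190   /* _EPROCESS.ThreadListHead */
#define ETHREAD_THREADLISTENTRY  0x22C   /* _ETHREAD.ThreadListEntry */
#define ETHREAD_CID_UNIQUETHREAD 0x1F0   /* = 0x22C + (0x1F4 + 4 - 0x234), the post's TID read */
#define MAX_STEPS 4096                   /* assumption: hard bound against a corrupted list */

/* Constructed image standing in for kernel memory (the base address is assumed). */
#define IMAGE_BASE 0x81000000u
#define IMAGE_SIZE 0x8000u
static uint8_t image[IMAGE_SIZE];
#define EPROCESS_VA IMAGE_BASE
static uint32_t ethread_va(int i) { return IMAGE_BASE + 0x1000u * (uint32_t)(i + 1); }

/* Equivalent of the post's ReadMemory: a bounds-checked 32-bit read. */
static int read_memory(uint32_t va, uint32_t *out) {
    if (va < IMAGE_BASE || va > IMAGE_BASE + IMAGE_SIZE - 4) return 0;
    memcpy(out, image + (va - IMAGE_BASE), 4);
    return 1;
}
static void write_memory(uint32_t va, uint32_t v) { memcpy(image + (va - IMAGE_BASE), &v, 4); }

/* Lay out one EPROCESS and n ETHREADs, linked as a circular doubly linked list
   whose head lives inside the EPROCESS, exactly like ThreadListHead. */
static void build_image(int n, const uint32_t *tids) {
    memset(image, 0, sizeof image);
    uint32_t head = EPROCESS_VA + EPROCESS_THREADLISTHEAD, prev = head;
    for (int i = 0; i < n; i++) {
        uint32_t entry = ethread_va(i) + ETHREAD_THREADLISTENTRY;
        write_memory(ethread_va(i) + ETHREAD_CID_UNIQUETHREAD, tids[i]);
        write_memory(prev, entry);       /* prev.Flink  = entry */
        write_memory(entry + 4, prev);   /* entry.Blink = prev  */
        prev = entry;
    }
    write_memory(prev, head);            /* last.Flink = head */
    write_memory(head + 4, prev);        /* head.Blink = last */
}

/* The walk. Returns the thread count, -1 on an unreadable address,
   -2 if the list never comes back to its head within MAX_STEPS. */
int enum_threads(uint32_t eprocess, uint32_t *tids, uint32_t *ethreads, int max) {
    uint32_t head = eprocess + EPROCESS_THREADLISTHEAD, cur, tid;
    int count = 0, steps = 0;
    if (!read_memory(head, &cur)) return -1;                /* head.Flink */
    while (cur && cur != head) {                            /* the post's two loop conditions */
        if (++steps > MAX_STEPS) return -2;
        uint32_t eth = cur - ETHREAD_THREADLISTENTRY;       /* CONTAINING_RECORD */
        if (!read_memory(eth + ETHREAD_CID_UNIQUETHREAD, &tid)) return -1;
        if (tid && count < max) { tids[count] = tid; ethreads[count] = eth; count++; }
        if (!read_memory(cur, &cur)) return -1;             /* cur = cur.Flink */
    }
    return count;
}

/* Demo scenarios over constructed TIDs. */
static uint32_t found_tid[8], found_eth[8];
static const uint32_t sample_tids[3] = {124, 128, 132};

int demo_intact(void) {                  /* healthy list: 3 threads */
    build_image(3, sample_tids);
    return enum_threads(EPROCESS_VA, found_tid, found_eth, 8);
}
uint32_t demo_tid(int i) { return found_tid[i]; }
uint32_t demo_ethread(int i) { return found_eth[i]; }

int demo_null_flink(void) {              /* 2nd entry's Flink zeroed: the walk stops after 2 */
    build_image(3, sample_tids);
    write_memory(ethread_va(1) + ETHREAD_THREADLISTENTRY, 0);
    return enum_threads(EPROCESS_VA, found_tid, found_eth, 8);
}
int demo_cycle_skips_head(void) {        /* last.Flink re-pointed at the 1st entry: head never reached */
    build_image(3, sample_tids);
    write_memory(ethread_va(2) + ETHREAD_THREADLISTENTRY, ethread_va(0) + ETHREAD_THREADLISTENTRY);
    return enum_threads(EPROCESS_VA, found_tid, found_eth, 8);
}

int main(void) {
    int n = demo_intact();
    for (int i = 0; i < n; i++) printf("TID %u / ETHREAD %08X\n", demo_tid(i), demo_ethread(i));
    printf("null Flink -> %d, cycle without head -> %d\n", demo_null_flink(), demo_cycle_skips_head());
    return 0;
}
```

The two failure scenarios are the ones a live walk can actually hit: a zero Flink (caught by the first loop condition, just as in the VB code) and a list that loops without passing through the head (which the VB code cannot detect, because its only exit is reaching the entry it started from). On a real system the offsets must be taken from the symbols of the exact kernel build, which is why the post shows them being read from dt output rather than assumed.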
Attachment: IceFreak.rar (205.44 KB)
Note: don't use End Process, it is still unstable; End Thread works fine.