调用微软未公开函数ZwQueryInformationThread
网上挺多帖子说得到的地址值为全 c。查阅部分资料后发现，64 位系统与 32 位系统有一些区别，主要是 _THREAD_BASIC_INFORMATION
结构体的长度不同，各成员的大小有出入。
经更改后的代码如下:
/*
 * THREADINFOCLASS: information-class selector passed to ZwQueryInformationThread.
 * Only ThreadBasicInformation (0) is used on this page; the remaining members are
 * listed so the numbering stays aligned with the (undocumented) kernel enum.
 * Values 36-40, 43 and 44 are deliberately not named here, so the explicit
 * initializers must be kept: dropping them would renumber
 * ThreadActualGroupAffinity and ThreadDynamicCodePolicyInfo.
 * NOTE(review): this is not a public SDK definition; confirm the values against
 * the target Windows version before relying on any class other than 0.
 */
typedef enum _THREADINFOCLASS {
ThreadBasicInformation = 0,
ThreadTimes = 1,
ThreadPriority = 2,
ThreadBasePriority = 3,
ThreadAffinityMask = 4,
ThreadImpersonationToken = 5,
ThreadDescriptorTableEntry = 6,
ThreadEnableAlignmentFaultFixup = 7,
ThreadEventPair_Reusable = 8,
ThreadQuerySetWin32StartAddress = 9,
ThreadZeroTlsCell = 10,
ThreadPerformanceCount = 11,
ThreadAmILastThread = 12,
ThreadIdealProcessor = 13,
ThreadPriorityBoost = 14,
ThreadSetTlsArrayAddress = 15, // Obsolete
ThreadIsIoPending = 16,
ThreadHideFromDebugger = 17,
ThreadBreakOnTermination = 18,
ThreadSwitchLegacyState = 19,
ThreadIsTerminated = 20,
ThreadLastSystemCall = 21,
ThreadIoPriority = 22,
ThreadCycleTime = 23,
ThreadPagePriority = 24,
ThreadActualBasePriority = 25,
ThreadTebInformation = 26,
ThreadCSwitchMon = 27, // Obsolete
ThreadCSwitchPmu = 28,
ThreadWow64Context = 29,
ThreadGroupInformation = 30,
ThreadUmsInformation = 31, // UMS
ThreadCounterProfiling = 32,
ThreadIdealProcessorEx = 33,
ThreadCpuAccountingInformation = 34,
ThreadSuspendCount = 35,
/* 36-40 intentionally unnamed; explicit values below keep the numbering */
ThreadActualGroupAffinity = 41,
ThreadDynamicCodePolicyInfo = 42,
/* 43-44 intentionally unnamed */
MaxThreadInfoClass = 45,
} THREADINFOCLASS;
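/*
 * Pointer type for the ntdll export ZwQueryInformationThread.
 *
 * ThreadHandle            handle to the thread being queried.
 * ThreadInformationClass  selector from THREADINFOCLASS.
 * ThreadInformation       caller-supplied buffer the function WRITES into; it is
 *                         therefore annotated _Out_writes_bytes_ rather than _In_
 *                         so static analysis tracks it as output.
 * ThreadInformationLength size of that buffer in bytes (must match the class).
 * ReturnLength            optional; receives the number of bytes written.
 * Returns an NTSTATUS; STATUS_SUCCESS on success.
 */
typedef NTSTATUS(WINAPI* ZWQUERYINFORMATIONTHREAD)(
    _In_ HANDLE ThreadHandle,
    _In_ THREADINFOCLASS ThreadInformationClass,
    _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
    _In_ ULONG ThreadInformationLength,
    _Out_opt_ PULONG ReturnLength
);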
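/*
 * CLIENT_ID as embedded in THREAD_BASIC_INFORMATION.  The kernel definition
 * (ntddk.h) holds two HANDLE fields, i.e. two pointer-sized values.  ULONG_PTR
 * is 4 bytes on x86 and 8 bytes on x64, so the layout is right on both, whereas
 * the previous fixed 64-bit fields matched only the x64 layout.  ULONG_PTR is
 * used instead of HANDLE so the existing arithmetic use of UniqueProcess (it is
 * passed to OpenProcess as a pid) keeps compiling without a cast.
 */
typedef struct _CLIENT_ID {
    ULONG_PTR UniqueProcess; /* process id, pointer-sized */
    ULONG_PTR UniqueThread;  /* thread id, pointer-sized */
} CLIENT_ID;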
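/*
 * THREAD_BASIC_INFORMATION: buffer filled by ZwQueryInformationThread for
 * ThreadBasicInformation.
 *
 * ExitStatus is an NTSTATUS (a 4-byte LONG).  On x64 the compiler pads 4 bytes
 * after it so TebBaseAddress lands on an 8-byte boundary, which gives exactly
 * the offsets the earlier LONG64 version produced; on x86 no padding is needed,
 * and a LONG64 there would shift every following field by 4 bytes.  Using the
 * natural type therefore makes the struct correct for both architectures.
 * Priority/BasePriority are KPRIORITY, which is LONG.
 */
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;      /* 4 bytes; x64 pads to the pointer below */
    PVOID TebBaseAddress;     /* base of the thread's TEB */
    CLIENT_ID ClientId;       /* pid / tid pair */
    KAFFINITY AffinityMask;   /* ULONG_PTR: pointer-sized */
    LONG Priority;            /* KPRIORITY */
    LONG BasePriority;        /* KPRIORITY */
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;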
/* Resolved by init(); stays NULL (zero-initialized global) until GetProcAddress
 * succeeds, so every caller must test it before calling through it.
 * NOTE(review): the variable carries the same name as the ntdll export; if the
 * project ever links ntdll.lib the symbols will collide — a distinct name such
 * as pfnZwQueryInformationThread would avoid that. */
ZWQUERYINFORMATIONTHREAD ZwQueryInformationThread;
/*
 * Load ntdll.dll and resolve the export named by szFuncNmae into the global
 * ZwQueryInformationThread.
 *
 * Returns the module handle, or NULL when LoadLibrary failed.  A non-NULL
 * return does NOT guarantee the export was found: GetProcAddress may yield
 * NULL and the global must be checked separately by the caller.  The module
 * reference taken by LoadLibrary is handed to the caller, who owns it.
 */
HMODULE init(LPCSTR szFuncNmae)
{
    HMODULE hNtdll = LoadLibrary(_T("ntdll.dll"));
    if (hNtdll == NULL) {
        return NULL;
    }
    FARPROC proc = GetProcAddress(hNtdll, szFuncNmae);
    ZwQueryInformationThread = (ZWQUERYINFORMATIONTHREAD)proc;
    return hNtdll;
}
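/* Resolve the export and, when it is available, query the basic information of
 * hThread.  hThread, EnableDebugPrivilege and tebHandleString are declared by
 * the surrounding code, not in this snippet.
 * NOTE(review): the module reference returned by init() is never released here;
 * that is harmless for ntdll, which stays mapped for the life of the process,
 * but FreeLibrary(hModule) would be the matching call once the pointer is no
 * longer needed. */
HMODULE hModule = init("ZwQueryInformationThread");
if (hModule && ZwQueryInformationThread)
{
    THREAD_BASIC_INFORMATION bi;
    ULONG lRet = 0;          /* ReturnLength is a PULONG: initialize with 0, not NULL */
    ZeroMemory(&bi, sizeof bi);
    /* sizeof bi rather than sizeof(_THREAD_BASIC_INFORMATION): the tag form is
     * only valid in C++ (C needs the struct keyword) and sizeof bi cannot drift
     * from the variable's actual type. */
    NTSTATUS status = ZwQueryInformationThread(hThread, ThreadBasicInformation, &bi, sizeof bi, &lRet);
    if (status == STATUS_SUCCESS) {
        EnableDebugPrivilege(TRUE);
        /* UniqueProcess is pointer-sized; narrow explicitly to the DWORD pid that
         * OpenProcess expects instead of relying on an implicit truncation.
         * NOTE(review): if the handle is only needed for limited queries,
         * PROCESS_QUERY_LIMITED_INFORMATION is the smaller access right. */
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)(ULONG_PTR)bi.ClientId.UniqueProcess);
        tebHandleString.Format(_T("0x%p"), bi.TebBaseAddress);
        /* hProcess goes out of scope at the closing brace below, so it must be
         * closed here or it leaks.  If later code needs it, move the handle out
         * of this block rather than deleting the close. */
        if (hProcess) {
            CloseHandle(hProcess);
        }
    }
}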
参考:http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FTHREAD_INFORMATION_CLASS.html
https://0xnope.top/2021/03/15/TEB/#Ntdll-NtCurrentTeb
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ps/psquery/class.htm?tx=133