R3遍历线程TEB 跨进程遍历 ThreadContext

发表于 2021-12-29 00:33:02 | 显示全部楼层 |阅读模式

GetThreadContext
R3遍历线程TEB

ZwQueryInformationThread的0号调用(ThreadBasicInformation),返回类型为_THREAD_BASIC_INFORMATION,定义如下:

// Output buffer layout for NtQueryInformationThread(ThreadBasicInformation).
// Pass sizeof(THREAD_BASIC_INFORMATION) as ThreadInformationLength; the call
// fills the struct for the thread referenced by ThreadHandle.
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;        // exit status of the thread (presumably meaningful only after it has exited — confirm)
    PTEB TebBaseAddress;        // user-mode address of the thread's TEB; the field this post is interested in
    CLIENT_ID ClientId;         // UniqueProcess / UniqueThread pair identifying the owning process and the thread
    ULONG_PTR AffinityMask;     // processor affinity mask of the thread
    KPRIORITY Priority;         // current (dynamic) priority
    LONG BasePriority;          // base priority
} THREAD_BASIC_INFORMATION;

其中的 TebBaseAddress 字段即该线程的 TEB 地址。
ZwQueryInformationThread 的 ThreadHandle 参数即线程句柄 hThread。

函数原型等:

// Native (ntdll) prototype. ThreadInformation receives ThreadInformationLength
// bytes of the structure selected by ThreadInformationClass; ReturnLength, when
// supplied, receives the number of bytes the class actually needs. The call
// returns an NTSTATUS, so test it with NT_SUCCESS rather than against zero.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationThread (
    __in HANDLE ThreadHandle,                                    // thread handle; needs THREAD_QUERY_INFORMATION access — verify for the class used
    __in THREADINFOCLASS ThreadInformationClass,                // e.g. ThreadBasicInformation (0)
    __out_bcount(ThreadInformationLength) PVOID ThreadInformation, // caller-owned output buffer
    __in ULONG ThreadInformationLength,                          // size of that buffer in bytes
    __out_opt PULONG ReturnLength                                // optional: bytes required/written
    );
// Information classes accepted by NtQueryInformationThread. The enumerators are
// numbered from 0 in declaration order, so ThreadBasicInformation is class 0 and
// yields a THREAD_BASIC_INFORMATION. Note ThreadHideFromDebugger is a set-only
// class used by anti-debug code; it is listed here because the enum is shared
// with NtSetInformationThread.
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation,      // 0: THREAD_BASIC_INFORMATION (TEB address, ClientId, priorities)
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair_Reusable,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,
    ThreadBreakOnTermination,
    ThreadSwitchLegacyState,
    ThreadIsTerminated,
    MaxThreadInfoClass           // one past the last valid class; not a real class
    } THREADINFOCLASS;
PVOID ThreadInformation 是指向接收返回数据的缓冲区的指针，ThreadInformationLength 为该缓冲区的字节数。




//56 SystemPrefetcherInformation

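// Walks the SYSTEM_PROCESS_INFORMATION list returned by
// NtQuerySystemInformation(SystemExtendedProcessInformation /* 57 */) and
// prints each process entry followed by the SYSTEM_EXTENDED_THREAD_INFORMATION
// records that immediately follow it in the buffer.
//
// pspri1: first entry of the buffer (may be null; nothing is printed then).
// Entries are chained by NextEntryOffset (bytes from the start of the current
// entry); the last entry has NextEntryOffset == 0.
//
// The buffer comes from the kernel but the walk is still bounded defensively:
// thread records are counted with NumberOfThreads and, when a next entry
// exists, must also fit before it, so a short or inconsistent buffer cannot
// drive the thread pointer past the process entry it belongs to.
void GetSystemExtendedProcessInformation(NTDEFS::SYSTEM_PROCESS_INFORMATION* pspri1)//57
{
        cout << "\t\t57 SystemExtendedProcessInformation" << endl;
        if (!pspri1)
                return;
        for (;;)
        {
                // UNICODE_STRING.Buffer is not guaranteed to be NUL-terminated and
                // Length is a byte count, so build the wstring from the explicit length
                // instead of scanning for a terminator.
                if (pspri1->ImageName.Buffer)
                        wcout << "\tImageName:" << wstring((wchar_t*)pspri1->ImageName.Buffer, pspri1->ImageName.Length / sizeof(wchar_t)) << endl;
                else
                        wcout << "no name" << endl;
                cout << "\t线程数:" << pspri1->NumberOfThreads << endl;
                printseg(pspri1->SpareLi1.QuadPart);
                printseg(pspri1->SpareLi2.QuadPart);
                printseg(pspri1->SpareLi3.QuadPart);
                cout << "\t创建时间:" << pspri1->CreateTime.QuadPart << endl;
                cout << "\t用户态时间:" << pspri1->UserTime.QuadPart << endl;
                cout << "\t内核态时间:" << pspri1->KernelTime.QuadPart << endl;
                cout << "\t基础优先级:" << pspri1->BasePriority << endl;
                // The ids are HANDLE-sized; an (int) cast truncates them on x64, so
                // widen through ULONG_PTR instead.
                cout << "\t进程Id:" << (ULONG_PTR)pspri1->UniqueProcessId << endl;
                cout << "\t父进程Id:" << (ULONG_PTR)pspri1->InheritedFromUniqueProcessId << endl;
                cout << "\t句柄数:" << pspri1->HandleCount << endl;
                cout << "\t会话Id:" << pspri1->SessionId << endl;
                cout << "\t页目录机制:" << pspri1->PageDirectoryBase << endl;
                cout << "\t虚拟内存峰值:" << pspri1->PeakVirtualSize << endl;
                cout << "\t虚拟内存大小:" << pspri1->VirtualSize << endl;
                cout << "\t页错误数:" << pspri1->PageFaultCount << endl;
                cout << "\t物理内存峰值:" << pspri1->PeakWorkingSetSize << endl;
                cout << "\t物理内存大小:" << pspri1->WorkingSetSize << endl;
                cout << "\t分页池配额峰值:" << pspri1->QuotaPeakPagedPoolUsage << endl;
                cout << "\t分页池配额:" << pspri1->QuotaPagedPoolUsage << endl;
                cout << "\t非分页池配额峰值:" << pspri1->QuotaPeakNonPagedPoolUsage << endl;
                cout << "\t非分页池配额:" << pspri1->QuotaNonPagedPoolUsage << endl;
                cout << "\t页面文件使用:" << pspri1->PagefileUsage << endl;
                cout << "\t页面文件使用峰值:" << pspri1->PeakPagefileUsage << endl;
                cout << "\t私有页面数:" << pspri1->PrivatePageCount << endl;
                cout << "\t读操作数:" << pspri1->ReadOperationCount.QuadPart << endl;
                cout << "\t写操作数:" << pspri1->WriteOperationCount.QuadPart << endl;
                cout << "\t其他操作数:" << pspri1->OtherOperationCount.QuadPart << endl;
                cout << "\t读字节数:" << pspri1->ReadTransferCount.QuadPart << endl;
                cout << "\t写字节数:" << pspri1->WriteTransferCount.QuadPart << endl;
                cout << "\t其他字节数:" << pspri1->OtherTransferCount.QuadPart << endl;

                // Thread records start right after the process entry. NumberOfThreads is
                // the primary bound; the start of the next entry is an extra upper bound
                // when there is one. Bounding only by "pesti < next entry" was wrong for
                // the last entry: NextEntryOffset == 0 made next == current, so the last
                // process's threads were silently skipped.
                const bool hasNext = pspri1->NextEntryOffset != 0;
                NTDEFS::SYSTEM_PROCESS_INFORMATION* newpspri1 = (NTDEFS::SYSTEM_PROCESS_INFORMATION*)((BYTE*)pspri1 + pspri1->NextEntryOffset);
                NTDEFS::SYSTEM_EXTENDED_THREAD_INFORMATION* pesti = (NTDEFS::SYSTEM_EXTENDED_THREAD_INFORMATION*)(pspri1 + 1);
                for (ULONG threadindex = 0; threadindex < pspri1->NumberOfThreads; ++threadindex, ++pesti)
                {
                        // The whole record must fit before the next process entry.
                        if (hasNext && (BYTE*)(pesti + 1) > (BYTE*)newpspri1)
                                break;
                        cout << "\t内核态时间:" << pesti->ThreadInfo.KernelTime.QuadPart << endl;
                        cout << "\t用户态时间:" << pesti->ThreadInfo.UserTime.QuadPart << endl;
                        cout << "\t创建时间:" << pesti->ThreadInfo.CreateTime.QuadPart << endl;
                        cout << "\t等待时间:" << pesti->ThreadInfo.WaitTime << endl;
                        cout << "\t起始地址:" << hex << pesti->ThreadInfo.StartAddress << endl;
                        cout << "\tUniqueProcess:" << hex << pesti->ThreadInfo.ClientId.UniqueProcess << endl;
                        cout << "\tUniqueThread:" << hex << pesti->ThreadInfo.ClientId.UniqueThread << endl;
                        cout << dec;
                        cout << "\t优先级:" << pesti->ThreadInfo.Priority << endl;
                        cout << "\t基础优先级:" << pesti->ThreadInfo.BasePriority << endl;
                        cout << "\t模式切换次数:" << pesti->ThreadInfo.ContextSwitches << endl;
                        cout << "\t线程状态:" << pesti->ThreadInfo.ThreadState << endl;
                        cout << "\t等待原因:" << pesti->ThreadInfo.WaitReason << endl;
                        cout << "\t栈基址:" << hex << pesti->StackBase << endl;
                        cout << "\t栈范围:" << hex << pesti->StackLimit << endl;
                        cout << "\tWin32StartAddress" << hex << pesti->Win32StartAddress << endl;
                        cout << dec;   // restore decimal output for the next entry
                }

                if (!hasNext)
                        break;       // NextEntryOffset == 0 marks the final entry
                pspri1 = newpspri1;
        }
}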


