Getting the TEB of a 64-bit process on Windows
Question
I'm trying to get the TEB of a 64-bit remote thread in Windows 8.
Following the definition from here, I do this:
/* Hand-summed size of _THREAD_BASIC_INFORMATION (no padding accounted for) */
sz = sizeof(NTSTATUS) + sizeof(PTEB) + sizeof(HANDLE) + sizeof(HANDLE) + sizeof(ULONG_PTR) + sizeof(LONG) + sizeof(LONG);
infoBuff = malloc(sz);
/* THREADINFOCLASS 0 is ThreadBasicInformation */
stat = NtQueryInformationThread(mainThread, (THREADINFOCLASS) 0, infoBuff, sz, NULL);
if (!NT_SUCCESS(stat)) {
    printf("ERROR (code 0x%x): Cannot get information about the main TEB.\n", stat);
    return 1;
}
If I compile for 32-bit, sz is 0x1C and the call returns successfully. If I compile for 64-bit, sz is 0x2C but the call returns status 0xC0000004: STATUS_INFO_LENGTH_MISMATCH.
Any idea what the right size of _THREAD_BASIC_INFORMATION is on 64-bit targets? Or maybe an alternate way of getting a remote TEB?
Thanks, Alex
Accepted answer
There's padding in the struct which you are not allowing for, hence the STATUS_INFO_LENGTH_MISMATCH error.
The easiest and most reliable way to find out the size of the struct is to get the compiler to work it out:
sizeof(THREAD_BASIC_INFORMATION)
Anyway, you can work it out by hand readily enough:
Type       Name                 Offset  Size
----       ----                 ------  ----
NTSTATUS   ExitStatus;               0     4
           (padding)                 4     4
PVOID      TebBaseAddress;           8     8
CLIENT_ID  ClientId;                16    16
KAFFINITY  AffinityMask;            32     8
KPRIORITY  Priority;                40     4
KPRIORITY  BasePriority;            44     4
So that would make the total size of the struct 48 bytes, or 0x30.
The padding is to ensure that TebBaseAddress is 8-byte aligned.
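The layout from the answer, as an added example (not code from the question or answer): it declares THREAD_BASIC_INFORMATION with portable stand-ins for the Windows types so it compiles on any 64-bit compiler, and contrasts the questioner's hand-summed 0x2C with the compiler's sizeof of 0x30 and the offset of TebBaseAddress. The type definitions are constructed for this example; on Windows the real winternl.h/ntdll definitions apply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Windows types, sized as on a 64-bit target
   (constructed for this example, not taken from the Windows headers). */
typedef int32_t   NTSTATUS;
typedef int32_t   LONG;
typedef void     *PVOID, *HANDLE, *PTEB;
typedef uintptr_t ULONG_PTR, KAFFINITY;
typedef LONG      KPRIORITY;
typedef struct { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;

/* THREAD_BASIC_INFORMATION laid out as in the answer's table. */
typedef struct {
    NTSTATUS  ExitStatus;      /* offset 0,  4 bytes; compiler inserts 4 bytes of padding */
    PVOID     TebBaseAddress;  /* offset 8,  8 bytes; must be 8-byte aligned */
    CLIENT_ID ClientId;        /* offset 16, 16 bytes */
    KAFFINITY AffinityMask;    /* offset 32, 8 bytes */
    KPRIORITY Priority;        /* offset 40, 4 bytes */
    KPRIORITY BasePriority;    /* offset 44, 4 bytes */
} THREAD_BASIC_INFORMATION;

/* The questioner's hand-summed size: field sizes only, no alignment padding. */
size_t summed_size(void) {
    return sizeof(NTSTATUS) + sizeof(PTEB) + sizeof(HANDLE) + sizeof(HANDLE)
         + sizeof(ULONG_PTR) + sizeof(LONG) + sizeof(LONG);
}

/* The size the kernel checks the buffer length against: the compiler's layout. */
size_t real_size(void) { return sizeof(THREAD_BASIC_INFORMATION); }

/* How many padding bytes the naive sum leaves out (4 on 64-bit, 0 on 32-bit). */
size_t missing_padding(void) { return real_size() - summed_size(); }

/* Where TebBaseAddress actually lives; equals the pointer size on both targets. */
size_t teb_offset(void) { return offsetof(THREAD_BASIC_INFORMATION, TebBaseAddress); }

int main(void) {
    /* On a 64-bit build: summed 0x2c, sizeof 0x30, padding 4, TebBaseAddress @ 8 */
    printf("summed 0x%zx, sizeof 0x%zx, padding %zu, TebBaseAddress @ %zu\n",
           summed_size(), real_size(), missing_padding(), teb_offset());
    return 0;
}
```

Passing real_size() rather than the hand sum as the buffer length is what avoids STATUS_INFO_LENGTH_MISMATCH on the 64-bit build.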