如何使用 LoadLibrary() 和 GetProcAddress() 函数将 ntdll.dll 添加到项目库? [英] How to add ntdll.dll to project libraries with LoadLibrary() and GetProcAddress() functions?

问题描述

我想用 NtQueryInformationThread 获取线程的起始地址，但我需要添加它的库.我该怎么做?

I want to get the thread's start address with NtQueryInformationThread, but I need to add its library. How can I do that?

推荐答案

我使用了 NtQueryInformationThread 而无需加载 ntdll(在我看来是自动加载的).我只需要准备一个包含以下内容的特殊头文件:http://pastebin.com/ieEqR0eL 并包含它在我的项目中.之后，我能够做这样的事情:

I used NtQueryInformationThread without any need of loading ntdll (which in my opinion is loaded automatically). I had only to prepare a special header file with such content: http://pastebin.com/ieEqR0eL and include it in my project. After that I was able to do something like this:

NTSTATUS status;
THREAD_BASIC_INFORMATION basicInfo;
typedef NTSTATUS ( WINAPI *NQIT )( HANDLE, LONG, PVOID, ULONG, PULONG );

/* Open thread */
HANDLE thread = OpenThread(THREAD_ALL_ACCESS, false, threadId);
/* Get the address of NtQueryInformationThread function. */ 
NQIT NtQueryInformationThread = ( NQIT )GetProcAddress( GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationThread" );
/* Get basic thread information */
status = NtQueryInformationThread(thread, 0, &basicInfo, sizeof(basicInfo), NULL);
CloseHandle(thread);

/* Get address of the Thread Environment Block, stack start address and last stack address */
tebAddress = (DWORD)basicInfo.TebBaseAddress;
DWORD pebAddress = *((DWORD*)(tebAddress+0x30));
/* For example to get stack base address */
stackBase = *((DWORD*)(tebAddress+4));
stackLimit = *((DWORD*)(tebAddress+8));

这篇关于如何使用 LoadLibrary() 和 GetProcAddress() 函数将 ntdll.dll 添加到项目库?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！