如何使用线程 ID 检索线程的起始地址? [英] How to retrieve start address of a thread using its ID?

问题描述

我想使用线程的 ID 获取线程的起始地址.可能吗?

I want to get the start address of a thread using it's ID. Is it possible?

推荐答案

嗯，这并不是微不足道的，原因如下:在 Win32 子系统中所有线程都具有相同的起始地址.在 Windows 到(但不包括)Vista 中，它位于 kernel32.dll(根据官方符号命名为 BaseThreadStartThunk).在从 Vista 开始的 Windows 版本中，公共起始地址现在是 ntdll.dll 中的 RtlUserThreadStart(并且 BaseThreadStartThunk 重命名为 BaseThreadInitThunk 并且现在似乎只执行 Win32 特定的任务).

Well, this is not really trivial for the following reason: in the Win32 subsystem all threads have the same start address. In Windows up to (but not including) Vista it was inside kernel32.dll (named BaseThreadStartThunk according to the official symbols). In Windows versions starting with Vista, the common start address is now RtlUserThreadStart in ntdll.dll (and BaseThreadStartThunk got renamed to BaseThreadInitThunk and seemingly only does the Win32-specific tasks now).

但是，您可以尝试的是挂起线程，检索其CONTEXT(使用GetThreadContext)并从中遍历堆栈到其顶部调查那里的参数.它需要对 kernel32.dll 线程启动例程的每个实现进行一些逆向工程，但它应该是可行的.

However, what you could attempt is to suspend the thread, retrieve its CONTEXT (using GetThreadContext) and from that traverse the stack back to its top to investigate the parameters there. It will require some reverse-engineering of each implementation of the kernel32.dll thread start routine, but it should be doable.

另一种方法是使用未记录的原生 API NtQueryInformationThread 和 ThreadQuerySetWin32StartAddress.还有关于该功能的一个 MSDN 页面，但是它远未完成.

An alternative is to use the undocumented native API NtQueryInformationThread with ThreadQuerySetWin32StartAddress. There is also an MSDN page about the function, but it is far from complete.

这篇关于如何使用线程 ID 检索线程的起始地址?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！