C NtQueryInformationThread在我的代码中总是失败吗?
我想使用进程ID和线程ID检索进程的线程开始地址。C NtQueryInformationThread在我的代码中总是失败吗?,c,windows,multithreading,winapi,C,Windows,Multithreading,Winapi,我想使用进程ID和线程ID检索进程的线程开始地址。 这是我的密码: DWORD WINAPI GetThreadStartAddress(DWORD tid, DWORD pid) { NTSTATUS ntStatus; HANDLE hDupHandle; DWORD dwStartAddress; HANDLE hProcess; HANDLE hTread; pNtQIT NtQueryInformationThread; hTread = OpenThread(T
这是我的密码:
DWORD WINAPI GetThreadStartAddress(DWORD tid, DWORD pid)
{
NTSTATUS ntStatus;
HANDLE hDupHandle;
DWORD dwStartAddress;
HANDLE hProcess;
HANDLE hTread;
pNtQIT NtQueryInformationThread;
hTread = OpenThread(THREAD_ALL_ACCESS, FALSE, tid);
NtQueryInformationThread = (pNtQIT)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationThread");
if(NtQueryInformationThread == NULL)
return 0;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
SuspendThread(hTread);
if(!DuplicateHandle(hProcess, hTread, hProcess, &hDupHandle, THREAD_QUERY_INFORMATION, FALSE, 0)){
SetLastError(ERROR_ACCESS_DENIED);
return 0;
}
ntStatus = NtQueryInformationThread(hDupHandle, ThreadQuerySetWin32StartAddress, &dwStartAddress, sizeof(DWORD), NULL);
ResumeThread(hTread );
CloseHandle(hTread);
CloseHandle(hProcess);
CloseHandle(hDupHandle);
if (ntStatus != 0)
return 0;
return dwStartAddress;
但ntStatus始终不是0。为什么?假设
pidhDupHandleDuplicateHandleDuplicateHandle(GetCurrentProcess(), hTread, GetCurrentProcess(), &hDupHandle,
THREAD_QUERY_INFORMATION, FALSE, 0)
虽然我不知道为什么您首先要复制句柄,而不是直接使用它。OpenThread&OpenProcess可能会失败(特别是由于权限不足)。在调用NtQueryInformationThread之前,需要确保具有有效的句柄。ntStatus的值是多少?文档中:“NTSTATUS错误代码的形式和意义列在DDK中可用的NTSTATUS.h头文件中,并在DDK文档的内核模式驱动程序体系结构/设计指南/驱动程序编程技术/日志错误下进行了描述。”您是否为调用过程启用了
SeDebugPrivilegeOpenThread()OpenProcess()dwStartAddressPVOID