C++ Wow64GetThreadContext为WOW64_上下文结构成员返回相同的值_C++_C_Debugging_Winapi - Fatal编程技术网

C++ Wow64GetThreadContext 为 WOW64_CONTEXT 结构成员返回相同的值


我正在编译为64位,并在32位(Wow64)进程线程上调用函数。没有为任何函数返回任何错误

但是由于某些原因,每次调用函数时,传递给 `Wow64GetThreadContext` 的 `WOW64_CONTEXT` 结构中的 CPU 寄存器成员总是相同的值。即使我将结构中的每个成员都初始化为 0(`WOW64_CONTEXT wow64ctxt = {0};`),结果也是如此。

据我所知,我做的每件事都是正确的,但我总是在 `WOW64_CONTEXT` 中为每个成员获得相同的值。

这是我的代码:

#define _WIN32_WINNT _WIN32_IE_WIN8
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

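/*
 * Reads a process ID from stdin, confirms the process runs under WOW64,
 * picks one of its threads from a Toolhelp snapshot, briefly suspends it and
 * prints the 32-bit EAX/EBP/EIP captured by Wow64GetThreadContext.
 *
 * Returns 0 when the registers were printed, 1 on any failure. Every handle
 * opened here is closed on all exit paths, and the target thread is resumed
 * whenever it was successfully suspended.
 *
 * NOTE(review): a thread that is blocked in the same wait each time it is
 * sampled is expected to report the same register values on every run, so
 * identical output does not by itself indicate a failed capture.
 */
int main(void)
{
    int rc           = 1;
    DWORD dwPid      = 0;
    DWORD ctxError   = 0;

    BOOL found       = FALSE;
    BOOL wow64       = FALSE;
    BOOL gotContext  = FALSE;

    HANDLE hProcess  = NULL;
    HANDLE hThread   = NULL;
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;

    THREADENTRY32 th32;

    WOW64_CONTEXT wow64ctxt = {0};

    printf("PID: ");

    /* Reject non-numeric input instead of silently continuing with PID 0. */
    if(scanf("%lu", &dwPid) != 1)
    {
        printf("Error reading PID\n");
        return 1;
    }

    /*
     * Least privilege: the process handle is only passed to IsWow64Process,
     * which needs nothing beyond query access. PROCESS_ALL_ACCESS is both
     * unnecessary and more likely to be refused.
     */
    hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPid);

    if(hProcess == NULL)
    {
        printf("Error getting handle to process: %lu\n", GetLastError());
        goto cleanup;
    }

    if(!IsWow64Process(hProcess, &wow64))
    {
        printf("Error determining bitness of process: %lu\n", GetLastError());
        goto cleanup;
    }

    if(!wow64)
    {
        printf("Error, not a 32-bit process... closing program\n");
        goto cleanup;
    }

    /*
     * TH32CS_SNAPTHREAD captures every thread in the system; the process ID
     * argument is not used as a filter, hence the owner check in the loop.
     */
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwPid);

    if(hSnapshot == INVALID_HANDLE_VALUE)
    {
        printf("Error getting thread snapshot: %lu\n", GetLastError());
        goto cleanup;
    }

    th32.dwSize = sizeof(THREADENTRY32);

    if(!Thread32First(hSnapshot, &th32))
    {
        printf("Error Thread32First: %lu\n", GetLastError());
        goto cleanup;
    }

    /*
     * do/while so that the entry returned by Thread32First is examined too;
     * a plain while(Thread32Next(...)) loop skips the first thread.
     */
    do
    {
        if(th32.th32OwnerProcessID == dwPid)
        {
            found = TRUE;
            break;
        }
    } while(Thread32Next(hSnapshot, &th32));

    if(!found)
    {
        printf("Thread could not be found\n");
        goto cleanup;
    }

    /* Only the rights needed to suspend/resume, query and read the context. */
    hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_QUERY_INFORMATION,
                         FALSE, th32.th32ThreadID);

    if(hThread == NULL)
    {
        printf("Error getting a handle to thread %lu: %lu\n", th32.th32ThreadID, GetLastError());
        goto cleanup;
    }

    /*
     * The snapshot is a point-in-time copy: the thread may have exited and
     * its ID been reused since. Confirm ownership before suspending anything.
     */
    if(GetProcessIdOfThread(hThread) != dwPid)
    {
        printf("Error, thread %lu no longer belongs to process %lu\n", th32.th32ThreadID, dwPid);
        goto cleanup;
    }

    /* Wow64SuspendThread returns a DWORD; (DWORD)-1 signals failure. */
    if(Wow64SuspendThread(hThread) == (DWORD)-1)
    {
        printf("Error suspending thread: %lu\n", GetLastError());
        goto cleanup;
    }

    wow64ctxt.ContextFlags = WOW64_CONTEXT_FULL;

    gotContext = Wow64GetThreadContext(hThread, &wow64ctxt);

    if(!gotContext)
    {
        /* Save the code now; ResumeThread below may overwrite it. */
        ctxError = GetLastError();
    }

    /* Resume before any further work so the target is never left frozen. */
    if(ResumeThread(hThread) == (DWORD)-1)
    {
        printf("Error resuming thread: %lu\n", GetLastError());
    }

    if(!gotContext)
    {
        /* Do not print the zero-initialised structure as if it were real data. */
        printf("Error getting thread context: %lu\n", ctxError);
        goto cleanup;
    }

    printf("EAX: %lu\n", wow64ctxt.Eax);
    printf("EBP: %lu\n", wow64ctxt.Ebp);
    printf("EIP: %lu\n", wow64ctxt.Eip);

    rc = 0;

cleanup:
    if(hThread != NULL)
    {
        CloseHandle(hThread);
    }

    if(hSnapshot != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hSnapshot);
    }

    if(hProcess != NULL)
    {
        CloseHandle(hProcess);
    }

    return rc;
}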

为什么您认为上下文值是错误的?在大多数 GUI 程序中,主线程大部分时间都在进行相同的操作系统调用,等待传入的消息。因此很可能大多数甚至所有寄存器的值都是相同的,除非您碰巧在线程正在做一些更有趣的事情时捕获了它。这可以解释您的观察结果吗?