How to retrieve starting address of a thread in windows?

Submitted by 爷,独闯天下 on 2021-02-06 05:32:27

Question


I'm working on a mini windows process explorer in C, I have a handle to a thread.
How can I retrieve starting address of that thread? Something like this:


Answer 1:


Such a question was already asked a few days ago. Here is a sample solution:

#include <windows.h>
#include <winternl.h>   /* NTSTATUS and THREADINFOCLASS */

/* ThreadQuerySetWin32StartAddress is THREADINFOCLASS value 9. Older SDKs do not
   declare it; the header linked below also provides it and the pNtQIT typedef. */
#define ThreadQuerySetWin32StartAddress ((THREADINFOCLASS)9)
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif

/* Prototype of the undocumented ntdll export NtQueryInformationThread. */
typedef NTSTATUS (NTAPI *pNtQIT)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass,
                                 PVOID ThreadInformation, ULONG ThreadInformationLength,
                                 PULONG ReturnLength);

/* Returns the thread's Win32 start address, or 0 on failure.
   The buffer is DWORD_PTR rather than DWORD so the value is not truncated
   (and the call does not fail with a length mismatch) on 64-bit Windows. */
DWORD_PTR WINAPI GetThreadStartAddress(HANDLE hThread)
{
    NTSTATUS ntStatus;
    HANDLE hDupHandle;
    DWORD_PTR dwStartAddress = 0;

    pNtQIT NtQueryInformationThread = (pNtQIT)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread");

    if (NtQueryInformationThread == NULL)
        return 0;

    /* Duplicate the handle with exactly the right we need for the query. */
    HANDLE hCurrentProcess = GetCurrentProcess();
    if (!DuplicateHandle(hCurrentProcess, hThread, hCurrentProcess, &hDupHandle, THREAD_QUERY_INFORMATION, FALSE, 0)) {
        SetLastError(ERROR_ACCESS_DENIED);
        return 0;
    }

    ntStatus = NtQueryInformationThread(hDupHandle, ThreadQuerySetWin32StartAddress, &dwStartAddress, sizeof(dwStartAddress), NULL);
    CloseHandle(hDupHandle);
    if (ntStatus != STATUS_SUCCESS)
        return 0;

    return dwStartAddress;
}

Source: http://forum.sysinternals.com/how-to-get-the-start-address-and-modu_topic5127_post18072.html#18072

You might have to include this file: http://pastebin.com/ieEqR0eL

Related question: How to add ntdll.dll to project libraries with LoadLibrary() and GetProcAddress() functions?
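Process Explorer displays a thread's start address as "module+offset", which is more useful than the raw number, and a start address that lies in no loaded module is one of the classic indicators of injected code. The following added example (not part of the answer above, and not Sysinternals code) shows that second step in portable C: given a start address and a table of loaded modules, it resolves the address to a module name and offset. On Windows the start address would come from a function like GetThreadStartAddress above and the module table from CreateToolhelp32Snapshot/Module32First/Module32Next; here the module table is constructed sample data so the code runs anywhere.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One loaded module: the fields a Windows MODULEENTRY32 would supply
   (module name, image base, image size). */
typedef struct {
    const char *name;
    uintptr_t   base;
    size_t      size;
} ModuleInfo;

/* Constructed sample module table; these are not addresses from a real process. */
static const ModuleInfo SAMPLE_MODULES[] = {
    { "explorer.exe", 0x00400000u, 0x00200000u },
    { "ntdll.dll",    0x77000000u, 0x00180000u },
    { "kernel32.dll", 0x76800000u, 0x00100000u },
};
#define SAMPLE_MODULE_COUNT (sizeof SAMPLE_MODULES / sizeof SAMPLE_MODULES[0])

/* Find the module whose image range [base, base+size) contains addr; NULL if none does. */
const ModuleInfo *find_module(uintptr_t addr, const ModuleInfo *mods, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    }
    return NULL;
}

/* Format a thread start address as Process Explorer's Threads tab does
   ("module+0xoffset"). Returns 1 when the address is inside a known module,
   0 when it is not; in the latter case the output is "<no module>+0xaddress",
   which is the case worth investigating, since legitimate threads almost
   always begin inside a mapped image. */
int describe_start_address(uintptr_t start, const ModuleInfo *mods, size_t count,
                           char *out, size_t outlen)
{
    const ModuleInfo *m = find_module(start, mods, count);
    if (m == NULL) {
        snprintf(out, outlen, "<no module>+0x%" PRIxPTR, start);
        return 0;
    }
    snprintf(out, outlen, "%s+0x%" PRIxPTR, m->name, (uintptr_t)(start - m->base));
    return 1;
}

int main(void)
{
    /* Two constructed start addresses: one inside ntdll.dll, one in unmapped space. */
    uintptr_t starts[] = { 0x77012340u, 0x10000000u };
    char buf[64];
    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++) {
        int known = describe_start_address(starts[i], SAMPLE_MODULES, SAMPLE_MODULE_COUNT, buf, sizeof buf);
        printf("%s%s\n", buf, known ? "" : "   <-- not in any loaded module");
    }
    return 0;
}
```

Replace the sample table with the snapshot of the target process and feed it the value returned by GetThreadStartAddress; on a 64-bit process the addresses exceed 32 bits, which is why the start address must be held in a pointer-sized type.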




Answer 2:


NtQueryInformationThread with ThreadQuerySetWin32StartAddress. Another possibility is to walk the thread's stack with StackWalk64.

If you only need the start address, NtQueryInformationProcess is a lot simpler. Even with fairly terse coding, walking the stack takes a couple hundred lines of code or so.




Answer 3:


You should be able to get a stack trace with StackWalk64 or a related function, and then parse it with dbghelp.dll.

This CodeProject article explains it all in detail: http://www.codeproject.com/KB/threads/StackWalker.aspx



Source: https://stackoverflow.com/questions/11147846/how-to-retrieve-starting-address-of-a-thread-in-windows
