從FS寄存器獲取當(dāng)前線程ID
int GetThreadId()
{
int ithread = 0;
_asm{
xor esi , esi
mov eax, fs:[esi+18h]
mov ecx, [eax+ 20h]
mov eax, [eax+ 24h]
mov dword ptr[ithread], eax
}
return ithread;
}
從FS寄存器獲取當(dāng)前進(jìn)程ID
int GetProcessId()
{
int iProcess = 0;
_asm{
xor esi , esi
mov eax, fs:[esi+18h]
mov ecx, [eax+ 20h]
mov eax, [eax+ 24h]
mov dword ptr[iProcess ], ecx
}
return iProcess ;
}
原理:
1.fs:18h 地址指向線程環(huán)境塊_TEB
打開(kāi)windbg可以證明:
0:028> dd fs:18h L1
0053:00000018
7eeb80000:028> !teb
TEB at
7eeb8000 ExceptionList: 1f8ff15c
StackBase: 1f900000
StackLimit: 1f8fc000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7eeb8000
EnvironmentPointer: 00000000
ClientId: 00001a30 . 00001408
RpcHandle: 00000000
Tls Storage: 133d2718
PEB Address: 7efde000
LastErrorValue: 0
LastStatusValue: c0000302
Count Owned Locks: 0
HardErrorMode: 0
2. 在_TEB中找到線程ID和進(jìn)程ID
0:028> dt ntdll!_TEB
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : Ptr32 Void
+0x020 ClientId : _CLIENT_ID
0:028> dt ntdll!_CLIENT_ID
+0x000 UniqueProcess : Ptr32 Void >進(jìn)程ID
+0x004 UniqueThread : Ptr32 Void >線程ID
當(dāng)然從TEB又可以找到_PEB的地址,從_PEB里面可以獲取到更多的信息。暫且擱筆~~
posted on 2010-01-20 15:10
Only Soft 閱讀(3522)
評(píng)論(0) 編輯 收藏 引用 所屬分類(lèi):
Windbg