Posted on 2013-03-14 10:38
宋鵬 閱讀(1176)
評論(1) 編輯 收藏 引用
在一個線程出現異常行為時,比如說CPU占用率過高,拋出異常等,你一定想知道這個線程是由哪個模塊創建的。因此無論在哪個操作系統上,獲取線程名稱是診斷線程相關問題的重要一步。
從線程ID獲取線程名稱通常的方法是,先獲取該線程的入口地址,然后枚舉進程內所有已加載模塊,最后判斷線程入口地址落在哪個加載模塊范圍內。枚舉進程內已加載模塊可用Win32標準的CreateToolhelp32Snapshot/Module32First/Module32Next系列ToolHelp API得到。獲取線程入口地址則沒有線程的Win32 API可用。不過在Windows NT based操作系統上(包括Windows NT 4.0/2000/XP/2003,等),有一個未公開的Native API可用:NtQueryInformationThread。其聲明如下:
DWORD WINAPI NtQueryInformationThread(
HANDLE ThreadHandle,
THREAD_INFORMATION_CLASS ThreadInformationClass,
PVOID ThreadInformation,
ULONG ThreadInformationLength,
PULONG ReturnLength
);
獲取線程入口地址可用:
DWORD GetThreadStartAddress(DWORD dwThreadId)
...{
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, dwThreadId);
DWORD retaddr, len, error;
retaddr = len = 0;
error = NtQueryInformationThread( hThread, 9, &retaddr, sizeof(retaddr), &len );
CloseHandle(hThread);
if( error != 0 )
retaddr = 0;
return retaddr;
} 在Windows CE上就沒這么幸運了,沒有任何現成的API可用。官方Windows CE Base Team的
blog對
這個問題的回答是可以用Remote Kernel Tracker,不過這需要你build一個特殊的kernel image,enable一些profiler功能-這在顯示的問題診斷中顯然是不實際的。那么有沒有辦法不需要什么特殊的配置就可像Windows桌面操作系統那樣獲得入口地址呢?有是有的,不過需要一些hack手段。仔細研究CE下的Thread內核數據結構,就會發現Thread結構中有一項是記錄線程入口地址的。
typedef struct Thread ...{
DWORD _1[3];
PPROCESS pProc; /**//* 0C: pointer to current process */
PPROCESS pOwnerProc; /**//* 10: pointer to owner process */
DWORD _2[18];
DWORD dwStartAddr; /**//* 5c: thread PC at creation, used to get thread name */
DWORD _3[10];
}THREAD, *PTHREAD; /**//* Thread */
因此要做的就是想辦法根據線程ID或handle得到這個數據。再研究,發現線程的Thread內核數據結構可通過句柄得到:
PTHREAD pTh = HandleToThread(ThreadHandle); 而且,在Windows CE下,線程ID和其handle的值是一樣的!!因此我們可以寫一個這樣的函數從線程ID拿到入口地址:
DWORD GetThreadStartAddress(DWORD dwThreadId)
...{
DWORD dwStartAddress = 0;
BOOL fOldMode = SetKMode(TRUE);
PTHREAD pTh = HandleToThread((HANDLE)dwThreadId);
if (pTh)
...{
dwStartAddress = (DWORD)MapPtrToProcess((LPVOID)pTh->dwStartAddr, pTh->pOwnerProc->hProc);
}
return dwStartAddress;
} 為了使用這些內核數據結構,我們還需要另外一些輔助結構和函數,比較完整的代碼如下。當然,官方肯定是不建議這么做的,但是重要的是解決問題,你說呢。
typedef struct Process ...{
DWORD _1[2];
HANDLE hProc; /**//* 08: handle for this process, needed only for SC_GetProcFromPtr */
}PROCESS, *PPROCESS;
typedef struct Thread ...{
DWORD _1[3];
PPROCESS pProc; /**//* 0C: pointer to current process */
PPROCESS pOwnerProc; /**//* 10: pointer to owner process */
DWORD _2[18];
DWORD dwStartAddr; /**//* 5c: thread PC at creation, used to get thread name */
DWORD _3[10];
}THREAD, *PTHREAD; /**//* Thread */
typedef struct cinfo ...{
char acName[4]; /**//* 00: object type ID string */
uchar disp; /**//* 04: type of dispatch */
uchar type; /**//* 05: api handle type */
ushort cMethods; /**//* 06: # of methods in dispatch table */
const PFNVOID *ppfnMethods;/**//* 08: ptr to array of methods (in server address space) */
const DWORD *pdwSig; /**//* 0C: ptr to array of method signatures */
PPROCESS pServer; /**//* 10: ptr to server process */
} CINFO; /**//* cinfo */
typedef CINFO *PCINFO;
typedef struct _HDATA HDATA, *PHDATA;
struct _HDATA ...{
DWORD _1[2]; /**//* 00: links for active handle list */
HANDLE hValue; /**//* 08: Current value of handle (nonce) */
DWORD lock; /**//* 0C: access information */
DWORD ref; /**//* 10: reference information */
const CINFO *pci; /**//* 14: ptr to object class description structure */
PVOID pvObj; /**//* 18: ptr to object */
DWORD dwInfo; /**//* 1C: extra handle info */
}; /**//* 20: sizeof(HDATA) */
#ifdef x86
struct KDataStruct ...{
LPDWORD lpvTls; /**//* 0x000 Current thread local storage pointer */
HANDLE ahSys[NUM_SYS_HANDLES]; /**//* 0x004 If this moves, change kapi.h */
DWORD _1[4];
ulong handleBase; /**//* 0x094 base address of handle table */
}; /**//* KDataStruct */
#endif
#ifdef ARM
struct KDataStruct ...{
LPDWORD lpvTls; /**//* 0x000 Current thread local storage pointer */
HANDLE ahSys[NUM_SYS_HANDLES]; /**//* 0x004 If this moves, change kapi.h */
DWORD _1[6];
ulong handleBase; /**//* 0x09c handle table base address */
}; /**//* KDataStruct */
#endif
#define HandleToThread(h) ((THREAD *)GetObjectPtrByType((h),SH_CURTHREAD))
#define HANDLE_ADDRESS_MASK 0x1ffffffc
void h2p(HANDLE h, PHDATA& phdRet)
...{
if ((ulong)h < NUM_SYS_HANDLES+SYS_HANDLE_BASE && (ulong)h >= SYS_HANDLE_BASE)
h = ((KDataStruct*)PUserKData)->ahSys[(uint)h-SYS_HANDLE_BASE];
if (h)
...{
phdRet = (PHDATA)(((ulong)h & HANDLE_ADDRESS_MASK) + ((KDataStruct*)PUserKData)->handleBase);
if (phdRet->hValue != h)
phdRet = 0;
}
else
phdRet = 0;
}
PVOID GetObjectPtrByType(HANDLE h, int type)
...{
PHDATA phd;
h2p(h, phd);
return (phd && phd->pci && phd->pci->type==type) ? phd->pvObj : 0;
}
extern "C" LPVOID WINAPI MapPtrToProcess(LPVOID lpv, HANDLE hProc);
extern "C" BOOL WINAPI SetKMode(BOOL fMode);
DWORD GetThreadStartAddress(DWORD dwThreadId)
...{
DWORD dwStartAddress = 0;
BOOL fOldMode = SetKMode(TRUE);
PTHREAD pTh = HandleToThread((HANDLE)dwThreadId);
if (pTh)
...{
dwStartAddress = (DWORD)MapPtrToProcess((LPVOID)pTh->dwStartAddr, pTh->pOwnerProc->hProc);
}
return dwStartAddress;
}