I want to use NtQueryInformationThread to get a thread's start address, but I need to add its library. How can I do that?
Answer 0: (score: 5)
I prefer adding ntdll.lib (you can find it in the Windows DDK/WDK) to the project. In that case you don't need GetProcAddress.
Answer 1: (score: 4)
I use NtQueryInformationThread without needing to load ntdll (it seems to me it is loaded automatically). I just had to prepare a special header file with contents like this: http://pastebin.com/ieEqR0eL and include it in my project. After that I was able to do something like this:
#include <windows.h>
#include <winternl.h>   // NTSTATUS
// THREAD_BASIC_INFORMATION is not in the public SDK headers; this is the layout the linked header provides.
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus; PVOID TebBaseAddress;
    HANDLE UniqueProcess, UniqueThread;   // CLIENT_ID ClientId
    KAFFINITY AffinityMask; LONG Priority; LONG BasePriority;
} THREAD_BASIC_INFORMATION;
typedef NTSTATUS (WINAPI *NQIT)(HANDLE, LONG, PVOID, ULONG, PULONG);

// Reads TEB fields of a thread in the current process. The raw dereferences below only work
// in-process (use ReadProcessMemory for another process) and use the 32-bit (x86) TEB layout.
bool GetThreadStackRange(DWORD threadId, DWORD &tebAddress, DWORD &stackBase, DWORD &stackLimit)
{
    /* Open thread (THREAD_QUERY_INFORMATION is sufficient; THREAD_ALL_ACCESS is more than needed) */
    HANDLE thread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, threadId);
    if (thread == NULL) return false;
    /* Get the address of NtQueryInformationThread; ntdll.dll is already loaded in every process. */
    NQIT pNtQueryInformationThread = (NQIT)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationThread");
    if (pNtQueryInformationThread == NULL) { CloseHandle(thread); return false; }
    /* Get basic thread information (info class 0 = ThreadBasicInformation) */
    THREAD_BASIC_INFORMATION basicInfo;
    NTSTATUS status = pNtQueryInformationThread(thread, 0, &basicInfo, sizeof(basicInfo), NULL);
    CloseHandle(thread);
    if (status < 0) return false;   // NT_SUCCESS: non-negative NTSTATUS
    /* Get address of the Thread Environment Block, then the PEB pointer and stack range from it */
    tebAddress = (DWORD)basicInfo.TebBaseAddress;
    DWORD pebAddress = *((DWORD*)(tebAddress + 0x30));  // TEB->ProcessEnvironmentBlock
    stackBase  = *((DWORD*)(tebAddress + 4));           // TEB->NtTib.StackBase
    stackLimit = *((DWORD*)(tebAddress + 8));           // TEB->NtTib.StackLimit
    (void)pebAddress;  // kept from the original snippet; unused here
    return true;
}
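As an added example (not code from either answer), here is the query the question actually asks about: info class 9 (ThreadQuerySetWin32StartAddress) returns a thread's Win32 start address. It is used the way a defender would: every thread of the current process is checked against the Toolhelp module list, and a start address that falls inside no loaded module is flagged, the usual sign of injected code. The helper names are this example's own; addr_in_modules is portable and the Windows-only part is guarded by _WIN32.

```c
/* Added example, not from the original answers. */
#include <stdint.h>
#include <stdio.h>
/* A loaded module's address range; filled from Toolhelp on Windows. */
typedef struct { uintptr_t base; size_t size; } ModRange;
/* Returns 1 if addr lies inside one of the n module ranges, 0 otherwise. */
int addr_in_modules(uintptr_t addr, const ModRange *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return 1;
    return 0;
}
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
typedef LONG (WINAPI *NQIT_t)(HANDLE, LONG, PVOID, ULONG, PULONG);
#define THREAD_QUERY_SET_WIN32_START_ADDRESS 9  /* THREADINFOCLASS ThreadQuerySetWin32StartAddress */
/* Snapshot the current process's modules into mods (at most cap entries). */
static size_t load_modules(ModRange *mods, size_t cap) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
    MODULEENTRY32 me; me.dwSize = sizeof(me);
    size_t n = 0;
    if (snap == INVALID_HANDLE_VALUE) return 0;
    for (BOOL ok = Module32First(snap, &me); ok && n < cap; ok = Module32Next(snap, &me)) {
        mods[n].base = (uintptr_t)me.modBaseAddr; mods[n].size = me.modBaseSize; n++;
    }
    CloseHandle(snap);
    return n;
}
int main(void) {
    ModRange mods[256];
    size_t n = load_modules(mods, 256);
    NQIT_t pNtQIT = (NQIT_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread");
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te; te.dwSize = sizeof(te);
    if (!pNtQIT || snap == INVALID_HANDLE_VALUE) return 1;
    for (BOOL ok = Thread32First(snap, &te); ok; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != GetCurrentProcessId()) continue;
        HANDLE h = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID);
        PVOID start = NULL;
        /* Non-negative NTSTATUS means success; start then holds the Win32 start address. */
        if (h && pNtQIT(h, THREAD_QUERY_SET_WIN32_START_ADDRESS, &start, sizeof(start), NULL) >= 0)
            printf("tid %lu start %p %s\n", te.th32ThreadID, start,
                   addr_in_modules((uintptr_t)start, mods, n) ? "module-backed" : "NOT module-backed");
        if (h) CloseHandle(h);
    }
    CloseHandle(snap);
    return 0;
}
#endif
```

A thread reported as NOT module-backed is worth a closer look (for example a dump of the memory region around its start address), but a JIT or a legitimately trampolined start can also show up this way.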