我想获取系统中所有线程的基地址 - 我使用NtQueryInformationThread和ThreadQuerySetWin32StartAddress。它适用于系统中的大多数线程,但是对于其中的一小部分,我将0作为起始地址。
我在xp中测试它,我是管理员,我向自己添加了SeDebugPrivilege令牌,而我遇到问题的线程不是系统pid(不是pid 0或4)
DWORD myThreadID = 996
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, TRUE, myThreadID);
OpenThread成功,hThread不为null;
typedef NTSTATUS (WINAPI *pNtQIT)(HANDLE, LONG, PVOID, ULONG, PULONG);
#define ThreadQuerySetWin32StartAddress 9
pNtQIT NtQueryInformationThread = (pNtQIT)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationThread");
PVOID dwStartAddress;
NTSTATUS ntStatus = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &dwStartAddress, sizeof(DWORD), NULL);
NtQueryInformationThread()成功,ntStatus == 0,但dwStartAddress也是0,
有什么想法吗?