今天一直在撸,以及有点别的事,所幸晚上有点愧疚,还是抽出半个小时搞了一下。
本篇的课题是读取CPU寄存器的值,步骤如下:
1. CreateToolhelp32Snapshot:根据pid获取进程详细信息,如堆、线程、模块等,返回值为一个句柄
2. Thread32First:根据1中句柄获得一个指针,指向包含第一个线程信息的结构
3. Thread32Next:下一个线程的条目,结构跟first一样,通过这个可以写个while循环把进程里所有的线程全遍历出来
4. GetThreadContext获取寄存器的值
5. SetThreadContext改变寄存器的值
这里暂时不改变,只做1~4步。
用notepad ++做实验,结果如下:
Enter pid:75160
OpenProcess Successful, HANDLE 484
Press AnyKey to Continue ...
[*]DumpingregistersforthreadID:0x00016970
[**]EIP:0x75c5896c
[**]ESP:0x0013aec0
[**]EBP:0x0013aed8
[**]EAX:0x00000000
[**]EBX:0x0064be01
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x00027494
[**]EIP:0x77e66bfc
[**]ESP:0x081cf988
[**]EBP:0x081cf9f8
[**]EAX:0x00000000
[**]EBX:0x77be67a0
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x0001240c
[**]EIP:0x77e66bfc
[**]ESP:0x0844f9a8
[**]EBP:0x0844fa18
[**]EAX:0x00000000
[**]EBX:0x00000434
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x000137a4
[**]EIP:0x77e66f1c
[**]ESP:0x0a71fe8c
[**]EBP:0x0a71fef0
[**]EAX:0x00000000
[**]EBX:0x0a71fecc
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x00056ca4
[**]EIP:0x77e6876c
[**]ESP:0x0062fb34
[**]EBP:0x0062fcec
[**]EAX:0x00000000
[**]EBX:0x00678390
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x00058fe0
[**]EIP:0x77e6718c
[**]ESP:0x009ffa60
[**]EBP:0x009ffbf0
[**]EAX:0x00000244
[**]EBX:0x00000000
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x00006778
[**]EIP:0x77e6718c
[**]ESP:0x010ff6d4
[**]EBP:0x010ff864
[**]EAX:0x00000560
[**]EBX:0x00000000
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x000574dc
[**]EIP:0x77e6718c
[**]ESP:0x0329fb58
[**]EBP:0x0329fce8
[**]EAX:0x000005e0
[**]EBX:0x00000000
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x00057738
[**]EIP:0x77e6876c
[**]ESP:0x0382fb54
[**]EBP:0x0382fd0c
[**]EAX:0x00000000
[**]EBX:0x00677fe0
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x00057724
[**]EIP:0x77e6718c
[**]ESP:0x0399f5b0
[**]EBP:0x0399f740
[**]EAX:0x000005f8
[**]EBX:0x00000000
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*]DumpingregistersforthreadID:0x0000b8c0
[**]EIP:0x77e68f00
[**]ESP:0x0311f854
[**]EBP:0x00000000
[**]EAX:0x77e99d20
[**]EBX:0x00000000
[**]ECX:0x00000000
[**]EDX:0x00000000
[*]ENDDUMP
[*] Finished debugging. Exiting...
竟然有11个线程。
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
