Three ways to obtain a process or thread handle
1. From the process ID (PID), by calling the API functions:
HANDLE OpenProcess(
DWORD dwDesiredAccess, // access flag
BOOL bInheritHandle, // handle inheritance option
DWORD dwProcessId // process identifier
);
HANDLE OpenThread(
DWORD dwDesiredAccess, // access right
BOOL bInheritHandle, // handle inheritance option
DWORD dwThreadId // thread identifier
);
2. When creating a process, the PROCESS_INFORMATION structure filled in by CreateProcess carries the handles: hProcess is the new process's handle and hThread is the handle of its primary thread
BOOL CreateProcess(
LPCTSTR lpApplicationName, // name of executable module
LPTSTR lpCommandLine, // command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes, // SD
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
BOOL bInheritHandles, // handle inheritance option
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // new environment block
LPCTSTR lpCurrentDirectory,// current directory name
LPSTARTUPINFO lpStartupInfo,// startup information
LPPROCESS_INFORMATION lpProcessInformation // process information
);
typedef struct _PROCESS_INFORMATION {
HANDLE hProcess;
HANDLE hThread;
DWORD dwProcessId;
DWORD dwThreadId;
} PROCESS_INFORMATION;
2.1 When creating a process, two parameters are involved in handle inheritance:
(1) LPSECURITY_ATTRIBUTES lpProcessAttributes, // SD
The SD parameter describes the process object itself (process objects are generally called kernel objects); its attributes decide whether the handle to that object can be inherited. So at creation time you choose whether the handle of the created process carries the inherit attribute:
SECURITY_ATTRIBUTES sa = {0};   // the parameter is a pointer (LPSECURITY_ATTRIBUTES), so declare the structure itself and pass &sa
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = NULL; // default security descriptor
sa.bInheritHandle = TRUE;       // the handle returned for this object may be inherited
(2) BOOL bInheritHandles, // handle inheritance option
This flag decides whether the new process actually inherits the caller's inheritable kernel-object handles (those created with an inheritable SD); it is independent of the attributes of the kernel objects themselves.
bInheritHandles = TRUE;
3. Duplicate a process handle: copy the handle of a specified kernel object from one process into another
char szBuf[MAXBYTE] = {0};                 // full path of the executable to launch (must be filled in before the call)
SECURITY_ATTRIBUTES sa = {0};
sa.nLength = sizeof(sa);
sa.bInheritHandle = TRUE;                  // the returned process handle is inheritable
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si, 0, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);               // required by CreateProcess
memset(&pi, 0, sizeof(PROCESS_INFORMATION));
// create a child process
BOOL bRet = CreateProcess( szBuf,
NULL,
&sa,
NULL,
TRUE,                                      // bInheritHandles
0,                                         // dwCreationFlags is a DWORD, not a pointer
NULL,
NULL,
&si,
&pi);
// copy the parent's handle to the child into the child's own handle table
HANDLE pseudoHandle = GetCurrentProcess(); // pseudo-handle of the current (parent) process
HANDLE DupHandle;
bRet = DuplicateHandle(
pseudoHandle,        // source process: the one whose handle table holds the handle to copy
pi.hProcess,         // handle to copy; in the parent, pi.hProcess is the child's process handle
pi.hProcess,         // target process: whose handle table receives the copy (here, the child)
&DupHandle,          // result: a handle value that is valid only inside the target (child) process
0,
FALSE,
DUPLICATE_SAME_ACCESS);
// DupHandle indexes the child's table, so the parent has to hand its value to the child (e.g. on the command line) before the child can use it;
// pi.hThread and pi.hProcess are real handles in the parent and should be closed with CloseHandle when no longer needed
3.1 Pseudo-handle: all the handles of a process are represented as indexes into its handle table. Under the debugger you can see that the pseudo-handle's value is 0xFFFFFFFF (-1), i.e. (HANDLE)-1; this index of -1 always stands for the handle of the process itself.