线程的创建过程

最新推荐文章于 2022-12-06 19:36:48 发布
最新推荐文章于 2022-12-06 19:36:48 发布
阅读量532 收藏
点赞数
原文链接:http://www.cnblogs.com/testvt/p/5677073.html
版权

    由于这两天在研究调试机制,所以记录下被调试线程的创建过程,如果哪里有遗漏,以后会再补充

   线程创建过程分为两部分:

   第一部分: CreateThread->NtCreateThread->PspCreateThread->KeInitThread->KiInitializeContextThread->KiThreadStartUp

     第二部分:KiThreadStartUp->PspUserThreadStartup->DbgkCreateThread

 

 PspCreateThread: This routine creates and initializes a thread object. It implements the foundation for NtCreateThread and for PsCreateSystemThread.

  KeInitThread:    This function initializes a thread object. The priority, affinity, and initial quantum are taken from the parent process object.

  KiInitializeContextThread: This function initializes the machine dependent context of a thread object.

  KiThreadStartUp:

    ; This routine is called at thread startup. Its function is to call the
    ; initial thread procedure. If control returns from the initial thread
    ; procedure and a user mode context was established when the thread
    ; was initialized, then the user mode context is restored and control
    ; is transferred to user mode. Otherwise a bugcheck will occur.

 

调试过程:DbgkCreateThread->DbgkpSendApiMessage(按需挂起线程)->DbgkpQueueMessage(内核事件唤醒,设置DEBUG_EVENT结构)

 

 

//创建线程或者进程信息

VOID
DbgkCreateThread(
    PETHREAD Thread,
    PVOID StartAddress
    )

/*++

Routine Description:

    This function is called when a new thread begins to execute. If the
    thread has an associated DebugPort, then a message is sent thru the
    port.

    If this thread is the first thread in the process, then this event
    is translated into a CreateProcessInfo message.

    If a message is sent, then while the thread is awaiting a reply,
    all other threads in the process are suspended.

Arguments:

    Thread - New thread just being started

    StartAddress - Supplies the start address for the thread that is
        starting.

Return Value:

    None.

--*/

{
    PVOID Port;
    DBGKM_APIMSG m;
    PDBGKM_CREATE_THREAD CreateThreadArgs;
    PDBGKM_CREATE_PROCESS CreateProcessArgs;
    PEPROCESS Process;
    PDBGKM_LOAD_DLL LoadDllArgs;
    NTSTATUS Status;
    OBJECT_ATTRIBUTES Obja;
    IO_STATUS_BLOCK IoStatusBlock;
    PIMAGE_NT_HEADERS NtHeaders;
    PTEB Teb;
    ULONG OldFlags;
#if defined(_WIN64)
    PVOID Wow64Process;
#endif

    PAGED_CODE();

    Process = PsGetCurrentProcessByThread (Thread);

#if defined(_WIN64)
    Wow64Process = Process->Wow64Process;
#endif

    OldFlags = PS_TEST_SET_BITS (&Process->Flags, PS_PROCESS_FLAGS_CREATE_REPORTED|PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE);

    if ((OldFlags&PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE) == 0 && PsImageNotifyEnabled) {
        IMAGE_INFO ImageInfo;
        UNICODE_STRING UnicodeFileName;
        POBJECT_NAME_INFORMATION FileNameInfo;

        //
        // notification of main .exe
        //
        ImageInfo.Properties = 0;
        ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
        ImageInfo.ImageBase = Process->SectionBaseAddress;
        ImageInfo.ImageSize = 0;

        try {
            NtHeaders = RtlImageNtHeader (Process->SectionBaseAddress);
    
            if (NtHeaders) {
#if defined(_WIN64)
                if (Wow64Process != NULL) {
                    ImageInfo.ImageSize = DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER ((PIMAGE_NT_HEADERS32)NtHeaders, SizeOfImage);
                } else {
#endif
                    ImageInfo.ImageSize = DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER (NtHeaders, SizeOfImage);
#if defined(_WIN64)
                }
#endif
            }
        } except (EXCEPTION_EXECUTE_HANDLER) {
            ImageInfo.ImageSize = 0;
        }
        ImageInfo.ImageSelector = 0;
        ImageInfo.ImageSectionNumber = 0;

        Status = MmGetFileNameForSection (Process->SectionObject, &FileNameInfo);
        if (FileNameInfo != NULL) {
            PsCallImageNotifyRoutines (&FileNameInfo->Name,
                                       Process->UniqueProcessId,
                                       &ImageInfo);
            ExFreePool (FileNameInfo);
        } else {
            PsCallImageNotifyRoutines (NULL,
                                       Process->UniqueProcessId,
                                       &ImageInfo);
        }

        //
        // and of ntdll.dll
        //
        ImageInfo.Properties = 0;
        ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
        ImageInfo.ImageBase = PsSystemDllBase;
        ImageInfo.ImageSize = 0;

        try {
            NtHeaders = RtlImageNtHeader (PsSystemDllBase);
            if ( NtHeaders ) {
#if defined(_WIN64)
                if (Wow64Process != NULL) {
                    ImageInfo.ImageSize = DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER ((PIMAGE_NT_HEADERS32)NtHeaders, SizeOfImage);
                } else {
#endif
                    ImageInfo.ImageSize = DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER (NtHeaders, SizeOfImage);
#if defined(_WIN64)
                }
#endif
            }
        } except(EXCEPTION_EXECUTE_HANDLER) {
            ImageInfo.ImageSize = 0;
        }

        ImageInfo.ImageSelector = 0;
        ImageInfo.ImageSectionNumber = 0;

        RtlInitUnicodeString (&UnicodeFileName,
                              L"\\SystemRoot\\System32\\ntdll.dll");
        PsCallImageNotifyRoutines (&UnicodeFileName,
                                   Process->UniqueProcessId,
                                   &ImageInfo);
    }


    Port = Process->DebugPort;

    if (Port == NULL) {
        return;
    }

    //
    // Make sure we only get one create process message
    //

    if ((OldFlags&PS_PROCESS_FLAGS_CREATE_REPORTED) == 0) {

        //
        // This is a create process
        //

        CreateThreadArgs = &m.u.CreateProcessInfo.InitialThread;
        CreateThreadArgs->SubSystemKey = 0;

        CreateProcessArgs = &m.u.CreateProcessInfo;
        CreateProcessArgs->SubSystemKey = 0;
        CreateProcessArgs->FileHandle = DbgkpSectionToFileHandle(
                                            Process->SectionObject
                                            );
        CreateProcessArgs->BaseOfImage = Process->SectionBaseAddress;
        CreateThreadArgs->StartAddress = NULL;
        CreateProcessArgs->DebugInfoFileOffset = 0;
        CreateProcessArgs->DebugInfoSize = 0;

        try {
                        
            NtHeaders = RtlImageNtHeader(Process->SectionBaseAddress);

            if ( NtHeaders ) {

#if defined(_WIN64)
                if (Wow64Process != NULL) {
                    CreateThreadArgs->StartAddress = UlongToPtr (DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER ((PIMAGE_NT_HEADERS32)NtHeaders, ImageBase) +
                        DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER ((PIMAGE_NT_HEADERS32)NtHeaders, AddressOfEntryPoint));
                } else {
#endif
                    CreateThreadArgs->StartAddress = (PVOID) (DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER (NtHeaders, ImageBase) +
                        DBGKP_FIELD_FROM_IMAGE_OPTIONAL_HEADER (NtHeaders, AddressOfEntryPoint));
#if defined(_WIN64)
                }
#endif

                //
                // The following fields are safe for Wow64 as the offsets
                // are the same for a PE32+ as a PE32 header.
                //
                
                CreateProcessArgs->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
                CreateProcessArgs->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
            }
        } except (EXCEPTION_EXECUTE_HANDLER) {
            CreateThreadArgs->StartAddress = NULL;
            CreateProcessArgs->DebugInfoFileOffset = 0;
            CreateProcessArgs->DebugInfoSize = 0;
        }

        DBGKM_FORMAT_API_MSG(m,DbgKmCreateProcessApi,sizeof(*CreateProcessArgs));

        DbgkpSendApiMessage(&m,FALSE);

        if (CreateProcessArgs->FileHandle != NULL) {
            ObCloseHandle(CreateProcessArgs->FileHandle, KernelMode);
        }

        LoadDllArgs = &m.u.LoadDll;
        LoadDllArgs->BaseOfDll = PsSystemDllBase;
        LoadDllArgs->DebugInfoFileOffset = 0;
        LoadDllArgs->DebugInfoSize = 0;
        LoadDllArgs->NamePointer = NULL;

        Teb = NULL;
        try {
            NtHeaders = RtlImageNtHeader(PsSystemDllBase);
            if ( NtHeaders ) {
                LoadDllArgs->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
                LoadDllArgs->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
            }

            //
            // Normaly the ntdll loaded fills in this pointer for the debug API's. We fake it here
            // as ntdll isn't loaded yet and it can't load itself.
            //

            Teb = Thread->Tcb.Teb;
            if (Teb != NULL) {
                wcsncpy (Teb->StaticUnicodeBuffer,
                         L"ntdll.dll",
                         sizeof (Teb->StaticUnicodeBuffer) / sizeof (Teb->StaticUnicodeBuffer[0]));
                Teb->NtTib.ArbitraryUserPointer = Teb->StaticUnicodeBuffer;
                LoadDllArgs->NamePointer = &Teb->NtTib.ArbitraryUserPointer;
            }
            
        } except (EXCEPTION_EXECUTE_HANDLER) {
            LoadDllArgs->DebugInfoFileOffset = 0;
            LoadDllArgs->DebugInfoSize = 0;
            LoadDllArgs->NamePointer = NULL;
        }

        //
        // Send load dll section for NT dll !
        //

        InitializeObjectAttributes(
            &Obja,
            (PUNICODE_STRING)&PsNtDllPathName,
            OBJ_CASE_INSENSITIVE | OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE,
            NULL,
            NULL
            );

        Status = ZwOpenFile(
                    &LoadDllArgs->FileHandle,
                    (ACCESS_MASK)(GENERIC_READ | SYNCHRONIZE),
                    &Obja,
                    &IoStatusBlock,
                    FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
                    FILE_SYNCHRONOUS_IO_NONALERT
                    );

        if (!NT_SUCCESS (Status)) {
            LoadDllArgs->FileHandle = NULL;
        }

        DBGKM_FORMAT_API_MSG(m,DbgKmLoadDllApi,sizeof(*LoadDllArgs));
        DbgkpSendApiMessage(&m,TRUE);

        if (LoadDllArgs->FileHandle != NULL) {
            ObCloseHandle(LoadDllArgs->FileHandle, KernelMode);
        }

        try {
            if (Teb != NULL) {
                Teb->NtTib.ArbitraryUserPointer = NULL;
            }
        } except (EXCEPTION_EXECUTE_HANDLER) {
        }

    } else {

        CreateThreadArgs = &m.u.CreateThread;
        CreateThreadArgs->SubSystemKey = 0;
        CreateThreadArgs->StartAddress = StartAddress;

        DBGKM_FORMAT_API_MSG (m,DbgKmCreateThreadApi,sizeof(*CreateThreadArgs));

        DbgkpSendApiMessage (&m,TRUE);
    }
}


//退出线程信息
VOID
DbgkExitThread(
    NTSTATUS ExitStatus
    )

/*++

Routine Description:

    This function is called when a new thread terminates. At this
    point, the thread will no longer execute in user-mode. No other
    exit processing has occured.

    If a message is sent, then while the thread is awaiting a reply,
    all other threads in the process are suspended.

Arguments:

    ExitStatus - Supplies the ExitStatus of the exiting thread.

Return Value:

    None.

--*/

{
    PVOID Port;
    DBGKM_APIMSG m;
    PDBGKM_EXIT_THREAD args;
    PEPROCESS Process;
    BOOLEAN Frozen;

    PAGED_CODE();

    Process = PsGetCurrentProcess();
    if (PsGetCurrentThread()->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_HIDEFROMDBG) {
        Port = NULL;
    } else {
        Port = Process->DebugPort;
    }

    if ( !Port ) {
        return;
    }

    if (PsGetCurrentThread()->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_DEADTHREAD) {
        return;
    }

    args = &m.u.ExitThread;
    args->ExitStatus = ExitStatus;

    DBGKM_FORMAT_API_MSG(m,DbgKmExitThreadApi,sizeof(*args));

    Frozen = DbgkpSuspendProcess();

    DbgkpSendApiMessage(&m,FALSE);

    if (Frozen) {
        DbgkpResumeProcess();
    }
}

//退出进程信息
VOID
DbgkExitProcess(
    NTSTATUS ExitStatus
    )

/*++

Routine Description:

    This function is called when a process terminates. The address
    space of the process is still intact, but no threads exist in
    the process.

Arguments:

    ExitStatus - Supplies the ExitStatus of the exiting process.

Return Value:

    None.

--*/

{
    PVOID Port;
    DBGKM_APIMSG m;
    PDBGKM_EXIT_PROCESS args;
    PEPROCESS Process;

    PAGED_CODE();

    Process = PsGetCurrentProcess();

    if (PsGetCurrentThread()->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_HIDEFROMDBG) {
        Port = NULL;
    } else {
        Port = Process->DebugPort;
    }

    if ( !Port ) {
        return;
    }

    if (PsGetCurrentThread()->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_DEADTHREAD) {
        return;
    }

    //
    // this ensures that other timed lockers of the process will bail
    // since this call is done while holding the process lock, and lock duration
    // is controlled by debugger
    //
    KeQuerySystemTime(&Process->ExitTime);

    args = &m.u.ExitProcess;
    args->ExitStatus = ExitStatus;

    DBGKM_FORMAT_API_MSG(m,DbgKmExitProcessApi,sizeof(*args));

    DbgkpSendApiMessage(&m,FALSE);

}

//加载DLL信息
VOID
DbgkMapViewOfSection(
    IN PVOID SectionObject,
    IN PVOID BaseAddress,
    IN ULONG SectionOffset,
    IN ULONG_PTR ViewSize
    )

/*++

Routine Description:

    This function is called when the current process successfully
    maps a view of an image section. If the process has an associated
    debug port, then a load dll message is sent.

Arguments:

    SectionObject - Supplies a pointer to the section mapped by the
        process.

    BaseAddress - Supplies the base address of where the section is
        mapped in the current process address space.

    SectionOffset - Supplies the offset in the section where the
        process' mapped view begins.

    ViewSize - Supplies the size of the mapped view.

Return Value:

    None.

--*/

{

    PVOID Port;
    DBGKM_APIMSG m;
    PDBGKM_LOAD_DLL LoadDllArgs;
    PEPROCESS Process;
    PIMAGE_NT_HEADERS NtHeaders;

    PAGED_CODE();

    UNREFERENCED_PARAMETER (SectionOffset);
    UNREFERENCED_PARAMETER (ViewSize);

    if ( KeGetPreviousMode() == KernelMode ) {
        return;
    }

    Process = PsGetCurrentProcess();

    if (PsGetCurrentThread()->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_HIDEFROMDBG) {
        Port = NULL;
    } else {
        Port = Process->DebugPort;
    }

    if ( !Port ) {
        return;
    }

    LoadDllArgs = &m.u.LoadDll;
    LoadDllArgs->FileHandle = DbgkpSectionToFileHandle(SectionObject);
    LoadDllArgs->BaseOfDll = BaseAddress;
    LoadDllArgs->DebugInfoFileOffset = 0;
    LoadDllArgs->DebugInfoSize = 0;

    //
    // The loader fills in the module name in this pointer before mapping
    // the section.  It's a very poor linkage.
    //

    LoadDllArgs->NamePointer = &NtCurrentTeb()->NtTib.ArbitraryUserPointer;

    try {

        NtHeaders = RtlImageNtHeader (BaseAddress);

        if (NtHeaders != NULL) {
            LoadDllArgs->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
            LoadDllArgs->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
        }

    } except (EXCEPTION_EXECUTE_HANDLER) {

        LoadDllArgs->DebugInfoFileOffset = 0;
        LoadDllArgs->DebugInfoSize = 0;
        LoadDllArgs->NamePointer = NULL;

    }

    DBGKM_FORMAT_API_MSG(m,DbgKmLoadDllApi,sizeof(*LoadDllArgs));

    DbgkpSendApiMessage(&m,TRUE);
    if (LoadDllArgs->FileHandle != NULL) {
        ObCloseHandle(LoadDllArgs->FileHandle, KernelMode);
    }
}

//卸载DLL信息
VOID
DbgkUnMapViewOfSection(
    IN PVOID BaseAddress
    )

/*++

Routine Description:

    This function is called when the current process successfully
    un maps a view of an image section. If the process has an associated
    debug port, then an "unmap view of section" message is sent.

Arguments:

    BaseAddress - Supplies the base address of the section being unmapped.

Return Value:

    None.

--*/

{

    PVOID Port;
    DBGKM_APIMSG m;
    PDBGKM_UNLOAD_DLL UnloadDllArgs;

    PAGED_CODE();

    if ( KeGetPreviousMode() == KernelMode ) {
        return;
    }

    if (PsGetCurrentThread()->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_HIDEFROMDBG) {
        Port = NULL;
    } else {
        Port = PsGetCurrentProcess()->DebugPort;
    }

    if ( !Port ) {
        return;
    }

    UnloadDllArgs = &m.u.UnloadDll;
    UnloadDllArgs->BaseAddress = BaseAddress;

    DBGKM_FORMAT_API_MSG(m,DbgKmUnloadDllApi,sizeof(*UnloadDllArgs));

    DbgkpSendApiMessage(&m,TRUE);
}

 

  

 

转载于:https://www.cnblogs.com/testvt/p/5677073.html

weixin_30916125
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
执行体线程--ETHREAD
BpLife
12-09 2608
typedef struct _ETHREAD { KTHREAD Tcb;//内嵌了KTHREAD对象作为第一个数据成员 LARGE_INTEGER CreateTime;//包含了线程创建时间,他是在线程创建时被赋值的。 union { LARGE_INTEGER ExitTime;//包含了线程的退出时间, LIST_ENTRY L
进程防结束之PS_CROSS_THREAD_FLAGS_SYSTEM
求索
02-03 1835
有人投到黑防去了,不过黑防不厚道,竟然没给完整的代码,自己整理一份备用吧,驱网、DebugMan、邪八的那群人直接飘过吧。 这种方法的关键在于给线程的ETHREAD.CrossThreadFlags设置PS_CROSS_THREAD_FLAGS_SYSTEM值,这样其它进程就无法结束它了,包括IceSword、RkU。至于原理,那就先看看wrk里结束进程的那几个内核函数源码,NtTerminat
线程创建过程
一蓑烟雨任平生
09-23 1510
用户态创建线程 无论是进程还是线程,在内核里面都是任务,管起来不是都一样吗?但是问题来了,如果两个完全一样,那为什么咱们前两节写的程序差别那么大?如果不一样,那怎么在内核里面加以区分呢? 其实,线程不是一个完全由内核实现的机制,它是由内核态和用户态合作完成的。pthread_create 不是一个系统调用,是 Glibc 库的一个函数,所以我们还要去 Glibc 里面去找线索。 果然,我们在 nptl/pthread_create.c 里面找到了这个函数。这里的参数我们应该比较熟悉了。 n...
创建线程的步骤
m0_69844718的博客
12-06 223
1、定义类实现Runnable接口。2、覆盖接口中的run方法。。3、创建Thread类的对象4、将Runnable接口的子类对象作为参数传递给Thread类的构造函数。5、调用Thread类的start方法开启线程
线程创建
hdughy的博客
08-27 257
线程创建和启用: 创建线程的方法: 1、继承ThreadThread类的特性: 1、每个线程都是通过某个特定Thread对象的run()方法来完成操作的,经常把run()方法的主体称为线程体。 2、通过该Thread对象的start()方法来启动这个线程,而非直接调用run()。 步骤: 1、定义子线程类继承Thread类。 2、子线程类中重写Thread类中的run方法。 3、创建Thread线程类对象。 4、调用子线程对象start方法:①启动新线程;②调用当前线程r.
python程序 创建线程过程详解
09-18
本文将深入探讨如何在Python程序中创建线程,以及线程模块的选择和使用。 首先,Python提供两个主要的线程模块:`thread`和`threading`。`thread`模块是最基础的,它提供了线程和锁的基本支持,但功能相对有限。...
易语言创建线程
07-23
9. **线程池**:线程池是一种优化线程创建和销毁开销的技术,预先创建一组线程,当需要时从中分配,用完后归还。易语言可能通过封装系统API实现线程池功能。 在学习和应用易语言创建线程过程中,理解这些基本概念...
android使用handlerthread创建线程示例
09-04
1. 提供了内置的`Looper`,简化了线程与主线程通信的过程。 2. 可以更好地管理线程生命周期,避免无限制地创建匿名线程。 3. 允许在子线程中进行长时间运行的操作,而不阻塞主线程,提高用户体验。 总之,`...
易语言创建线程
07-20
"启动类线程"是创建并运行类线程过程。在易语言中,通常会定义一个类,然后在类中实现线程函数。当调用启动类线程的函数或方法时,易语言会创建一个新的线程实例,并在该线程上执行类中定义的线程函数。 "关闭类...
driver_thread.zip_驱动创建线程
09-19
让我们深入探讨一下驱动程序中的线程创建以及相关知识点。 驱动程序创建线程的主要目的是为了实现异步操作,即在执行I/O操作时,不阻塞系统调用,提高系统的响应速度。线程可以独立于驱动程序的主要执行流运行,...
关于Windows创建进程的过程
aijuzhou1959的博客
03-11 678
之前有听到别人的面试题是问系统创建进程的具体过程是什么,首先想到的是CreateProcess,但是对于具体过程却不是很清楚,今天整理一下。 从操作系统的角度来说 创建进程步骤: 1.申请进程块 2.为进程分配内存资源 3.初始化进程块 4.将进程块链入就绪队列 课本上的知识。。。 从CreateProce...
线程创建方式
weixin_46760166的博客
09-19 8884
1、继承 Tread类, 重写 run方法2、实现 Runnable接口,实现 run方法3、实现 Callable接口,实现 call方法,该方式可以获取线程的执行结果。
线程创建方式的三种方式
页页的博客
03-02 1110
三种线程创建方式 继承Thread类重写run方法:需要调用start方法就绪 实现Runnable接口的run方法 使用Callable和Future创建线程 继承Thread类重写run方法 过程创建实例,此时该线程未被启动执行。 调用该实例的start方法启动线程,达到就绪状态(已经获取了除CPU资源的其他资源),等待获取CPU资源才会处于运行状态。 run方法执行完毕,线程处于终止状态。 优势,劣势: 线程创建方式 过程 优势 劣势 继承Thread类重写run方法 1)
TEB(线程环境块)学习
weixin_44156885的博客
09-11 5048
文章目录TEBTEB结构中的两个重要成员NtTib成员PEB成员PEB.BeingDebuggedPEB.ImageBaseAddressPEB.LdrPEB.ProcessHeap & PEB.NtGolbalFlag TEB TEB结构中的两个重要成员 +0x000 NtTib :_NT_TIB . . . +0x30 ProcessEnvironmentBlock ...
创建线程的七种方法 (图解 全网最全最详细)
Xiang想
05-14 3104
1、继承Thread;2、实现Runnable;3、实现Callable接口;4、创建线程池;5、Timer定时器;6、Lambda jdk1.8新特性Stream流之并行流;7、Spring实现多线程
利用ObRegisterCallbacks保护进程并附上突破ObRegisterCallbacks的方法[未更新]
zhuhuibeishadiao
05-02 9208
写上未更新的原因是我觉得 当初写这篇文章的时候理解的还是不够彻底,现在又了新的认识,待老夫有时间的时候在来重写一次 这里附上新的突破方法 我已经我写的时候已经写上了 今天发到博客的时候才发现没写,来补上 可以看我发到梦老大论坛的帖子,直接看第三种方法就行,前面两种我都服了,这样获取对象类型,太年轻啊 http://www.mengwuji.net/forum.php?mod=viewthr
创建线程的四种方法
m0_64886876的博客
08-24 249
java创建线程的四种方式
ObReferenceObjectByHandle内核函数
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
05-07 1499
大槪就是看这个句柄是当前进程的句柄还是当前线程的句柄,最后再看看这AccessMode是内核还是用户态下,内核的话,句柄表就用ObpKernelHandleTable,用户态的话就用当前进程的句柄表 NTSTATUS ObReferenceObjectByHandle (     __in HANDLE Handle,     __in ACCESS_MASK DesiredAccess,
DSP任务线程创建过程
最新发布
05-22
DSP(数字信号处理器)任务线程创建过程如下: 1. 创建线程:使用操作系统提供的线程API(例如pthread_create())创建一个新的线程。 2. 设置线程属性:设置线程的属性,例如优先级、栈大小等。 3. 分配内存:...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值