1、CreateProcess()
The Win32 API function CreateProcess creates a new process and its primary thread; the new process runs the specified executable file.
BOOL CreateProcess(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
2、DebugActiveProcess()
Enables a debugger to attach to an active process and debug it.
BOOL WINAPI DebugActiveProcess(
_In_ DWORD dwProcessId
);
3、ContinueDebugEvent
This function enables a debugger to continue a thread that previously reported a debugging event.
BOOL ContinueDebugEvent(
DWORD dwProcessId,
DWORD dwThreadId,
DWORD dwContinueStatus
);
4、WaitForDebugEvent
This function waits for a debugging event to occur in a process being debugged.
BOOL WaitForDebugEvent(
LPDEBUG_EVENT lpDebugEvent,
DWORD dwMilliseconds
);
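The three functions above (DebugActiveProcess, WaitForDebugEvent, ContinueDebugEvent) are normally combined into one event loop. The following is an added example written for this page, not code from the original author: it attaches to a running process by PID, pumps debug events, and shows the one decision that trips up many first debuggers, namely which continue status to hand back. Breakpoint and single-step exceptions are the debugger's own and are consumed with DBG_CONTINUE; any other exception belongs to the debuggee and must be returned as DBG_EXCEPTION_NOT_HANDLED so its own handlers run. The decision is isolated in choose_continue_status() so it can be exercised without a live process; the Windows-only loop is guarded by _WIN32, and outside Windows the handful of SDK constants it needs are defined locally with the values from winnt.h and minwinbase.h (an assumption of this example, not something the page states).

```c
/*
 * Added example (not from the original page): a minimal debug-event loop built
 * from DebugActiveProcess / WaitForDebugEvent / ContinueDebugEvent, with the
 * continue-status decision factored out into a testable pure function.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Values copied from the Windows SDK headers so the pure logic builds anywhere. */
#define EXCEPTION_DEBUG_EVENT      1
#define CREATE_PROCESS_DEBUG_EVENT 3
#define EXIT_PROCESS_DEBUG_EVENT   5
#define LOAD_DLL_DEBUG_EVENT       6
#define EXCEPTION_BREAKPOINT       0x80000003u
#define EXCEPTION_SINGLE_STEP      0x80000004u
#define STATUS_WX86_BREAKPOINT     0x4000001Fu   /* 32-bit debuggee under WOW64 */
#define STATUS_WX86_SINGLE_STEP    0x4000001Eu
#define DBG_CONTINUE               0x00010002u
#define DBG_EXCEPTION_NOT_HANDLED  0x80010001u
#endif

/*
 * What to pass to ContinueDebugEvent for an EXCEPTION_DEBUG_EVENT.
 * Breakpoints (including the system's initial attach breakpoint) and
 * single-steps are debugger artifacts: swallow them with DBG_CONTINUE.
 * Everything else is the debuggee's fault (access violation, etc.):
 * DBG_EXCEPTION_NOT_HANDLED lets the process's own SEH handlers see it
 * instead of the debugger silently hiding the exception.
 */
uint32_t choose_continue_status(uint32_t exception_code)
{
    switch (exception_code) {
    case EXCEPTION_BREAKPOINT:
    case EXCEPTION_SINGLE_STEP:
    case STATUS_WX86_BREAKPOINT:
    case STATUS_WX86_SINGLE_STEP:
        return DBG_CONTINUE;
    default:
        return DBG_EXCEPTION_NOT_HANDLED;
    }
}

/* Non-exception events (thread/DLL/process notifications) carry no fault
 * to propagate, so they are always continued with DBG_CONTINUE. */
uint32_t continue_status_for_event(uint32_t event_code, uint32_t exception_code)
{
    if (event_code == EXCEPTION_DEBUG_EVENT)
        return choose_continue_status(exception_code);
    return DBG_CONTINUE;
}

#ifdef _WIN32
/* Attach to an already running process and pump its debug events until it exits. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
    if (!DebugActiveProcess(pid)) {
        fprintf(stderr, "DebugActiveProcess failed: %lu\n", GetLastError());
        return 1;
    }
    DEBUG_EVENT ev;
    for (;;) {
        if (!WaitForDebugEvent(&ev, INFINITE)) break;
        DWORD code = 0;
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT)
            code = ev.u.Exception.ExceptionRecord.ExceptionCode;
        /* These two events hand the debugger a file handle it must close. */
        if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT && ev.u.CreateProcessInfo.hFile)
            CloseHandle(ev.u.CreateProcessInfo.hFile);
        if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT && ev.u.LoadDll.hFile)
            CloseHandle(ev.u.LoadDll.hFile);
        printf("event %lu pid %lu tid %lu code 0x%08lx\n", ev.dwDebugEventCode,
               ev.dwProcessId, ev.dwThreadId, code);
        DWORD status = continue_status_for_event(ev.dwDebugEventCode, code);
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
    }
    return 0;
}
#endif
```

Usage on Windows: build with a C compiler, run with the target PID as the only argument; the loop ends when the debuggee exits. A practitioner can verify the continue-status rule by attaching to a test program that raises and catches its own exception: with DBG_EXCEPTION_NOT_HANDLED the program's handler runs as normal, whereas returning DBG_CONTINUE for every exception would resume the faulting instruction and re-fault endlessly.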
5、CreateRemoteThread
Remote threads are a technique supported only on Windows 2000 and later. Put simply, CreateRemoteThread creates a thread in another process and makes it execute the specified code. Because the thread runs not in the calling process but in another one, it is called a remote thread. The prototype of CreateRemoteThread is:
HANDLE WINAPI CreateRemoteThread(
HANDLE hProcess,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
LPDWORD lpThreadId
);
Although the idea is very simple, using CreateRemoteThread still raises some problems:
a. lpStartAddress must be an address inside the other process, so how does the code get into that process in the first place? Fortunately, two functions make this possible: VirtualAllocEx and WriteProcessMemory. The former allocates a block of memory in the specified process, and WriteProcessMemory can modify the specified process's memory. So the sequence is: first call VirtualAllocEx to allocate memory in the target process, then call WriteProcessMemory to write the code into the allocated block, and finally call CreateRemoteThread to create a remote thread that executes the code prepared in advance.
b. In addition, that code must be self-relocating (it cannot rely on fixed addresses from the calling process).
6、ReadProcessMemory
This function reads memory in a specified process. The entire area to be read must be accessible or the operation fails.
BOOL ReadProcessMemory(
HANDLE hProcess,
LPCVOID lpBaseAddress,
LPVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesRead
);
7、WriteProcessMemory
This function writes to a memory region in the specified process. The entire area to be written must be accessible, otherwise the operation fails.
BOOL WriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesWritten
);
8、FlushInstructionCache()
Flushes the instruction cache for the specified process.
BOOL WINAPI FlushInstructionCache(
_In_ HANDLE hProcess,
_In_ LPCVOID lpBaseAddress,
_In_ SIZE_T dwSize
);
9、GetThreadContext
Looks inside the thread's kernel object and retrieves the current set of CPU register state.
BOOL GetThreadContext(
HANDLE hThread,
PCONTEXT pContext
);
Before calling GetThreadContext you should call SuspendThread; otherwise the thread may happen to be scheduled in the meantime, and its real context would then no longer match the information you retrieved.
The CONTEXT structure is made up of the following parts, selected by the ContextFlags member:
CONTEXT_CONTROL: the CPU's control registers, such as the instruction pointer, stack pointer, flags and function return address: SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER: the CPU's integer registers: AX, BX, CX, DX, SI, DI
CONTEXT_FLOATING_POINT: the CPU's floating-point registers.
CONTEXT_SEGMENTS: the CPU's segment registers: DS, ES, FS, GS
CONTEXT_DEBUG_REGISTERS: the CPU's debug registers.
CONTEXT_EXTENDED_REGISTERS: the CPU's extended registers.
CONTEXT_FULL: equivalent to CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS, i.e. the combination of those three flags.
10、SetThreadContext
Changes members of the structure and writes the new register values back into the thread's kernel object.
BOOL SetThreadContext(
HANDLE hThread,
CONST CONTEXT *pContext
);
Likewise, whichever thread's context you want to change, suspend that thread first.
11、SuspendThread and ResumeThread
The operating system moves a thread through several state changes: running, suspended, and resumed.
When a thread has finished its work, or when you simply want to pause it, use SuspendThread to suspend its execution; to resume execution, use ResumeThread.
WINBASEAPI DWORD WINAPI
SuspendThread(
__in HANDLE hThread
);
WINBASEAPI DWORD WINAPI
ResumeThread(
__in HANDLE hThread
);
12、GetThreadPriority
Retrieves the priority value for the specified thread. This value, together with the priority class of the thread's process, determines the thread's base-priority level.
int WINAPI GetThreadPriority(
_In_ HANDLE hThread
);
13、ExitProcess
Ends the calling process and all its threads.
VOID WINAPI ExitProcess(
_In_ UINT uExitCode
);
14、TerminateProcess
Terminates the specified process and all of its threads.
BOOL TerminateProcess(
HANDLE hProcess, // process handle
UINT uExitCode   // exit code for the process
);
15、TerminateThread
This function stops the specified thread.
BOOL TerminateThread(
HANDLE hThread,
DWORD dwExitCode
);
16、VirtualQueryEx
Queries information about a memory address in the address space of the specified process.
DWORD VirtualQueryEx(
HANDLE hProcess,
LPCVOID lpAddress,
PMEMORY_BASIC_INFORMATION lpBuffer,
DWORD dwLength
);
17、VirtualProtectEx
Changes the protection on a region of committed pages in the virtual address space of a specified process.
BOOL WINAPI VirtualProtectEx(
_In_ HANDLE hProcess,
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);
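VirtualQueryEx is the defender's counterpart to the VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequence described under item 5: memory written at runtime and then executed shows up as committed, private (not image-backed) executable regions, and that footprint is what memory scanners look for. The following is an added example written for this page, not code from the original author. It walks a process's address space with VirtualQueryEx, classifying each MEMORY_BASIC_INFORMATION record with a pure function so the logic can be tested offline; the walk itself needs OpenProcess and VirtualQueryEx and is compiled only under _WIN32. Outside Windows, a compatible struct layout and the relevant MEM_* / PAGE_* constants are defined locally with the values from the Windows SDK headers (an assumption of this example).

```c
/*
 * Added example (not from the original page): walk another process's address
 * space with VirtualQueryEx and flag private executable regions, the usual
 * artifact of code injected at runtime.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Minimal stand-ins so the classifier compiles and runs off Windows. */
typedef unsigned int DWORD;     /* width does not matter for the flag logic */
typedef void *PVOID;
typedef size_t SIZE_T;
typedef struct _MEMORY_BASIC_INFORMATION {
    PVOID  BaseAddress;
    PVOID  AllocationBase;
    DWORD  AllocationProtect;
    SIZE_T RegionSize;
    DWORD  State;
    DWORD  Protect;
    DWORD  Type;
} MEMORY_BASIC_INFORMATION;
#define MEM_COMMIT              0x1000
#define MEM_RESERVE             0x2000
#define MEM_PRIVATE             0x20000
#define MEM_IMAGE               0x1000000
#define PAGE_READWRITE          0x04
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define PAGE_GUARD              0x100
#endif

enum region_verdict {
    REGION_SKIP = 0,      /* not committed, or a guard page: nothing to say */
    REGION_OTHER,         /* committed but not executable, or mapped section */
    REGION_IMAGE_CODE,    /* executable and backed by a loaded image: normal */
    REGION_PRIVATE_EXEC,  /* executable private memory: worth a look */
    REGION_PRIVATE_RWX    /* writable and executable private memory: loud */
};

/* The low byte of Protect holds the access kind; higher bits are modifiers
 * such as PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE. */
static DWORD base_protect(DWORD p) { return p & 0xFF; }

static int protect_is_executable(DWORD p)
{
    DWORD b = base_protect(p);
    return b == PAGE_EXECUTE || b == PAGE_EXECUTE_READ ||
           b == PAGE_EXECUTE_READWRITE || b == PAGE_EXECUTE_WRITECOPY;
}

enum region_verdict classify_region(const MEMORY_BASIC_INFORMATION *mbi)
{
    if (mbi->State != MEM_COMMIT) return REGION_SKIP;
    if (mbi->Protect & PAGE_GUARD) return REGION_SKIP;
    if (!protect_is_executable(mbi->Protect)) return REGION_OTHER;
    if (mbi->Type == MEM_IMAGE) return REGION_IMAGE_CODE;
    if (mbi->Type == MEM_PRIVATE) {
        DWORD b = base_protect(mbi->Protect);
        return (b == PAGE_EXECUTE_READWRITE || b == PAGE_EXECUTE_WRITECOPY)
               ? REGION_PRIVATE_RWX : REGION_PRIVATE_EXEC;
    }
    return REGION_OTHER;  /* executable MEM_MAPPED section, e.g. a mapped file */
}

/* Convenience wrapper: classify from the three fields alone (used in tests). */
enum region_verdict classify_values(DWORD state, DWORD type, DWORD protect)
{
    MEMORY_BASIC_INFORMATION m = {0};
    m.State = state;
    m.Type = type;
    m.Protect = protect;
    m.RegionSize = 0x1000;
    return classify_region(&m);
}

#ifdef _WIN32
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    /* Each call describes the run of pages starting at addr; step past it. */
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        enum region_verdict v = classify_region(&mbi);
        if (v == REGION_PRIVATE_EXEC || v == REGION_PRIVATE_RWX)
            printf("%p size 0x%zx protect 0x%lx: %s\n", mbi.BaseAddress,
                   (size_t)mbi.RegionSize, mbi.Protect,
                   v == REGION_PRIVATE_RWX ? "private RWX" : "private executable");
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    CloseHandle(h);
    return 0;
}
#endif
```

A private executable region is a signal, not a verdict: JIT runtimes (.NET, JavaScript engines, Java) legitimately create such regions, so a scanner should whitelist known hosts or compare the region contents against the modules loaded in the process before raising an alert. Note also that this walk only needs PROCESS_QUERY_INFORMATION for VirtualQueryEx; PROCESS_VM_READ is requested so a follow-up ReadProcessMemory of a flagged region can inspect its contents.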