这两个结构究竟谁是正确的?

RLib 2012-02-01 03:41:59

问题1>



typedef struct _INITIAL_TEB

{

	PVOID PreviousStackBase;

	PVOID PreviousStackLimit;

	PVOID StackBase;

	PVOID StackLimit;

	PVOID AllocatedStackBase;

} INITIAL_TEB, *PINITIAL_TEB;





typedef struct _INITIAL_TEB {

  PVOID                StackBase;

  PVOID                StackLimit;

  PVOID                StackCommit;

  PVOID                StackCommitMax;

  PVOID                StackReserved;

} INITIAL_TEB, *PINITIAL_TEB;

如AllocatedStackBase和StackReserved名称有歧义.

哪个定义比较准确呢?

问题2>



HANDLE APIENTRY CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, DWORD dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)

{

	NTSTATUS Status;

	OBJECT_ATTRIBUTES Obja;

	POBJECT_ATTRIBUTES pObja;

	HANDLE Handle;

	CONTEXT ThreadContext;

	INITIAL_TEB InitialTeb;

	CLIENT_ID ClientId;



	// Allocate a stack for this thread

	Status = BaseCreateStack(hProcess, dwStackSize, 0L, &InitialTeb );



	// Create an initial context

	BaseInitializeContext( &ThreadContext, lpParameter, (PVOID)lpStartAddress, InitialTeb.StackBase, BaseContextTypeThread);



	pObja = BaseFormatObjectAttributes(&Obja, lpThreadAttributes, NULL);



	Status = NtCreateThread( &Handle, THREAD_ALL_ACCESS, pObja, hProcess, &ClientId, &ThreadContext, &InitialTeb, TRUE ); 

}

NtCreateThread究竟怎么使用?
我找不到BaseCreateStack、BaseContextTypeThread、BaseFormatObjectAttributes的定义。

...全文

626 29 打赏收藏转发到动态举报

写回复

用AI写文章

29 条回复

切换为时间正序

请发表友善的回复…

发表回复

有舍有得 2012-02-01

打赏
举报

结构是一样, 但成员名称不一样, 有歧义。

Lactoferrin 2012-02-01

打赏
举报

HANDLE
BaseGetNamedObjectDirectory(
VOID
)
{
OBJECT_ATTRIBUTES Obja;
NTSTATUS Status;
UNICODE_STRING RestrictedObjectDirectory; // BUGBUG this should not be hardcoded
ACCESS_MASK DirAccess = DIRECTORY_ALL_ACCESS &
~(DELETE | WRITE_DAC | WRITE_OWNER);
HANDLE hRootNamedObject;

RtlAcquirePebLock();

if ( !BaseNamedObjectDirectory ) {

BASE_READ_REMOTE_STR_TEMP(TempStr);
InitializeObjectAttributes( &Obja,
BASE_READ_REMOTE_STR(BaseStaticServerData->NamedObjectDirectory, TempStr),
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);

Status = NtOpenDirectoryObject( &BaseNamedObjectDirectory,
DirAccess,
&Obja
);

// if the intial open failed, try again with just traverse, and
// open the restricted subdirectory

if ( !NT_SUCCESS(Status) ) {
Status = NtOpenDirectoryObject( &hRootNamedObject,
DIRECTORY_TRAVERSE,
&Obja
);
if ( NT_SUCCESS(Status) ) {
RtlInitUnicodeString( &RestrictedObjectDirectory, L"Restricted");

InitializeObjectAttributes( &Obja,
&RestrictedObjectDirectory,
OBJ_CASE_INSENSITIVE,
hRootNamedObject,
NULL
);
Status = NtOpenDirectoryObject( &BaseNamedObjectDirectory,
DirAccess,
&Obja
);
NtClose( hRootNamedObject );
}

if ( !NT_SUCCESS(Status) ) {
BaseNamedObjectDirectory = NULL;
}
}
}
RtlReleasePebLock();
return BaseNamedObjectDirectory;
}

Lactoferrin 2012-02-01

打赏
举报

VOID
BaseInitializeContext (
OUT PCONTEXT Context,
IN PVOID Parameter OPTIONAL,
IN PVOID InitialPc OPTIONAL,
IN PVOID InitialSp OPTIONAL,
IN BASE_CONTEXT_TYPE ContextType
)

{
ULONG temp;
PPEB Peb;

Peb = NtCurrentPeb();

//
// Initialize the control registers.
// So that the thread begins at BaseThreadStart
//

RtlZeroMemory((PVOID)Context, sizeof(CONTEXT));
Context->IntGp = 1;
Context->IntSp = (ULONGLONG)(LONG_PTR)InitialSp;
Context->IntRa = 1;
Context->ContextFlags = CONTEXT_FULL;
if ( ContextType != BaseContextTypeProcess ) {
if ( ContextType == BaseContextTypeThread ) {
Context->Fir = (ULONGLONG)(LONG_PTR)BaseThreadStart;
} else {
Context->Fir = (ULONGLONG)(LONG_PTR)BaseFiberStart;
}
Context->IntA0 = (ULONGLONG)(LONG_PTR)InitialPc;
Context->IntA1 = (ULONGLONG)(LONG_PTR)Parameter;
Context->IntGp = (ULONGLONG)(LONG_PTR)RtlImageDirectoryEntryToData(
Peb->ImageBaseAddress,
TRUE,
IMAGE_DIRECTORY_ENTRY_GLOBALPTR,
&temp
);
}
else {
Context->Fir = (ULONGLONG)(LONG_PTR)BaseProcessStart;
Context->IntA0 = (ULONGLONG)(LONG_PTR)InitialPc;
}
}

RLib 2012-02-01

打赏
举报

[Quote=引用 24 楼 pathuang68 的回复:]

引用 22 楼 rrrfff 的回复:

windows头文件中结构的定义很多是Reserved,真是头疼.

未公开的东东除非十分必要最好不要用
[/Quote]

对啊，不过我需要封装一个纯Native API实现的Thread类

RLib 2012-02-01

打赏
举报

总算编译通过了
BaseInitializeContext
BaseGetNamedObjectDirectory
还差这两个没法链接通过（又要麻烦列宁大叔给代码了，谢谢虽然200分不多。。。。）

Lactoferrin 2012-02-01

打赏
举报

有的是真Reserved

pathuang68 2012-02-01

打赏
举报

[Quote=引用 22 楼 rrrfff 的回复:]

windows头文件中结构的定义很多是Reserved,真是头疼.
[/Quote]

未公开的东东除非十分必要最好不要用

RLib 2012-02-01

打赏
举报

windows头文件中结构的定义很多是Reserved,真是头疼.

Lactoferrin 2012-02-01

打赏
举报

其实你用不到这些
这是我用powerbasic弄的代码



Function CreateUserProcess(ByRef FileName As String,ByRef CommandLine As String,ByVal InheritedProcessId As ULONG_PTR,ByVal Wait As Long) As ULONG_PTR

Dim ProcessHandle As ULONG_PTR,SectionHandle As ULONG_PTR,FileHandle As ULONG_PTR,Status As ULONG_PTR,ObjectAttributes As OBJECT_ATTRIBUTES,ObjectName As UNICODE_STRING,IoStatusBlock As IO_STATUS_BLOCK,sii As SECTION_IMAGE_INFORMATION,_

RegionSize As Dword,UserStack As USER_STACK,BaseAddress As Dword,ThreadContext As Context,ClientID As CLIENT_ID,ThreadHandle As ULONG_PTR,CmdLineDes As UNICODE_STRING,ProcessParameters As PROCESS_PARAMETERS Ptr,Environment As Word Ptr,Position As Word _

Ptr,_

pbi As PROCESS_BASIC_INFORMATION,r As Dword,ProtectSize As Dword,OldProtect As Dword,ApiMessage As CSR_API_MESSAGE,InheritedProcess As Dword

FileName=UCode$(FileName)

ObjectName.Length=Len(FileName)

ObjectName.MaximumLength=ObjectName.Length

ObjectName.Buffer=StrPtr(FileName)

ObjectAttributes.Length=Len(OBJECT_ATTRIBUTES)

If InheritedProcessId<>0 Then

ClientId.ProcessId=InheritedProcessId

ClientId.ThreadId=0

Status=NtOpenProcess(InheritedProcess,&H080,ObjectAttributes,ClientId)

Else

InheritedProcess=-1

End If

ObjectAttributes.ObjectName=VarPtr(ObjectName)

Status=NtOpenFile(FileHandle,1 Or 32 Or &H00100000,ObjectAttributes,IoStatusBlock,1,32)

If Status<>0 Then Function=Status:Exit Function

ObjectAttributes.ObjectName=0

Status=NtCreateSection(SectionHandle,&H0F001F,ObjectAttributes,ByVal 0,&H020,&H01000000,FileHandle)

If Status<>0 Then Function=Status:Exit Function

Status=NtQuerySection(SectionHandle,1,sii,Len(SECTION_IMAGE_INFORMATION),ByVal 0)

If Status<>0 Then Function=Status:Exit Function

Status=NtCreateProcessEx(ProcessHandle,2035711,ObjectAttributes,InheritedProcess,0,SectionHandle,0,0,0)

If Status<>0 Then Function=Status:Exit Function

Status=NtQueryInformationProcess(ProcessHandle,0,pbi,Len(PROCESS_BASIC_INFORMATION),ByVal 0)

If Status<>0 Then Function=Status:Exit Function

ObjectName.Buffer+=8

ObjectName.Length-=8

ObjectName.MaximumLength=ObjectName.Length

If Len(CommandLine)=0 Then

Status=RtlCreateProcessParameters(ProcessParameters,VarPtr(ObjectName),0,0,0,0,0,0,0,0)

If Status<>0 Then Function=Status:Exit Function

Else

CmdLineDes.Length=Len(CommandLine)*2

CmdLineDes.MaximumLength=Len(CommandLine)*2

CommandLine=UCode$(CommandLine)

CmdLineDes.Buffer=StrPtr(CommandLine)

Status=RtlCreateProcessParameters(ProcessParameters,VarPtr(ObjectName),0,0,ByVal VarPtr(CmdLineDes),0,0,0,0,0)

If Status<>0 Then Function=Status:Exit Function

End If

!mov eax,fs:[48]

!mov eax,[eax+16]

!mov eax,[eax+72]

!mov Environment,eax

!mov Position,eax

Do While @Position<>0 Or @Position[1]<>0

Incr Position

Loop

RegionSize=Position-Environment

@ProcessParameters.Environment=0

Status=NtAllocateVirtualMemory(ProcessHandle,@ProcessParameters.Environment,0,RegionSize,&H03000,4)

If Status<>0 Then Function=Status:Exit Function

Status=NtWriteVirtualMemory(ProcessHandle,@ProcessParameters.Environment,Environment,Position-Environment,ByVal 0)

If Status<>0 Then Function=Status:Exit Function

BaseAddress=0

RegionSize=@ProcessParameters.TheSize

Status=NtAllocateVirtualMemory(ProcessHandle,BaseAddress,0,RegionSize,&H03000,4)

If Status<>0 Then Function=Status:Exit Function

Status=NtWriteVirtualMemory(ProcessHandle,BaseAddress,ProcessParameters,@ProcessParameters.TheSize,ByVal 0)

If Status<>0 Then Function=Status:Exit Function

Status=NtWriteVirtualMemory(ProcessHandle,pbi.PebBaseAddress+16,VarPtr(BaseAddress),4,ByVal 0)

If Status<>0 Then Function=Status:Exit Function

RegionSize=sii.StackReserved

Status=NtAllocateVirtualMemory(ProcessHandle,UserStack.ExpandableStackBottom,0,RegionSize,&H02000,4)

If Status<>0 Then Function=Status:Exit Function

UserStack.ExpandableStackBase=UserStack.ExpandableStackBottom+sii.StackReserved

UserStack.ExpandableStackLimit=UserStack.ExpandableStackBase-sii.StackCommit

RegionSize=sii.StackCommit+4096

If RegionSize>sii.StackReserved Then RegionSize=sii.StackReserved

BaseAddress=UserStack.ExpandableStackBase-RegionSize

Status=NtAllocateVirtualMemory(ProcessHandle,BaseAddress,0,RegionSize,&H01000,4)

If Status<>0 Then Function=Status:Exit Function

If RegionSize<sii.StackReserved Then

ProtectSize=4096

Status=NtProtectVirtualMemory(ProcessHandle,BaseAddress,ProtectSize,4 Or &H0100,OldProtect)

End If

'If Status<>0 Then Function=Status:Exit Function

ThreadContext.ContextFlags=&H010007

ThreadContext.regGs=0

!xor eax,eax

!mov ax,fs

!mov r,eax

ThreadContext.regFs=r

!mov ax,es

!mov r,eax

ThreadContext.regEs=r

!mov ax,ds

!mov r,eax

ThreadContext.regDs=r

!mov ax,ss

!mov r,eax

ThreadContext.regSs=r

!mov ax,cs

!mov r,eax

ThreadContext.regCs=r

!pushfd

!pop r

ThreadContext.regFlag = r

ThreadContext.regEsp = UserStack.ExpandableStackBase-4

ThreadContext.regEip = sii.EntryPoint

Status=NtCreateThread(ThreadHandle,2032639,ObjectAttributes,ProcessHandle,ClientId,ThreadContext,UserStack,1)

If Status<>0 Then Function=Status:Exit Function

If sii.ImageSubsystem=2 Or sii.ImageSubsystem=3 Then

ApiMessage.CsrssMessage.ApiNumber=&H010000

ApiMessage.CreateProcess.ProcessHandle=ProcessHandle

ApiMessage.CreateProcess.ThreadHandle=ThreadHandle

ApiMessage.CreateProcess.ProcessId=ClientId.ProcessId

ApiMessage.CreateProcess.ThreadId=ClientId.ThreadId

Status=CsrClientCallServer(ApiMessage,ByVal 0,&H010000,Len(CSR_API_MESSAGE))

End If

NtResumeThread ThreadHandle,ByVal 0

If Wait Then

NtWaitForSingleObject ProcessHandle,0,ByVal 0

NtQueryInformationProcess ProcessHandle,0,pbi,Len(PROCESS_BASIC_INFORMATION),ByVal 0

Status=pbi.ExitStatus

End If

RtlDestroyProcessParameters ProcessParameters

NtClose InheritedProcess

NtClose FileHandle

NtClose SectionHandle

NtClose ThreadHandle

NtClose ProcessHandle

Function=Status

End Function

RLib 2012-02-01

打赏
举报

BaseCreateStack中BaseStaticServerData = BASE_SHARED_SERVER_DATA;这句未定义,行为不明

Lactoferrin 2012-02-01

打赏
举报

这些东西不同的版本接口可能有变化

Lactoferrin 2012-02-01

打赏
举报

yes

RLib 2012-02-01

打赏
举报

好,追加到200分

RLib 2012-02-01

打赏
举报

[Quote=引用 13 楼 lactoferrin 的回复:]

base开头的基本都没导出
xpsp3导出这些

BaseCheckAppcompatCache
BaseCleanupAppcompatCache
BaseCleanupAppcompatCacheSupport
BaseDumpAppcompatCache
BaseFlushAppcompatCache
BaseInitAppcompatCache
BaseInitAppc……
[/Quote]

不导出的话不是个个都要自己实现?

Lactoferrin 2012-02-01

打赏
举报

这些不同的版本可能有变化，缺的参数一般都是0
你可以直接给ObjectAttributes赋值

RLib 2012-02-01

打赏
举报

还有下面这个对不对的?
POBJECT_ATTRIBUTES BaseFormatObjectAttributes(OUT POBJECT_ATTRIBUTES ObjectAttributes,IN PUNICODE_STRING ObjectName)

但是pObja = BaseFormatObjectAttributes(&Obja, lpThreadAttributes, NULL);却有3个参数

Lactoferrin 2012-02-01

打赏
举报

base开头的基本都没导出
xpsp3导出这些

BaseCheckAppcompatCache
BaseCleanupAppcompatCache
BaseCleanupAppcompatCacheSupport
BaseDumpAppcompatCache
BaseFlushAppcompatCache
BaseInitAppcompatCache
BaseInitAppcompatCacheSupport
BasepCheckWinSaferRestrictions
BaseProcessInitPostImport
BaseQueryModuleData
BaseUpdateAppcompatCache

RLib 2012-02-01

打赏
举报

[Quote=引用 11 楼 lactoferrin 的回复:]

BaseFormatObjectAttributes很明了，就是对InitializeObjectAttributes的封装

NtCreateThread的用法见CreateRemoteThread的代码
[/Quote]

BaseGetNamedObjectDirectory有没有被导出?
那个LIB?

Lactoferrin 2012-02-01

打赏
举报

BaseFormatObjectAttributes很明了，就是对InitializeObjectAttributes的封装

NtCreateThread的用法见CreateRemoteThread的代码

RLib 2012-02-01

打赏
举报

[Quote=引用 9 楼 lactoferrin 的回复:]

typedef struct _INITIAL_TEB {
struct {
PVOID OldStackBase;
PVOID OldStackLimit;
} OldInitialTeb;
PVOID StackBase;
PVOID StackLimit;
PVOID StackAllocationBas……
[/Quote]

就知道你有这些东东....哈

加载更多回复（8）

mail.jar与activation.jar 希望对大家有帮组啊！

代码为博客实例代码：http://blog.csdn.net/lmj623565791/article/details/34120047 有问题博客中留言

数据结构考研如何120+？前几天收到私信问：0基础跨考，0基础跨考的话是不是需要先学c语言呢，等过完一遍C语言再看数据结构。我觉得这个问题还蛮典型的，就想更在文里一起说一下了。我的建议是，数据结构和C语言一起看，一起复习。不要等着把C全部看完再说复习数据结构，我担心很多跨考的同学都是学完c就已经要弃坑了，第一是时间来不及，第二可能是觉得c太难。如果是为了考研数据结构学C语言，实际上更好的办法是在看完C语言的运算符、表达式和语句之后，就可以着手复习数据结构。在看数据结构书的时候，去理解每段代码的意思，当你