滴水 2.23 win32 进程 线程 线程结构

一个程序存储在硬盘中时就是一堆数据，加载到内存后便是进程；进程拥有 4GB 空间，然后会有一个线程执行工作。
3环 应用层
0环 操作系统

#include<stdio.h>
#include<Windows.h>
DWORD WINAPI ThreadProc(
	LPVOID lpParameter   // thread data (unused: this worker takes no input)
)
{
	// Worker body: print the marker ten times so that its output can be seen
	// interleaving with what the main thread prints at the same time.
	for (int count = 0; count < 10; ++count)
	{
		printf("天");
	}
	return 0;   // thread exit code
}
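int main()
{
	// Create a second thread running ThreadProc.
	HANDLE hThread = ::CreateThread(NULL, 0, ThreadProc,
		NULL, 0, NULL);
	if (hThread == NULL)
	{
		// CreateThread reports failure with NULL; report it instead of
		// passing an invalid handle to CloseHandle.
		printf("CreateThread failed: %lu\n", GetLastError());
		return 1;
	}

	// The handle is not referenced anywhere else, so release it now.
	// Closing the handle does not stop the thread; it only drops our
	// reference to the kernel object.
	::CloseHandle(hThread);

	// Print from the main thread in parallel with the worker.  Note that
	// main() does not wait for the worker: returning from main ends the
	// process, and any output the worker has not produced by then is lost.
	int i = 0;
	while (i < 10)
	{
		printf("我");
		i++;
	}

	return 0;
}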
向线程传值：直接传参，或者使用全局变量 // 线程参数
// IconDemo.cpp : Defines the entry point for the application.
//

#include "stdafx.h"
#include "resource.h"
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <string>
#include <tchar.h>
#include "DA.h"

HANDLE hThread;   // handle of the most recently created worker (assigned in tset()); zero until then
HWND UIN;         // the dialog's edit control, cached in MainDlgProc on WM_INITDIALOG; read and written by ThreadProc
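DWORD WINAPI ThreadProc(
		     LPVOID lpParameter   // thread data (unused)
		     )
{
	// Worker: read the number shown in the edit control UIN, decrement it
	// and write it back.  This runs on a thread other than the one that owns
	// the window, so GetWindowText/SetWindowText are cross-thread calls; the
	// dialog must still be alive and pumping messages while this executes.
	//
	// The buffer is char rather than TCHAR: this file is built ANSI (see the
	// "1000" literal passed to SetWindowText in MainDlgProc) and sscanf/sprintf
	// below are narrow-string functions.  16 chars holds any 32-bit int with
	// sign and terminator ("-2147483648" is 11 characters), which the original
	// 10-char buffer did not.
	char AT[16];
	memset(AT, 0, sizeof(AT));
	GetWindowText(UIN, AT, sizeof(AT));

	// Parse the text.  If the control does not hold an integer, leave it
	// untouched instead of decrementing an uninitialised value.
	int p = 0;
	if (sscanf(AT, "%d", &p) != 1)
	{
		return 1;
	}
	p--;

	// Back to text and into the control.
	memset(AT, 0, sizeof(AT));
	sprintf(AT, "%d", p);
	SetWindowText(UIN, AT);

	return 0;
}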

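void tset()
{
	// Each button click spawns a fresh worker.  The global keeps only the
	// newest handle, so release the previous one first; otherwise every click
	// leaks a kernel handle.  Closing it does not affect the thread itself,
	// which keeps running to completion.
	if (hThread != NULL)
	{
		::CloseHandle(hThread);
		hThread = NULL;
	}

	// NULL on failure; callers treat NULL as "no worker".
	hThread = ::CreateThread(NULL, 0, ThreadProc,
		NULL, 0, NULL);
}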

HINSTANCE hAppInstance;   // module instance saved by WinMain; not read anywhere else in this listing
//提权
//提升程序的权限


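BOOL CALLBACK MainDlgProc(HWND hDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
	// Dialog procedure.  TRUE means "message handled"; FALSE lets the dialog
	// manager apply its default processing.  (The two HICON locals of the
	// original were never used and have been dropped.)
	BOOL bRet = TRUE;
	switch(uMsg)
	{
	case WM_INITDIALOG:
		{
			// Cache the edit control in the global UIN: the worker thread
			// started from the button reads and writes the control through it.
			UIN = GetDlgItem(hDlg,IDC_EDIT1);
			SetWindowText(UIN,"1000");

			// 0 (FALSE): do not let the system move keyboard focus to the
			// default control.
			return 0;
		}
	case WM_COMMAND:
		switch(LOWORD(wParam))
		{
		case IDC_BUTTON_OUT:
			EndDialog(hDlg,0);
			break;

		case IDC_BUTTON1_about:
			// Spawn the worker that decrements the number in the edit box.
			tset();
			break;

		default:
			bRet = FALSE;
			break;
		}
		break;

	default:
		bRet = FALSE;
		break;
	}

	return bRet;
}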


int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
	// Entry point: remember the module handle, then run the main dialog
	// modally until MainDlgProc closes it with EndDialog.
	(void)hPrevInstance;
	(void)lpCmdLine;
	(void)nCmdShow;

	hAppInstance = hInstance;
	DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG_MAIN), NULL, MainDlgProc);

	return 0;
}


线程句柄、窗口句柄都是操作系统给的，这些都由内核创建，使我们可以控制 0 环的程序
冒号 :: 表示全局作用域
::CloseHandle(hThread);
不代表线程挂了，只代表这个句柄编号没了


文本框赋值: SetWindowText(句柄,数据缓存区);
文本框取值:		
GetWindowText(句柄,数据缓冲区,长度);		
		
数字转字符:		
sprintf(数据缓冲区,"%d",数字);		
		
字符转数字:		
sscanf( szBuffer, "%d", &dwTimer );		
		
获取子窗口:		
GetDlgItem(hDlg,IDC_EDIT_TIMER);		

线程控制 线程结构 多线程

挂起线程
::SuspendThread(hThread);
恢复线程
::ResumeThread(hThread);

CreateThread---参数
DWORD dwCreationFlags, // 0 创建完毕立即调度 CREATE_SUSPENDED创建后挂起
也不是立刻调度，还是需要 CPU 为它分配内存

终止线程
1.::ExitThread(DWORD dwExitCode);
会清除堆栈 --
2.自然死亡
线程函数返回
if(i==3)
{
退出;
}
3.方式三
::TerminateThread(hThread,2);
::WaitForSingleObject(hThread,INFINITE);
不会清除堆栈，而且是异步调用，可能有 BUG

CONTEXT:结构
当一个程序有很多线程的时候 CPU给每个线程都分配了运行时间
例如 线程1 -> 线程2 -> 线程1
必须有一个结构保存了线程1的寄存器的值
image

查看 结构
					
	CONTEXT:				
					
	该结构包含了特定处理器的寄存器数据。				
					
					
	// x86 (32-bit) CONTEXT as declared by the Windows SDK (winnt.h); the
	// register names below (Eip, Esp, Edi, ...) are the 32-bit ones.  The notes
	// in this post use it with GetThreadContext/SetThreadContext on a suspended
	// thread; ContextFlags selects which of the sections below are read or
	// written, as the original header comment explains.
	typedef struct _CONTEXT {

	    //
	    // The flags values within this flag control the contents of
	    // a CONTEXT record.
	    //
	    // If the context record is used as an input parameter, then
	    // for each portion of the context record controlled by a flag
	    // whose value is set, it is assumed that that portion of the
	    // context record contains valid context. If the context record
	    // is being used to modify a threads context, then only that
	    // portion of the threads context will be modified.
	    //
	    // If the context record is used as an IN OUT parameter to capture
	    // the context of a thread, then only those portions of the thread's
	    // context corresponding to set flags will be returned.
	    //
	    // The context record is never used as an OUT only parameter.
	    //

	    DWORD ContextFlags;

	    //
	    // This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
	    // set in ContextFlags.  Note that CONTEXT_DEBUG_REGISTERS is NOT
	    // included in CONTEXT_FULL.
	    //

	    DWORD   Dr0;
	    DWORD   Dr1;
	    DWORD   Dr2;
	    DWORD   Dr3;
	    DWORD   Dr6;
	    DWORD   Dr7;

	    //
	    // This section is specified/returned if the
	    // ContextFlags word contains the flag CONTEXT_FLOATING_POINT.
	    //

	    FLOATING_SAVE_AREA FloatSave;

	    //
	    // This section is specified/returned if the
	    // ContextFlags word contains the flag CONTEXT_SEGMENTS.
	    //

	    DWORD   SegGs;
	    DWORD   SegFs;
	    DWORD   SegEs;
	    DWORD   SegDs;

	    //
	    // This section is specified/returned if the
	    // ContextFlags word contains the flag CONTEXT_INTEGER.
	    //

	    DWORD   Edi;
	    DWORD   Esi;
	    DWORD   Ebx;
	    DWORD   Edx;
	    DWORD   Ecx;
	    DWORD   Eax;

	    //
	    // This section is specified/returned if the
	    // ContextFlags word contains the flag CONTEXT_CONTROL.
	    //

	    DWORD   Ebp;
	    DWORD   Eip;
	    DWORD   SegCs;              // MUST BE SANITIZED
	    DWORD   EFlags;             // MUST BE SANITIZED
	    DWORD   Esp;
	    DWORD   SegSs;

	    //
	    // This section is specified/returned if the ContextFlags word
	    // contains the flag CONTEXT_EXTENDED_REGISTERS.
	    // The format and contexts are processor specific
	    //

	    BYTE    ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];

	} CONTEXT;
					
					
	获取线程CONTEXT结构:				
					
	//挂起线程				
	SuspendThread(线程句柄);				
					
	CONTEXT context;
					
	//设置要获取的类型				
					
	context.ContextFlags = CONTEXT_CONTROL;				
					
	//获取				
					
	BOOL ok = ::GetThreadContext(hThread,&context);				
					
	//设置				
					
	context.Eip = 0x401000;		//修改下次执行的地址		
					
	SetThreadContext(hThread,&context);				
					
![image](https://img2023.cnblogs.com/blog/3001071/202302/3001071-20230224122406132-1628217277.png)

线程风险
	代码:					
						
	这个代码有什么安全隐患?什么原因导致的?					
						
	#include<stdio.h>
#include<Windows.h>

// Shared counter that both worker threads bump with a plain `sum++`, i.e. an
// unsynchronised read-modify-write with no lock or Interlocked call.  That is
// the hazard this listing illustrates: increments from the two threads can
// interleave and be lost, so the value main() prints is not reliably the
// 200001 (100000 + 100001) that the two loops would produce sequentially.
int sum = 0;
DWORD WINAPI ThreadProc(
	LPVOID lpParameter   // thread data (unused)
)
{
	// Bump the shared global `sum` 100000 times.  Each increment is a plain
	// read-modify-write with no synchronisation, so while ThreadProc2 runs
	// concurrently some increments can be lost.  That is the defect the
	// listing is meant to show; the fix would be InterlockedIncrement on
	// `sum` (or a lock around the update), deliberately not applied here.
	for (int step = 0; step < 100000; ++step)
	{
		++sum;
	}

	return 0;
}

DWORD WINAPI ThreadProc2(
	LPVOID lpParameter   // thread data (unused)
)
{
	// Same unsynchronised increment loop as ThreadProc, on the same global;
	// the two threads race on `sum` and increments can be lost.
	int remaining = 100000;
	while (remaining-- > 0)
	{
		++sum;
	}

	// One extra increment after the loop, so this thread contributes 100001
	// in total rather than 100000 (presumably a slip in the original; kept
	// as is so the behaviour is unchanged).
	++sum;

	return 0;
}

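int main()
{
	// Start the two workers that race on the global `sum`.
	HANDLE hThread = ::CreateThread(NULL, 0, ThreadProc,
		NULL, 0, NULL);
	HANDLE pq = ::CreateThread(NULL, 0, ThreadProc2,
		NULL, 0, NULL);
	if (hThread == NULL || pq == NULL)
	{
		// Without both workers there is nothing to demonstrate; report and stop.
		printf("CreateThread failed: %lu\n", GetLastError());
		if (hThread != NULL) ::CloseHandle(hThread);
		if (pq != NULL) ::CloseHandle(pq);
		return 1;
	}

	// The handles are not referenced anywhere else, so release them now.
	// Closing a handle does not stop the thread it refers to.
	::CloseHandle(hThread);
	::CloseHandle(pq);

	// Sample the counter every half second, forever (the loop is the demo;
	// the process is ended by the user).  Because the workers increment
	// `sum` without synchronisation, the value it settles on is not reliably
	// 200001 -- lost increments are the hazard this listing shows.
	while (1)
	{
		Sleep(500);
		printf("%d\n", sum);
	}

	return 0;
}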

image

详解查看下一章
