滴水 2.23 win32 进程 线程 线程结构
一个程序 在硬盘中存储着 就是一堆数据 在内存中加载后 便是进程 进程拥有四GB 然后会有一个线程执行工作
3环 应用层
0环 操作系统
#include<stdio.h>
#include<Windows.h>
// Worker thread body: print "天" ten times and finish with exit code 0.
// lpParameter is the value passed to CreateThread; it is not used here.
DWORD WINAPI ThreadProc(
    LPVOID lpParameter // thread data
    )
{
    for (int round = 0; round < 10; ++round)
    {
        printf("天");
    }
    return 0;
}
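// Entry point: start one worker (ThreadProc) and print from the main thread
// at the same time, so the two outputs interleave as the scheduler decides.
int main()
{
    HANDLE hThread = ::CreateThread(NULL, 0, ThreadProc,
                                    NULL, 0, NULL);
    // The handle is never used again, so release it at once. Closing a
    // handle does not stop the thread. CreateThread returns NULL on
    // failure; the original passed that NULL straight to CloseHandle.
    if (hThread != NULL)
    {
        ::CloseHandle(hThread);
    }
    for (int i = 0; i < 10; i++)
    {
        printf("我");
    }
    // Returning from main ends the whole process, worker included, even if
    // the worker has not printed all ten characters yet.
    return 0;
}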
// IconDemo.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include "resource.h"
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <string>
#include <tchar.h>
#include "DA.h"
HANDLE hThread; // worker started by tset(); not closed anywhere in this listing
HWND UIN;       // the IDC_EDIT1 edit control, set in WM_INITDIALOG, read/written by ThreadProc
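// Worker thread body: read the integer shown in the edit control UIN,
// decrement it and write the result back. Started by tset(); lpParameter
// is unused.
//
// NOTE(review): sscanf/sprintf are narrow-char functions, so this only
// compiles when TCHAR is char (non-UNICODE build, as the narrow "1000"
// literal in MainDlgProc also assumes).
DWORD WINAPI ThreadProc(
    LPVOID lpParameter // thread data
    )
{
    // Widened from 10: "%d" of an int needs up to 11 characters plus the
    // terminator, so the old 10-byte buffer could be overrun by sprintf
    // (e.g. after decrementing "-99999999").
    TCHAR AT[32];
    memset(AT, 0, sizeof(AT));
    // Pass the real capacity so GetWindowText cannot write past the end.
    GetWindowText(UIN, AT, sizeof(AT) / sizeof(AT[0]));
    // If the control does not hold a number, sscanf leaves p untouched;
    // the original then used an uninitialized int. Treat that case as 0.
    int p = 0;
    if (sscanf(AT, "%d", &p) != 1)
    {
        p = 0;
    }
    p--;
    memset(AT, 0, sizeof(AT));
    sprintf(AT, "%d", p); // always fits in 32 characters
    SetWindowText(UIN, AT);
    return 0;
}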
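// Start a worker running ThreadProc and keep its handle in the global
// hThread so the rest of the program can control the thread.
//
// The original overwrote hThread on every call without closing the previous
// handle, leaking one kernel handle per button click. Closing a handle does
// not stop the thread; it only drops this process's reference to it.
void tset()
{
    if (hThread != NULL)
    {
        ::CloseHandle(hThread);
    }
    hThread = ::CreateThread(NULL, 0, ThreadProc,
                             NULL, 0, NULL);
    // hThread is NULL if creation failed; users of hThread must check.
}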
HINSTANCE hAppInstance; // set from WinMain's hInstance; not read elsewhere in this listing
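// Dialog procedure for IDD_DIALOG_MAIN.
//
// WM_INITDIALOG caches the IDC_EDIT1 control in the global UIN and seeds it
// with "1000"; IDC_BUTTON1_about starts the worker via tset();
// IDC_BUTTON_OUT closes the dialog. Anything else is reported as unhandled
// (FALSE) so the dialog manager applies its default processing.
// (The narrow "1000" literal only compiles in a non-UNICODE build.)
BOOL CALLBACK MainDlgProc(HWND hDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    BOOL bRet = TRUE;
    switch(uMsg)
    {
    case WM_INITDIALOG :
        {
            UIN= GetDlgItem(hDlg,IDC_EDIT1);
            SetWindowText(UIN,"1000");
            // FALSE: do not ask the dialog manager to move focus to wParam.
            return 0 ;
        }
    case WM_COMMAND:
        switch(LOWORD(wParam))
        {
        case IDC_BUTTON_OUT:
            EndDialog(hDlg,0);
            break;
        case IDC_BUTTON1_about:
            tset();
            break;
        default:
            bRet = FALSE;
            break;
        }
        break;
    default:
        bRet = FALSE;
        break;
    }
    return bRet;
}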
// Program entry: remember the module instance in hAppInstance and run the
// main dialog modally until MainDlgProc ends it. hPrevInstance, lpCmdLine
// and nCmdShow are not used.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    hAppInstance = hInstance;
    ::DialogBox(hInstance,
                MAKEINTRESOURCE(IDD_DIALOG_MAIN),
                NULL,
                MainDlgProc);
    return 0;
}
线程句柄 窗口句柄 操作系统给的 这些都是内核创建 使我们可以控制0环程序
双冒号 :: 表示全局作用域
::CloseHandle(hThread);
不代表线程挂了 代表编号没了
文本框取值:
GetWindowText(句柄,数据缓冲区,长度);
数字转字符:
sprintf(数据缓冲区,"%d",数字);
字符转数字:
sscanf( szBuffer, "%d", &dwTimer );
获取子窗口:
GetDlgItem(hDlg,IDC_EDIT_TIMER);
线程控制 线程结构 多线程
挂起线程
::SuspendThread(hThread);
恢复线程
::ResumeThread(hThread);
CreateThread---参数
DWORD dwCreationFlags, // 0 创建完毕立即调度 CREATE_SUSPENDED创建后挂起
也不是立刻调度 还是需要CPU为它分配内存
终止线程
1.::ExitThread(DWORD dwExitCode);
会清除堆栈 --
2.自然死亡
线程函数返回
if(i==3)
{
退出;
}
3.方式三
::TerminateThread(hThread,2);
::WaitForSingleObject(hThread,INFINITE);
不会清除堆栈,但是是异步调用 可能有BUG
CONTEXT:结构
当一个程序有很多线程的时候 CPU给每个线程都分配了运行时间
例如 线程1 -> 线程2 -> 线程1
必须有一个结构保存了线程1的寄存器的值
查看 结构
CONTEXT:
该结构包含了特定处理器的寄存器数据。
// 32-bit x86 layout of the thread context (the register fields below are
// the x86 Dr0-Dr7, segment, Edi..Eax and Ebp/Eip/Esp registers).
typedef struct _CONTEXT {
    //
    // The flags values within this flag control the contents of
    // a CONTEXT record.
    //
    // If the context record is used as an input parameter, then
    // for each portion of the context record controlled by a flag
    // whose value is set, it is assumed that that portion of the
    // context record contains valid context. If the context record
    // is being used to modify a threads context, then only that
    // portion of the threads context will be modified.
    //
    // If the context record is used as an IN OUT parameter to capture
    // the context of a thread, then only those portions of the thread's
    // context corresponding to set flags will be returned.
    //
    // The context record is never used as an OUT only parameter.
    //
    DWORD ContextFlags;
    //
    // This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
    // set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT
    // included in CONTEXT_FULL.
    //
    DWORD Dr0;
    DWORD Dr1;
    DWORD Dr2;
    DWORD Dr3;
    DWORD Dr6;
    DWORD Dr7;
    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_FLOATING_POINT.
    //
    FLOATING_SAVE_AREA FloatSave;
    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_SEGMENTS.
    //
    DWORD SegGs;
    DWORD SegFs;
    DWORD SegEs;
    DWORD SegDs;
    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_INTEGER.
    //
    DWORD Edi;
    DWORD Esi;
    DWORD Ebx;
    DWORD Edx;
    DWORD Ecx;
    DWORD Eax;
    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_CONTROL.
    //
    DWORD Ebp;
    DWORD Eip;
    DWORD SegCs; // MUST BE SANITIZED
    DWORD EFlags; // MUST BE SANITIZED
    DWORD Esp;
    DWORD SegSs;
    //
    // This section is specified/returned if the ContextFlags word
    // contains the flag CONTEXT_EXTENDED_REGISTERS.
    // The format and contexts are processor specific
    //
    BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];
} CONTEXT;
获取线程CONTEXT结构:
//挂起线程
SuspendThread(线程句柄);
CONTEXT context;
//设置要获取的类型
context.ContextFlags = CONTEXT_CONTROL;
//获取
BOOL ok = ::GetThreadContext(hThread,&context);
//设置
context.Eip = 0x401000; //修改下次执行的地址
SetThreadContext(hThread,&context);

代码:
这个代码有什么安全隐患?什么原因导致的?
#include<stdio.h>
#include<Windows.h>
int sum = 0; // shared counter incremented by both worker threads with no synchronization
// Worker: bump the shared global `sum` 100000 times. Each `sum++` is a plain
// read-modify-write with no synchronization against ThreadProc2, which
// increments the same variable concurrently. lpParameter is unused.
DWORD WINAPI ThreadProc(
    LPVOID lpParameter // thread data
    )
{
    for (int count = 0; count < 100000; ++count)
    {
        sum++;
    }
    return 0;
}
// Worker: bump the shared global `sum` 100000 times in the loop, then once
// more, all without synchronization against ThreadProc running alongside.
// lpParameter is unused.
DWORD WINAPI ThreadProc2(
    LPVOID lpParameter // thread data
    )
{
    for (int count = 0; count < 100000; ++count)
    {
        sum++;
    }
    sum++;
    return 0;
}
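// Entry point: start the two workers that both increment the shared global
// `sum`, then print `sum` every 500 ms forever.
int main()
{
    HANDLE hThread = ::CreateThread(NULL, 0, ThreadProc,
                                    NULL, 0, NULL);
    HANDLE pq = ::CreateThread(NULL, 0, ThreadProc2,
                               NULL, 0, NULL);
    // Neither handle is used again, so release both now (the original
    // leaked them). Closing a handle does not stop the thread; the workers
    // keep running. CreateThread returns NULL on failure, so guard the close.
    if (hThread != NULL)
    {
        ::CloseHandle(hThread);
    }
    if (pq != NULL)
    {
        ::CloseHandle(pq);
    }
    // `sum` is read here while the workers write it, with no synchronization
    // on either side. The process only ends when it is killed.
    for (;;)
    {
        Sleep(500);
        printf("%d\n", sum);
    }
    return 0; // unreachable; kept for the original signature's sake
}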
详解查看下一章
本文来自博客园,作者:逆向狗,转载请注明原文链接:https://www.cnblogs.com/Agtw/p/17149410.html