假设我有以下代码可以获取进程的句柄:
pid = 1234
procHandle = win32api.OpenProcess(win32con.MAXIMUM_ALLOWED,pywintypes.FALSE,pid)我将如何列出并获取其线程的句柄?
回答1
据我所知,不存在枚举进程中的线程的公共 api。但存在 NtQuerySystemInformation 和 SystemProcessInformation 或 SystemExtendedProcessInformation - 它返回系统中所有进程和线程的列表。通过使用它,您可以通过 id 找到进程中的所有线程,不需要打开进程
NTSTATUS DumpProcessThreads(_Out_ ULONG_PTR dwProcessId)
{
NTSTATUS status;
ULONG cb = 0x10000;
do
{
status = STATUS_NO_MEMORY;
if (PVOID buf = LocalAlloc(0, cb + 0x1000))
{
if (0 <= (status = NtQuerySystemInformation(SystemExtendedProcessInformation, buf, cb, &cb)))
{
status = STATUS_INVALID_CID;
union {
PVOID pv;
PBYTE pb;
PSYSTEM_PROCESS_INFORMATION pspi;
};
pv = buf;
ULONG NextEntryOffset = 0;
do
{
pb += NextEntryOffset;
if (pspi->UniqueProcessId == (HANDLE)dwProcessId)
{
status = STATUS_SUCCESS;
if (ULONG NumberOfThreads = pspi->NumberOfThreads)
{
PSYSTEM_EXTENDED_THREAD_INFORMATION TH = pspi->TH;
do
{
DbgPrint("%p: %p(%p) [%p]\n",
TH->ClientId.UniqueThread,
TH->StartAddress,
TH->Win32StartAddress,
TH->TebAddress);
} while (TH++, --NumberOfThreads);
}
break;
}
} while (NextEntryOffset = pspi->NextEntryOffset);
}
LocalFree(buf);
}
} while (status == STATUS_INFO_LENGTH_MISMATCH);
return status;
}