标签:capture 无法 gcs 实时 解决 float 方式 active his
//挂起线程: ::SuspendThread(hThread); //恢复线程: ::ResumeThread(hThread); //终止线程: //方式一: ::ExitThread(DWORD dwExitCode); //参数中没有线程句柄,在线程函数中使用; //参数dwExitCode为线程退出码,将作为线程处理函数的返回值,用来描述线程的非正常退出 //每一个线程都有自己的堆栈,该函数终止的线程会清理堆栈; //该函数一旦调用,线程将不能再被操作,但该函数并不会释放堆中的内存,因此存在内存溢出的隐患; //方式二:线程函数返回 //线程函数执行完后会结束线程,因为是正常结束,可以自己写代码来释放堆中申请的内存; //方式三: ::TerminateThread(hThread,2); //第二个参数为线程退出码 ::WaitForSingleObject(hThread,INFINITE); //TerminateThread并不会清理堆栈,这样的好处是其它地方用堆栈中的变量时不会出问题; //判断线程是否结束 BOOL GetExitCodeThread( HANDLE hThread, LPDWORD lpExitCode ); //STILL_ACTIVE //正在运行 //参数: //hThread: 要结束的线程句柄 //dwExitCode: 指定线程的退出代码。可以通过GetExitCodeThread来查看一个线程的退出代码
typedef struct _CONTEXT { // // The flags values within this flag control the contents of // a CONTEXT record. // // If the context record is used as an input parameter, then // for each portion of the context record controlled by a flag // whose value is set, it is assumed that that portion of the // context record contains valid context. If the context record // is being used to modify a threads context, then only that // portion of the threads context will be modified. // // If the context record is used as an IN OUT parameter to capture // the context of a thread, then only those portions of the thread‘s // context corresponding to set flags will be returned. // // The context record is never used as an OUT only parameter. // DWORD ContextFlags; // // This section is specified/returned if CONTEXT_DEBUG_REGISTERS is // set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT // included in CONTEXT_FULL. // DWORD Dr0; DWORD Dr1; DWORD Dr2; DWORD Dr3; DWORD Dr6; DWORD Dr7; // // This section is specified/returned if the // ContextFlags word contians the flag CONTEXT_FLOATING_POINT. // FLOATING_SAVE_AREA FloatSave; // // This section is specified/returned if the // ContextFlags word contians the flag CONTEXT_SEGMENTS. // DWORD SegGs; DWORD SegFs; DWORD SegEs; DWORD SegDs; // // This section is specified/returned if the // ContextFlags word contians the flag CONTEXT_INTEGER. // DWORD Edi; DWORD Esi; DWORD Ebx; DWORD Edx; DWORD Ecx; DWORD Eax; // // This section is specified/returned if the // ContextFlags word contians the flag CONTEXT_CONTROL. // DWORD Ebp; DWORD Eip; DWORD SegCs; // MUST BE SANITIZED DWORD EFlags; // MUST BE SANITIZED DWORD Esp; DWORD SegSs; // // This section is specified/returned if the ContextFlags word // contains the flag CONTEXT_EXTENDED_REGISTERS. // The format and contexts are processor specific // BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION]; } CONTEXT; 进程就是程序的4GB空间,线程就是EIP; 当一个线程切换时,为了再次执行时能接着执行,会将寄存器的信息保存context结构中; 如何获取context结构中的值: 例如:获取context中的eip //挂起线程;不挂起获取的值不准确 SuspendThread(线程句柄); CONTEXT context; //设置要获取的类型 context.ContextFlags = CONTEXT_CONTROL; //获取 BOOL ok = ::GetThreadContext(hThread,&context); //设置 context.Eip = 0x401000; SetThreadContext(hThread,&context);
标签:capture 无法 gcs 实时 解决 float 方式 active his
原文地址:https://www.cnblogs.com/ShiningArmor/p/12101363.html
