#define _X86_
#include "ntddk.h"
#include <stdio.h>
#include <stdlib.h>
#include "undocnt.h"
/* Handle of the thread that every Info* routine below queries or modifies.
 * Nothing in this part of the file assigns it; presumably the driver code
 * further down opens/creates the thread and stores the handle here -- TODO
 * confirm. The set-class routines need the corresponding THREAD_* access
 * rights on this handle, otherwise NtSetInformationThread fails. */
HANDLE ghThread;
/*
 * Query the ThreadBasicInformation class for ghThread and dump each field.
 *
 * This class is read-only: there is no NtSetInformationThread counterpart.
 * Every field is printed with %x, which only matches the field widths on a
 * 32-bit build (the file defines _X86_); on a wider target the pointer and
 * handle sized members would be truncated in the output.
 */
void InfoThreadBasicInformation()
{
    THREAD_BASIC_INFORMATION info;
    NTSTATUS status = NtQueryInformationThread(ghThread,
                                               ThreadBasicInformation,
                                               &info,
                                               sizeof(info),
                                               NULL);

    if (status != STATUS_SUCCESS) {
        printf("NtQueryInformationThread failed with infoclass 'ThreadBasicInformation', rc=%x\n", status);
    } else {
        printf("ThreadBasicInfoBuffer.ExitStatus = %x\n", info.ExitStatus);
        printf("ThreadBasicInfoBuffer.TebBaseAddress = %x\n", info.TebBaseAddress);
        printf("ThreadBasicInfoBuffer.UniqueProcessId = %x\n", info.UniqueProcessId);
        printf("ThreadBasicInfoBuffer.UniqueThreadId = %x\n", info.UniqueThreadId);
        printf("ThreadBasicInfoBuffer.AffinityMask = %x\n", info.AffinityMask);
        printf("ThreadBasicInfoBuffer.BasePriority = %x\n", info.BasePriority);
        printf("ThreadBasicInfoBuffer.DiffProcessPriority = %x\n", info.DiffProcessPriority);
    }

    /* Blank separator line, emitted on both the success and failure path. */
    printf("\n");
}
/*
 * Query the ThreadTimes class for ghThread and print the four timestamps.
 *
 * Read-only class (no set counterpart). CreateTime is additionally run
 * through RtlSystemTimeToLocalTime/RtlTimeToTimeFields so it is shown both
 * as the raw 64-bit value and as a local calendar date. The other three
 * values are printed raw only.
 */
void InfoThreadTimes()
{
    KERNEL_USER_TIMES times;
    NTSTATUS status = NtQueryInformationThread(ghThread,
                                               ThreadTimes,
                                               &times,
                                               sizeof(times),
                                               NULL);

    if (status == STATUS_SUCCESS) {
        LARGE_INTEGER localCreate;
        TIME_FIELDS fields;

        /* CreateTime is treated as system time here and converted to the
         * local zone before being split into day/month/year fields. */
        printf("KernelUserTimesInfo.CreateTime = %I64x ", times.CreateTime.QuadPart);
        RtlSystemTimeToLocalTime(&times.CreateTime, &localCreate);
        RtlTimeToTimeFields(&localCreate, &fields);
        printf("%02d-%02d-%04d, %02d-%02d-%02d\n", fields.Day, fields.Month, fields.Year,
               fields.Hour, fields.Minute, fields.Second);

        printf("KernelUserTimesInfo.ExitTime = %I64x\n", times.ExitTime.QuadPart);
        printf("KernelUserTimesInfo.KernelTime = %I64x\n", times.KernelTime.QuadPart);
        printf("KernelUserTimesInfo.UserTime = %I64x\n", times.UserTime.QuadPart);
    } else {
        printf("NtQueryInformationThread failed with infoclass 'ThreadTimes', rc=%x\n", status);
    }

    /* Blank separator line on both paths. */
    printf("\n");
}
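/*
 * Set ghThread's priority to LOW_REALTIME_PRIORITY via the ThreadPriority
 * information class.
 *
 * Write-only class (no query counterpart). Note that this moves the thread
 * into the real-time priority range, which can starve everything else on the
 * machine; the call presumably needs the caller to hold the appropriate
 * increase-priority privilege and THREAD_SET_INFORMATION on ghThread --
 * confirm against the target kernel. The failure message names the API
 * actually called (NtSetInformationThread).
 */
void InfoThreadPriority()
{
    /* No get method for this information class */
    THREAD_PRIORITY ThreadPriorityBuffer;
    NTSTATUS rc;

    ThreadPriorityBuffer.Priority = LOW_REALTIME_PRIORITY;
    rc = NtSetInformationThread(ghThread,
                                ThreadPriority,
                                &ThreadPriorityBuffer,
                                sizeof(ThreadPriorityBuffer));
    if (rc == STATUS_SUCCESS) {
        printf("Thread priority set to LOW_REALTIME_PRIORITY\n");
    } else {
        printf("NtSetInformationThread failed with infoclass 'ThreadPriority', rc=%x\n", rc);
    }
}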
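/*
 * Raise ghThread's base priority by one via the ThreadBasePriority
 * information class.
 *
 * Write-only class (no query counterpart). IncBasePriority is a delta, not
 * an absolute value. The failure message names the API actually called
 * (NtSetInformationThread).
 */
void InfoThreadBasePriority()
{
    /* No get method for this information class */
    THREAD_BASE_PRIORITY ThreadBasePriorityBuffer;
    NTSTATUS rc;

    ThreadBasePriorityBuffer.IncBasePriority = 1;
    rc = NtSetInformationThread(ghThread,
                                ThreadBasePriority,
                                &ThreadBasePriorityBuffer,
                                sizeof(ThreadBasePriorityBuffer));
    if (rc == STATUS_SUCCESS) {
        printf("Thread base priority incremented by 1\n");
    } else {
        printf("NtSetInformationThread failed with infoclass 'ThreadBasePriority', rc=%x\n", rc);
    }
}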
/*
 * Pin ghThread to the first processor via the ThreadAffinityMask class.
 *
 * Write-only class (no query counterpart; the current mask can be read with
 * ThreadBasicInformation instead). The mask 0x01 has only bit 0 set, i.e.
 * processor 0. The kernel rejects a mask that is not a subset of the owning
 * process's affinity, which then shows up as a non-success rc.
 */
void InfoThreadAffinityMask()
{
    THREADAFFINITYMASKINFO maskInfo;
    NTSTATUS status;

    maskInfo.ThreadAffinityMask = 0x01;
    status = NtSetInformationThread(ghThread,
                                    ThreadAffinityMask,
                                    &maskInfo,
                                    sizeof(maskInfo));

    if (status != STATUS_SUCCESS) {
        printf("NtSetInformationThread failed with infoclass 'ThreadAffinityMask', rc=%x\n", status);
        return;
    }
    printf("AffinityMask set for the Thread\n");
}
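/*
 * Make ghThread impersonate the current process's own identity, then revert.
 *
 * Steps: open the process's primary token, duplicate it as an impersonation
 * token, assign the duplicate to ghThread through the ThreadImpersonationToken
 * class, then assign a NULL handle to remove it again.
 *
 * Write-only class (no query counterpart). Handle hygiene: the primary token
 * handle is only needed as the duplication source and is closed as soon as
 * NtDuplicateToken returns; the impersonation handle is closed right after
 * the assignment attempt, on success and failure alike -- once the set call
 * succeeds the thread holds its own reference to the token object, so the
 * revert below works with the handle already closed.
 *
 * Least-privilege note: MAXIMUM_ALLOWED is convenient for a demo, but code
 * that ships should ask only for what it uses (TOKEN_DUPLICATE on the source,
 * TOKEN_IMPERSONATE | TOKEN_QUERY on the duplicate). No SECURITY_QUALITY_OF_
 * SERVICE is supplied to NtDuplicateToken (ObjectAttributes is NULL), so the
 * duplicate's impersonation level is whatever the kernel defaults to -- confirm
 * if a specific level matters. Assigning a token to another thread requires
 * THREAD_SET_THREAD_TOKEN on ghThread.
 */
void InfoThreadImpersonationToken()
{
    /* No get method for this information class*/
    NTSTATUS rc;
    HANDLE hToken = NULL;
    HANDLE hImpersonationToken = NULL;

    rc = NtOpenProcessToken(NtCurrentProcess(),
                            MAXIMUM_ALLOWED,
                            &hToken);
    if (rc != STATUS_SUCCESS) {
        printf("Unable to open process token, rc=%x\n", rc);
        return;
    }

    rc = NtDuplicateToken(hToken,
                          MAXIMUM_ALLOWED,
                          NULL,
                          FALSE,
                          TokenImpersonation,
                          &hImpersonationToken);
    /* The primary token was only needed as the duplication source. */
    NtClose(hToken);
    hToken = NULL;
    if (rc != STATUS_SUCCESS) {
        printf("Unable to duplicate process token, rc=%x\n", rc);
        return;
    }

    rc = NtSetInformationThread(ghThread,
                                ThreadImpersonationToken,
                                &hImpersonationToken,
                                sizeof(hImpersonationToken));
    /* Release the handle regardless of outcome; the thread keeps its own
     * reference to the token object when the assignment succeeded. */
    NtClose(hImpersonationToken);
    hImpersonationToken = NULL;
    if (rc != STATUS_SUCCESS) {
        printf("NtSetInformationThread failed with infoclass 'ThreadImpersonationToken', rc=%x\n", rc);
        return;
    }
    printf("ImpersonationToken set for the Thread\n");

    /* Now reverting back to original token: a NULL handle removes the
     * impersonation token from the thread. */
    rc = NtSetInformationThread(ghThread,
                                ThreadImpersonationToken,
                                &hImpersonationToken,
                                sizeof(hImpersonationToken));
    if (rc == STATUS_SUCCESS) {
        printf("ImpersonationToken reverted to self\n");
    } else {
        printf("NtSetInformationThread failed with infoclass 'ThreadImpersonationToken', rc=%x\n", rc);
    }
}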
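/*
 * Look up the descriptor for selector 0x8 through ghThread and print the
 * segment base and limit it describes.
 *
 * Read-only class (no set counterpart). The caller fills in Selector and the
 * kernel fills in Descriptor. Selector 0x8 is the first GDT slot with RPL 0;
 * on NT's x86 layout that is customarily the ring-0 code segment -- confirm
 * against the target build. The 32-bit base is scattered over BaseLow,
 * BaseMid and BaseHi, the limit over LimitLow and LimitHi, and both are
 * reassembled here. The descriptor's granularity bit is NOT applied, so for
 * a page-granular segment the printed limit is in 4K units rather than bytes.
 *
 * Changes from the earlier version: rc is an NTSTATUS like every sibling
 * routine (it was a plain int), and the buffer is zeroed with an initializer
 * instead of memset, which removes the unstated dependency on <string.h>.
 */
void InfoThreadDescriptorTableEntry()
{
    /* No set method for this information class*/
    DESCRIPTOR_TABLE_ENTRY DescriptorTableEntryBuffer = {0};
    NTSTATUS rc;

    DescriptorTableEntryBuffer.Selector = 0x8;
    rc = NtQueryInformationThread(ghThread,
                                  ThreadDescriptorTableEntry,
                                  &DescriptorTableEntryBuffer,
                                  sizeof(DescriptorTableEntryBuffer),
                                  NULL);
    if (rc == STATUS_SUCCESS) {
        ULONG Base, Limit;

        /* Base: BaseHi (bits 31..24) | BaseMid (23..16) | BaseLow (15..0). */
        Base = ((ULONG)DescriptorTableEntryBuffer.Descriptor.HighWord.Bits.BaseHi) << 24;
        Base |= ((ULONG)DescriptorTableEntryBuffer.Descriptor.HighWord.Bits.BaseMid) << 16;
        Base |= ((ULONG)DescriptorTableEntryBuffer.Descriptor.BaseLow);

        /* Limit: LimitHi (bits 19..16) | LimitLow (15..0); granularity ignored. */
        Limit = ((ULONG)DescriptorTableEntryBuffer.Descriptor.HighWord.Bits.LimitHi) << 16;
        Limit |= ((ULONG)DescriptorTableEntryBuffer.Descriptor.LimitLow);

        printf("DescriptorTableEntryBuffer.Selector = %x\n", DescriptorTableEntryBuffer.Selector);
        printf("DescriptorTableEntryBuffer.Descriptor.Base = %x\n", Base);
        printf("DescriptorTableEntryBuffer.Descriptor.Limit = %x\n", Limit);
    } else {
        printf("NtQueryInformationThread failed with infoclass 'ThreadDescriptorTableEntry', rc=%x\n", rc);
    }
}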
/*
 * Turn on alignment-fault fix-up for ghThread via the
 * ThreadEnableAlignmentFaultFixup class.
 *
 * Write-only class (no query counterpart). The original author observed no
 * visible effect on x86, which is consistent with x86 not faulting on
 * misaligned data accesses by default; the class matters on architectures
 * that do. The function name's spelling ("Allignment") is part of its public
 * interface and is kept as is.
 */
void InfoAllignmentFaultFixup()
{
    ALLIGNMENTFAULTFIXUPINFO fixupInfo;
    NTSTATUS status;

    fixupInfo.bEnableAllignmentFaultFixup = TRUE;
    status = NtSetInformationThread(ghThread,
                                    ThreadEnableAlignmentFaultFixup,
                                    &fixupInfo,
                                    sizeof(fixupInfo));

    if (status != STATUS_SUCCESS) {
        printf("NtSetInformationThread failed with infoclass 'ThreadEnableAlignmentFaultFixup', rc=%x\n", status);
        return;
    }
    printf("AlignmentFaultfixup enabled\n");
}
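/*
 * Create a named event pair and associate it with ghThread via the
 * ThreadEventPair class.
 *
 * Write-only class (no query counterpart). The event pair is created under the
 * fixed name \MyEventPair in the root of the object namespace. Two things a
 * reader should know about that: creating objects in the root directory needs
 * more privilege than creating them under a per-session directory, and a fixed
 * well-known name can be pre-created by another process (name squatting), in
 * which case NtCreateEventPair fails and this routine just reports the status.
 *
 * The handle returned by NtCreateEventPair is closed before returning on every
 * path. The association with the thread is by object reference made by the
 * kernel during NtSetInformationThread, not by this handle, so closing it does
 * not undo the assignment -- confirm if the handle is ever needed later.
 */
void InfoThreadEventPair()
{
    /* No get method for this information class */
    HANDLE hEventPair = NULL;
    NTSTATUS rc;
    OBJECT_ATTRIBUTES ObjectAttr;
    UNICODE_STRING EventPairName;
#define EVENTPAIRNAME L"\\MyEventPair"
    EVENTPAIRINFO EventPairInfoBuffer;

    RtlInitUnicodeString(&EventPairName, EVENTPAIRNAME);
    InitializeObjectAttributes(&ObjectAttr,
                               &EventPairName,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);
    rc = NtCreateEventPair(&hEventPair,
                           STANDARD_RIGHTS_ALL,
                           &ObjectAttr);
    if (rc != STATUS_SUCCESS) {
        printf("Unable to create event pair, rc=%x\n", rc);
        return;
    }

    EventPairInfoBuffer.hEventPair = hEventPair;
    rc = NtSetInformationThread(ghThread,
                                ThreadEventPair,
                                &EventPairInfoBuffer,
                                sizeof(EventPairInfoBuffer));
    if (rc == STATUS_SUCCESS) {
        printf("EventPair for the thread set\n");
    } else {
        printf("NtSetInformationThread failed with infoclass 'ThreadEventPair', rc=%x\n", rc);
    }

    /* The handle is local to this routine; release it on both paths. */
    NtClose(hEventPair);
    hEventPair = NULL;
}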
/* Intentionally empty routine. Its address is presumably handed to the
 * ThreadQuerySetWin32StartAddress class by InfoWin32StartAddress (which
 * starts below and is cut off in this view) as a harmless replacement start
 * address -- TODO confirm against the rest of the file. */
void NewWin32StartAddress()
{
}
void InfoWin32StartAddress()
{
WIN32_START_ADDRESS Win32StartAddressBuffer;
NTSTATUS rc;
rc=NtQueryInformationThread(ghThread,
ThreadQuerySetWin32StartAddress,