通过线程ID,获得这个线程的模块名,这个线程的起始地址,
 不知道该怎么做,,希望高手多多指教!

解决方案 »

  1.   

     举个例子最好哈,要delphi代码更好了~~
      

  2.   

僵哥(不需要告诉别人你是否初学,求怜不如思进取)   我已经在网上找到了所想要的, 链接: http://www.jm-m.cn/html/366.html 但那段代码是 C 的,我翻译成 Delphi 后还是很多错,所以才发了这个帖子。线程或许和 DLL 没有关系,但 DLL 都和线程有关系~ 我想得到的是线程的起始地址,能不能得到相关模块名不重要....  还请各位大侠帮帮忙~!
      

  3.   

听说过读取进程的基地址,也听说过读取模块的基地址,但从来没有听说过线程有"基地址"(线程有的是起始地址,见下面的回复).如果是想得到模块的基地址,可以 uses psapi,然后调用 EnumProcessModules.
      

  4.   

      C那个代码确实实现了我想做的...我想要个delphi版的..
     不是进程基地址,也不是模块基地址,我想要线程起始地址...
      

  5.   

    线程起始地址就是那个函数、过程的入口地址,用@func就得到它的指针,指针就是地址
      

  6.   

    CreateThread的第三个参数
不过我应该是误解你的意思了,刚才查来查去,发现 ntdll 导出了一个未正式公开的函数 ZwQueryInformationThread(信息类 ThreadQuerySetWin32StartAddress 查的就是线程起始地址),不知道怎么用
      

  7.   

ZwQueryInformationThread 我查两天了 哈哈! 正准备单独开个帖子问 ZwQueryInformationThread~~~我用这函数,返回值一直都是 0(其实 0 就是 STATUS_SUCCESS,表示调用成功;起始地址是写进传入的缓冲区的,不是作为返回值返回的),头都大了!
      

  8.   

    uses
      PSAPI,Tlhelp32;
    type
      _THREADINFOCLASS   = (
              ThreadBasicInformation,   
              ThreadTimes,   
              ThreadPriority,   
              ThreadBasePriority,   
              ThreadAffinityMask,   
              ThreadImpersonationToken,
              ThreadDescriptorTableEntry,   
              ThreadEnableAlignmentFaultFixup,   
              ThreadEventPair_Reusable,   
              ThreadQuerySetWin32StartAddress,   
              ThreadZeroTlsCell,   
              ThreadPerformanceCount,   
              ThreadAmILastThread,   
              ThreadIdealProcessor,   
              ThreadPriorityBoost,   
              ThreadSetTlsArrayAddress,   
              ThreadIsIoPending,   
              ThreadHideFromDebugger,   
              ThreadBreakOnTermination,   
              MaxThreadInfoClass   
              );
      THREADINFOCLASS = _THREADINFOCLASS;  _CLIENT_ID = record
        UniqueProcess:THANDLE;
        UniqueThread:THANDLE;
      end;
      CLIENT_ID = _CLIENT_ID;
      PCLIENT_ID = ^CLIENT_ID;
        
      _THREAD_BASIC_INFORMATION = record     //   Information   Class   0
              ExitStatus: LONGINT;
              TebBaseAddress:Pointer;
              ClientId:CLIENT_ID;
              AffinityMask:LONGINT;
              Priority:LONGINT;
              BasePriority:LONGInt;
      end;
      THREAD_BASIC_INFORMATION = _THREAD_BASIC_INFORMATION;
      PTHREAD_BASIC_INFORMATION = ^_THREAD_BASIC_INFORMATION;  TZwQueryInformationThread = function   (
              ThreadHandle: THANDLE;
              ThreadInformationClass:THREADINFOCLASS;
              ThreadInformation:Pointer;
              ThreadInformationLength:LongWord;
              ReturnLength:PULONG
              ) : LongInt;stdcall;TRtlNtStatusToDosError = function (status: LongWord):LongInt;
     
    function OpenThread(
      dwDesiredAccess:DWORD;
      bInheritHandle:BOOL;
      dwThreadId:DWORD
    ):Thandle;stdcall; external kernel32 name 'OpenThread';
     var
      ZwQueryInformationThread:TZwQueryInformationThread = Nil;
      RtlNtStatusToDosError:TRtlNtStatusToDosError = Nil;function ShowThreadInfo(dwThreadID:DWORD;Memo: TStrings):LongBool;
    var
      tbi:THREAD_BASIC_INFORMATION;
      startaddr:Pointer;
      status: LongInt;
      thread,process: THandle;
      error: DWORD;
      modname: String;
    begin
      Result := false;
      thread := OpenThread($1fffff(*THREAD_ALL_ACCESS*),   FALSE,   dwThreadID);
      if Thread = 0 then Exit;  status := ZwQueryInformationThread(thread,
                              ThreadQuerySetWin32StartAddress,     
                              @startaddr,
                              sizeof(startaddr),
                              NIL);
        
      if status < 0 then
        begin
          CloseHandle(thread);
          SetLastError(RtlNtStatusToDosError(status));
          Exit;
        end;
        
      Memo.Add(Format('线程 %08x 的起始地址为 %p',[dwThreadID,startaddr]));
        
      status := ZwQueryInformationThread(thread,
                              ThreadBasicInformation,     
                              @tbi,
                              sizeof(tbi),
                              NIL);
        
      if status < 0 then
        begin
          CloseHandle(thread);
          SetLastError(RtlNtStatusToDosError(status));
          Exit;
        end;
      Memo.Add(Format('线程 %08x 所在进程ID为 %08x',[dwThreadID,LongWord(tbi.ClientId.UniqueProcess)]));  process := OpenProcess(PROCESS_ALL_ACCESS,
                              FALSE,     
                              DWORD(tbi.ClientId.UniqueProcess));
        
      if process = 0 then
        begin
          error := GetLastError;
          CloseHandle(thread);
          SetLastError(error);
          Exit;
        end;  SetLength(modname,$100);
      SetLength(modname,GetModuleFileNameEx(process,0,PChar(modname),$100));
      Memo.Add(Format('线程 %08x 所在进程映象为 %s',[dwThreadID,modname]));  SetLength(modname,$100);
      SetLength(modname,GetMappedFileName(process,
                              startaddr,
                              PChar(modname),
                              $100));
      Memo.Add(Format('线程 %08x 可执行代码所在模块为 %s',[dwThreadID,modname]));
      CloseHandle(process);
      CloseHandle(thread);
      Result := TRUE;
    end;
    procedure TForm3.Button1Click(Sender: TObject);
    var
      hNTDLL:HMODULE;
      hSnapshot: THandle;
      lpTE:THREADENTRY32;
    begin
      hNTDLL := GetModuleHandle('NTDLL');
      if hNTDLL = 0 then
        begin
          Memo1.Lines.Add('GetModuleHandle(NTDLL) failed!');
          Exit;
        end;
      ZwQueryInformationThread := GetProcAddress(hNTDLL,'ZwQueryInformationThread');
      RtlNtStatusToDosError :=  GetProcAddress(hNTDLL,'RtlNtStatusToDosError');
      hSnapshot := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);
      lpTE.dwSize := sizeof(lpTE);
      if Thread32First(hSnapshot,lpTE) then
        begin
          Memo1.Lines.BeginUpdate;
          try
            Repeat
              if Not ShowThreadInfo(lpTE.th32ThreadID,Memo1.Lines) then
                Memo1.Lines.Add(Format('无法获得线程 %08x 的相关信息,错误代码为 %d',[lpTE.th32ThreadID,GetLastError]));
            Until Not Thread32Next(hSnapshot,lpTE);
          finally
            Memo1.Lines.EndUpdate;
          end;
        end;
      CloseHandle(hSnapshot);
    end;
      

  9.   

http://topic.csdn.net/u/20081103/19/a5bac985-449b-4be1-9dcc-f5ac26311bef.html?seed=237798463  代码有点问题~~,报错误代码 5 (ERROR_ACCESS_DENIED,访问被拒绝)。我把输出写在那个帖子里了..错在哪里了呢..
      

  10.   

我测试的环境是 Windows 2003 SP2 + Administrator(注意下面的输出里,Project1.exe 自己(进程 1594)有两个线程的代码位于 Kingsoft PowerWord 的 CBSText.dll 中,应该是词霸注入的取词钩子 DLL 创建的线程——按线程起始地址定位模块,用处正在于发现这类线程)
    ...
    线程     12D4 的起始地址为 448F1C1D
    线程     12D4 所在进程ID为     137C
    线程     12D4 所在进程映象为 C:\Program Files\Internet Explorer\iexplore.exe
    线程     12D4 可执行代码所在模块为 \Device\HarddiskVolume1\WINDOWS\system32\dxtrans.dll
    线程     13E8 的起始地址为 0045A71C
    线程     13E8 所在进程ID为     1594
    线程     13E8 所在进程映象为 C:\Documents and Settings\Administrator\My Documents\RAD Studio\Projects\Project1.exe
    线程     13E8 可执行代码所在模块为 \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\RAD Studio\Projects\Project1.exe
    线程      95C 的起始地址为 7C93E1FA
    线程      95C 所在进程ID为     1594
    线程      95C 所在进程映象为 C:\Documents and Settings\Administrator\My Documents\RAD Studio\Projects\Project1.exe
    线程      95C 可执行代码所在模块为 \Device\HarddiskVolume1\WINDOWS\system32\ntdll.dll
    线程     15FC 的起始地址为 10003F71
    线程     15FC 所在进程ID为     1594
    线程     15FC 所在进程映象为 C:\Documents and Settings\Administrator\My Documents\RAD Studio\Projects\Project1.exe
    线程     15FC 可执行代码所在模块为 \Device\HarddiskVolume2\Program Files\Kingsoft\PowerWord Lite\CBSText.dll
    线程      3E4 的起始地址为 10003F71
    线程      3E4 所在进程ID为     1594
    线程      3E4 所在进程映象为 C:\Documents and Settings\Administrator\My Documents\RAD Studio\Projects\Project1.exe
    线程      3E4 可执行代码所在模块为 \Device\HarddiskVolume2\Program Files\Kingsoft\PowerWord Lite\CBSText.dll
      

  11.   

    ... 不清楚了,我测试的环境是 XP SP2。
       我电脑一直有毒,但是 C 盘东西太多太乱太重要,还不能重装系统,等以后吧~~~   我提权(应该是启用了 SeDebugPrivilege 这类调试特权)之后就好使了!错误 5 就是访问被拒绝:用 THREAD_ALL_ACCESS / PROCESS_ALL_ACCESS 去打开其他用户或系统进程的线程,本来就会被拒,只申请查询权限会好很多。