Владелец Thread-а Найти похожие ветки
Ученик © (2002-09-03 18:36) [0]Есть идентификатор thread-а, можно вызвать OpenThread (Windows 2000), есть ли простой способ узнать откуда этот Thread (из какого процесса) ?
MBo © (2002-09-04 07:05) [1]знаю только способ с CreateToolhelp32Snapshot и THREADENTRY32.th32OwnerProcessID
Ученик © (2002-09-04 08:30) [2]>MBo © (04.09.02 07:05)
Спасибо, но это всё-таки перебор, как и вариант через NtQuerySystemInformation. Может быть, у кого-нибудь найдётся способ определять процесс-владелец так же, как, например, определяется пользователь, запустивший процесс, или что-нибудь недокументированное?
Ученик © (2002-09-04 13:11) [3]>Ученик © (03.09.02 18:36)
const
  { Thread-object access rights, passed as dwDesiredAccess to OpenThread.
    Only THREAD_QUERY_INFORMATION is used by the code on this page; request
    the narrowest right that the following calls actually need. }
  THREAD_TERMINATE            = $0001;
  THREAD_SUSPEND_RESUME       = $0002;
  THREAD_GET_CONTEXT          = $0008;
  THREAD_SET_CONTEXT          = $0010;
  THREAD_SET_INFORMATION      = $0020;
  THREAD_QUERY_INFORMATION    = $0040;
  THREAD_SET_THREAD_TOKEN     = $0080;
  THREAD_IMPERSONATE          = $0100;
  THREAD_DIRECT_IMPERSONATION = $0200;
type
  { Status code returned by the ntdll call; the code on this page treats 0 as success. }
  NTSTATUS = DWORD;

  { Output buffer for NtQueryInformationThread with information class 0.
    NOTE(review): apart from the Pointer, every field is 4 bytes wide and the
    record is packed, so this layout only fits a 32-bit target. The native
    structure uses pointer-sized id and affinity fields - confirm the layout
    before compiling for Win64. }
  TThreadBasicInformation = packed record
    ExitStatus          : NTSTATUS;
    TebBaseAddress      : Pointer;
    UniqueProcessId     : ULONG;   // id of the process that owns the thread
    UniqueThreadId      : ULONG;
    AffinityMask        : ULONG;
    BasePriority        : ULONG;
    DiffProcessPriority : ULONG;
  end;
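{ Static binding for the OpenThread export of kernel32.dll.
  The library name is a Pascal string literal, so it is written with
  apostrophes; the double quotes in the posted listing do not compile.
  The caller on this page treats a zero handle as failure and releases a
  non-zero handle with CloseHandle. }
function OpenThread(dwDesiredAccess : DWORD;  // access right
                    bInheritHandle  : BOOL;   // handle inheritance option
                    dwThreadId      : DWORD)  // thread identifier
                    : THandle; stdcall; external 'kernel32.dll';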
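{ Static binding for the NtQueryInformationThread export of ntdll.dll.
  The library name is written with apostrophes; the double quotes in the
  posted listing are not valid Pascal string delimiters.
  The caller on this page passes information class 0 with a
  TThreadBasicInformation buffer and treats a return value of 0 as success.
  NOTE(review): this is a native-API entry point rather than a Win32 one, so
  its availability and structure layouts should be confirmed per OS version. }
function NtQueryInformationThread(hThread                : THandle;
                                  ThreadInfoClass        : DWord{TThreadInfoClass};
                                  ThreadInfoBuffer       : Pointer;
                                  ThreadInfoBufferLength : DWord;
                                  pdwBytesReturned       : PDWord) : NTSTATUS; stdcall; external 'ntdll.dll';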
{ Returns the id of the process that owns the thread aThreadID, or 0 when the
  thread cannot be opened or queried.

  The thread is opened with THREAD_QUERY_INFORMATION only, so the call fails
  (and 0 is returned) for threads the caller is not allowed to query.
  NOTE(review): a thread id can be reused once its thread has exited, so an id
  captured earlier may already name a different thread by the time it is
  opened here - treat the result as valid only for the moment of the call. }
function GetThreadProcessID(aThreadID : DWord) : DWord;
var
  ThreadHandle : THandle;
  BasicInfo    : TThreadBasicInformation;
  ReturnedLen  : DWord;
begin
  Result := 0;
  ThreadHandle := OpenThread(THREAD_QUERY_INFORMATION, False, aThreadID);
  if ThreadHandle = 0 then
    Exit;
  try
    // Information class 0 fills a TThreadBasicInformation record; status 0 means success.
    if NtQueryInformationThread(ThreadHandle, 0, @BasicInfo, SizeOf(BasicInfo), @ReturnedLen) = 0 then
      Result := BasicInfo.UniqueProcessId;
  finally
    // The handle is released on every path once it has been opened.
    CloseHandle(ThreadHandle);
  end;
end;
Ученик © (2002-09-06 09:08) [4]Название модуля-владельца Thread-а
type
  { Information classes accepted by NtQueryInformationThread; the ordinal of
    each member is the value passed to the call. The code on this page uses
    ThreadBasicInformation (0) and ThreadQuerySetWin32StartAddress (9).
    NOTE(review): Delphi stores small enumerations in one byte by default,
    while the native parameter is a 32-bit value - confirm the enum size
    setting ($Z4 / $MINENUMSIZE 4) if a variable rather than a constant is
    ever passed. }
  TThreadInfoClass = (
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair_Reusable,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,
    MaxThreadInfoClass
  );

  { Status code returned by the ntdll call; the code on this page treats 0 as success. }
  NTSTATUS = DWORD;

  { Output buffer for the ThreadBasicInformation class.
    NOTE(review): apart from the Pointer, every field is 4 bytes wide and the
    record is packed, so this layout only fits a 32-bit target - confirm the
    layout before compiling for Win64. }
  TThreadBasicInformation = packed record
    ExitStatus          : NTSTATUS;
    TebBaseAddress      : Pointer;
    UniqueProcessId     : ULONG;   // id of the process that owns the thread
    UniqueThreadId      : ULONG;
    AffinityMask        : ULONG;
    BasePriority        : ULONG;
    DiffProcessPriority : ULONG;
  end;
const
  { Access right requested from OpenThread; it is the only right the thread
    queries on this page ask for. }
  THREAD_QUERY_INFORMATION = $0040;
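{ Static binding for the OpenThread export of kernel32.dll.
  The library name is a Pascal string literal, so it is written with
  apostrophes; the double quotes in the posted listing do not compile.
  The caller on this page treats a zero handle as failure and releases a
  non-zero handle with CloseHandle. }
function OpenThread(dwDesiredAccess : DWORD;  // access right
                    bInheritHandle  : BOOL;   // handle inheritance option
                    dwThreadId      : DWORD)  // thread identifier
                    : THandle; stdcall; external 'kernel32.dll';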
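{ Static binding for the NtQueryInformationThread export of ntdll.dll.
  The library name is written with apostrophes; the double quotes in the
  posted listing are not valid Pascal string delimiters.
  The caller on this page treats a return value of 0 as success.
  NOTE(review): ThreadInfoClass is declared as a Delphi enumeration, which is
  one byte wide by default, whereas the native parameter is a 32-bit value;
  confirm the enum size setting before passing anything but a constant.
  This is a native-API entry point, so availability and structure layouts
  should be confirmed per OS version. }
function NtQueryInformationThread(hThread                : THandle;
                                  ThreadInfoClass        : TThreadInfoClass;
                                  ThreadInfoBuffer       : Pointer;
                                  ThreadInfoBufferLength : DWord;
                                  pdwBytesReturned       : PDWord) : NTSTATUS; stdcall; external 'ntdll.dll';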
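{ Static binding for the ANSI export GetModuleFileNameExA of psapi.dll.
  Library and export names are written with apostrophes; the double quotes in
  the posted listing are not valid Pascal string delimiters.
  nSize is the buffer capacity in characters; the caller on this page treats a
  zero return value as failure.
  NOTE(review): lpFilename is declared as PChar, which matches the ANSI export
  only where Char is a single byte - confirm for the target compiler. }
function GetModuleFileNameEx(hProcess   : THandle;
                             hModule    : HMODULE;
                             lpFilename : PChar;
                             nSize      : DWORD) : DWORD; stdcall;
                             external 'psapi.dll' name 'GetModuleFileNameExA';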
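{ Looks up the file name of the module that contains the Win32 start address
  of the thread aThreadID.

  Returns True and sets ModuleName on success. Returns False with an empty
  ModuleName when the thread or its process cannot be opened, when either
  query fails, when the start address is not in committed memory, or when no
  module name can be obtained for the region's allocation base.

  Access requested: THREAD_QUERY_INFORMATION on the thread, and
  PROCESS_VM_READ plus PROCESS_QUERY_INFORMATION on the owning process.

  NOTE(review): the start address is a value reported by the system for the
  thread, not evidence of what the thread is executing now; treat the module
  name as a hint. When this is used for triage, a False result for a committed
  region is worth recording, since it presumably means the start address lies
  outside any loaded module. }
function ThreadModuleName(aThreadID : DWord; var ModuleName : string) : Boolean;
var
  hProcess, hThread : THandle;
  dwSize       : DWord;
  NameLen      : DWord;
  MemInfo      : TMemoryBasicInformation;
  TBI          : TThreadBasicInformation;
  StartAddress : Pointer;
  szModuleName : array[0..MAX_PATH] of Char;
begin
  Result := False;
  // Pascal string literals use apostrophes; the posted "" does not compile.
  ModuleName := '';
  hThread := OpenThread(THREAD_QUERY_INFORMATION, False, aThreadID);
  if hThread <> 0 then
  try
    // Both queries must succeed (status 0): owner process id, then start address.
    if (NtQueryInformationThread(hThread, ThreadBasicInformation, @TBI, SizeOf(TBI), @dwSize) = 0) and
       (NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, @StartAddress, SizeOf(StartAddress), @dwSize) = 0) then
    begin
      hProcess := OpenProcess(PROCESS_VM_READ or PROCESS_QUERY_INFORMATION, False, TBI.UniqueProcessId);
      if hProcess <> 0 then
      try
        if VirtualQueryEx(hProcess, StartAddress, MemInfo, SizeOf(MemInfo)) > 0 then
        begin
          if MemInfo.State = MEM_COMMIT then
          begin
            // The allocation base of the region is used as the module handle.
            NameLen := GetModuleFileNameEx(hProcess, THandle(MemInfo.AllocationBase), szModuleName, MAX_PATH);
            if NameLen > 0 then
            begin
              // Copy by the returned length instead of scanning for a
              // terminator, and never read past the capacity that was passed.
              if NameLen > MAX_PATH then
                NameLen := MAX_PATH;
              SetString(ModuleName, szModuleName, NameLen);
              Result := True;
            end;
          end;
        end;
      finally
        CloseHandle(hProcess);
      end;
    end;
  finally
    CloseHandle(hThread);
  end;
end;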
P.S. Спасибо Digitman ©