0 Basic Reverse Engineering 34_win32_08_ threading Control _context structure

Threading Control experiments

Suspending threads

::SuspendThread(hThread);

Recovery thread

::ResumeThread(hThread);

Terminating a thread (this is a synchronous call and an asynchronous call)

方式一：    此方法结束线程会自动清理堆栈          ::ExitThread(DWORD dwExitCode);             方式二：                线程函数返回              方式三：    而此方法结束线程不会自动清理堆栈            ::TerminateThread(hThread,2);       ::WaitForSingleObject(hThread,INFINITE);        

Determines whether the thread ends

BOOL GetExitCodeThread(  HANDLE hThread,  LPDWORD lpExitCode);

Still_active is running

参数：hThread: 要结束的线程句柄dwExitCode: 指定线程的退出代码。可以通过GetExitCodeThread来查看一个线程的退出代码

Threads: Context structure causes

When each thread executes, it consumes one CPU on its own, and when the number of threads in the system > The number of CPUs, there is a situation where multiple threads share a single CPU. But the CPU can only run one thread at a time, and windows switches threads every 20 milliseconds, that is, thread a executes to address: 0x2345678eax:1 ecx:2 edx:3 ebx:4 ... there are values in the EFLAG flag register, and so on. At this point, the thread execution time is up, and it is switched to thread B. When thread B's time slice is up, and then thread A is switched, how does the system know which address to start executing from? How to recover the values of the various registers used before being switched?

So we're going to use the context structure.

CONTEXT

This structure contains the register data for the specific processor.

typedef struct _CONTEXT {////The flags values within this flag control the contents of/a CONTEXT record. If The context record is used as a input parameter, then//for each portion of the context record controll  Ed by a flag//whose value was set, it is assumed this that portion of the/context record contains valid context. If the context record//is being used to modify a threads context and then only that//portion of the Threads Contex    T'll be modified. If The context record is used as an in off parameter to capture//the context of a thread, then only those PO    Rtions of the thread ' s//context corresponding to set flags would be returned.    The context record is never used as a out of only parameter.    DWORD Contextflags;  This section is specified/returned if context_debug_registers are//set in Contextflags.    Note that context_debug_registers are not//included in Context_full.   // DWORD Dr0;    DWORD Dr1;    DWORD DR2;    DWORD Dr3;    DWORD DR6;    DWORD Dr7;    This is specified/returned if the//Contextflags word contians the flag context_floating_point.    Floating_save_area Floatsave;    This is specified/returned if the//Contextflags word contians the flag context_segments.    DWORD Seggs;    DWORD Segfs;    DWORD seges;    DWORD Segds;    This is specified/returned if the//Contextflags word contians the flag context_integer.    DWORD Edi;    DWORD Esi;    DWORD EBX;    DWORD EDX;    DWORD Ecx;    DWORD Eax;    This is specified/returned if the//Contextflags word contians the flag Context_control.    DWORD EBP;    DWORD Eip;              DWORD Segcs;             Must be sanitized DWORD eflags;    Must be sanitized DWORD Esp;    DWORD SEGSS; This section is specified/returned if THe contextflags Word//contains the flag context_extended_registers. The format and contexts are processor specific//BYTE extendedregisters[maximum_supported_extension];} CONTEXT;

Get thread Context Structure

//挂起线程  SuspendThread(线程句柄);    CONTEXT context //设置要获取的类型  context.ContextFlags = CONTEXT_CONTROL;     //获取    BOOL ok = ::GetThreadContext(hThread,&context);     //设置    

What are the security implications of this code? What causes it?

HWND hedit;D Word WINAPI ThreadProc1 (lpvoid lpparameter) {TCHAR szbuffer[10];    DWORD dwindex = 0;    DWORD dwcount;        while (dwindex<10) {GetWindowText (hedit,szbuffer,10);        SSCANF (Szbuffer, "%d", &dwcount);        dwcount++;        memset (szbuffer,0,10);        sprintf (Szbuffer, "%d", dwcount);        SetWindowText (Hedit,szbuffer);    dwindex++; } return 0;}    DWORD WINAPI ThreadProc2 (lpvoid lpparameter) {TCHAR szbuffer[10];    DWORD dwindex = 0;    DWORD dwcount;        while (dwindex<10) {GetWindowText (hedit,szbuffer,10);        SSCANF (Szbuffer, "%d", &dwcount);        dwcount++;        memset (szbuffer,0,10);        sprintf (Szbuffer, "%d", dwcount);        SetWindowText (Hedit,szbuffer);    dwindex++; } return 0;}    BOOL CALLBACK maindlgproc (HWND hdlg,uint umsg,wparam wparam,lparam LPARAM) {bool BRet = FALSE;            Switch (umsg) {case wm_close: {enddialog (hdlg,0);        Break } Case Wm_InitDialog: {hedit = GetDlgItem (hdlg,idc_edit1);            SetWindowText (Hedit, "0");        Break } Case Wm_command:switch (LoWord (WParam)) {case IDC_BUTTON_T1: {HAND                LE HThread1 =:: CreateThread (NULL, 0, ThreadProc1, NULL, 0, NULL);                :: CloseHandle (HTHREAD1);            return TRUE;                    } case IDC_BUTTON_T2: {HANDLE hThread2 =:: CreateThread (NULL, 0, THREADPROC2,                NULL, 0, NULL);                :: CloseHandle (HTHREAD2);            return TRUE;    }} break; } return BRet;} int Apientry WinMain (hinstance hinstance, hinstance hprevinstance, LPSTR lpcmd    Line, int. ncmdshow) {//Todo:place code here.    DialogBox (Hinstance,makeintresource (Idd_dialog_main), null,maindlgproc); return 0;}

0 Basic Reverse Engineering 34_win32_08_ threading Control _context structure