在一個線程出現異常行為時,比如說CPU佔用率過高,拋出異常等,你一定想知道這個線程是由哪個模組建立的。因此無論在哪個作業系統上,擷取線程名稱是診斷線程相關問題的重要一步。
從線程ID擷取線程名稱通常的方法是,先擷取該線程的入口地址,然後枚舉進程內所有已載入模組,最後判斷線程入口地址落在哪個載入模組範圍內。枚舉 進程內已載入模組可用Win32標準的CreateToolhelp32Snapshot/Module32First/Module32Next系列 ToolHelp API得到。擷取線程入口地址則沒有線程的Win32 API可用。不過在Windows NT based作業系統上(包括Windows NT 4.0/2000/XP/2003,等),有一個未公開的Native API可用:NtQueryInformationThread。其聲明如下:
DWORD WINAPI NtQueryInformationThread(
HANDLE ThreadHandle,
THREAD_INFORMATION_CLASS ThreadInformationClass,
PVOID ThreadInformation,
ULONG ThreadInformationLength,
PULONG ReturnLength
);
擷取線程入口地址可用:
DWORD GetThreadStartAddress(DWORD dwThreadId)
{
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, dwThreadId);
DWORD retaddr, len, error;
retaddr = len = 0;
error = NtQueryInformationThread( hThread, 9, &retaddr, sizeof(retaddr), &len );
CloseHandle(hThread);
if( error != 0 )
retaddr = 0;
return retaddr;
}
在Windows CE上就沒這麼幸運了,沒有任何現成的API可用。官方Windows CE Base Team的blog對這個問題的 回答是可以用Remote Kernel Tracker,不過這需要你build一個特殊的kernel image,enable一些profiler功能-這在顯示的問題診斷中顯然是不實際的。那麼有沒有辦法不需要什麼特殊的配置就可像Windows案頭 作業系統那樣獲得入口地址呢?有是有的,不過需要一些hack手段。仔細研究CE下的Thread核心資料結構,就會發現Thread結構中有一項是記錄 線程入口地址的。
typedef struct Thread {
DWORD _1[3];
PPROCESS pProc; /* 0C: pointer to current process */
PPROCESS pOwnerProc; /* 10: pointer to owner process */
DWORD _2[18];
DWORD dwStartAddr; /* 5c: thread PC at creation, used to get thread name */
DWORD _3[10];
}THREAD, *PTHREAD; /* Thread */
因此要做的就是想辦法根據線程ID或handle得到這個資料。再研究,發現線程的Thread核心資料結構可通過控制代碼得到:
PTHREAD pTh = HandleToThread(ThreadHandle);
而且,在Windows CE下,線程ID和其handle的值是一樣的!!因此我們可以寫一個這樣的函數從線程ID拿到入口地址:
DWORD GetThreadStartAddress(DWORD dwThreadId)
{
DWORD dwStartAddress = 0;
BOOL fOldMode = SetKMode(TRUE);
PTHREAD pTh = HandleToThread((HANDLE)dwThreadId);
if (pTh)
{
dwStartAddress = (DWORD)MapPtrToProcess((LPVOID)pTh->dwStartAddr, pTh->pOwnerProc->hProc);
}
return dwStartAddress;
}
為了使用這些核心資料結構,我們還需要另外一些輔助結構和函數,比較完整的代碼如下。當然,官方肯定是不建議這麼做的,但是重要的是解決問題,你說呢。
typedef struct Process {
DWORD _1[2];
HANDLE hProc; /* 08: handle for this process, needed only for SC_GetProcFromPtr */
}PROCESS, *PPROCESS;
typedef struct Thread {
DWORD _1[3];
PPROCESS pProc; /* 0C: pointer to current process */
PPROCESS pOwnerProc; /* 10: pointer to owner process */
DWORD _2[18];
DWORD dwStartAddr; /* 5c: thread PC at creation, used to get thread name */
DWORD _3[10];
}THREAD, *PTHREAD; /* Thread */
typedef struct cinfo {
char acName[4]; /* 00: object type ID string */
uchar disp; /* 04: type of dispatch */
uchar type; /* 05: api handle type */
ushort cMethods; /* 06: # of methods in dispatch table */
const PFNVOID *ppfnMethods;/* 08: ptr to array of methods (in server address space) */
const DWORD *pdwSig; /* 0C: ptr to array of method signatures */
PPROCESS pServer; /* 10: ptr to server process */
} CINFO; /* cinfo */
typedef CINFO *PCINFO;
typedef struct _HDATA HDATA, *PHDATA;
struct _HDATA {
DWORD _1[2]; /* 00: links for active handle list */
HANDLE hValue; /* 08: Current value of handle (nonce) */
DWORD lock; /* 0C: access information */
DWORD ref; /* 10: reference information */
const CINFO *pci; /* 14: ptr to object class description structure */
PVOID pvObj; /* 18: ptr to object */
DWORD dwInfo; /* 1C: extra handle info */
}; /* 20: sizeof(HDATA) */
#ifdef x86
struct KDataStruct {
LPDWORD lpvTls; /* 0x000 Current thread local storage pointer */
HANDLE ahSys[NUM_SYS_HANDLES]; /* 0x004 If this moves, change kapi.h */
DWORD _1[4];
ulong handleBase; /* 0x094 base address of handle table */
}; /* KDataStruct */
#endif
#ifdef ARM
struct KDataStruct {
LPDWORD lpvTls; /* 0x000 Current thread local storage pointer */
HANDLE ahSys[NUM_SYS_HANDLES]; /* 0x004 If this moves, change kapi.h */
DWORD _1[6];
ulong handleBase; /* 0x09c handle table base address */
}; /* KDataStruct */
#endif
#define HandleToThread(h) ((THREAD *)GetObjectPtrByType((h),SH_CURTHREAD))
#define HANDLE_ADDRESS_MASK 0x1ffffffc
void h2p(HANDLE h, PHDATA& phdRet)
{
if ((ulong)h < NUM_SYS_HANDLES+SYS_HANDLE_BASE && (ulong)h >= SYS_HANDLE_BASE)
h = ((KDataStruct*)PUserKData)->ahSys[(uint)h-SYS_HANDLE_BASE];
if (h)
