7.7 在实际上下文中谈CONTEXT结构
(1)线程CONTEXT记录线程的状态(如CPU各寄存器状态),以供下次调度时从停止处继续。
(2)CONTEXT的结构(要获得或设置时,必须在Context.ContextFlags设置相应的标志)
|
标志 |
说明 |
|
CONTEXT_CONTROL |
控制寄存器,如EIP、ESP,EBP等 |
|
CONTEXT_INTEGER |
整数寄存器,如EDI、ESI、EBX、EDX、ECX、EAX等 |
|
CONTEXT_FLOATING_POINT |
浮点寄存器,将寄存器结果返回到FLOATING_SAVE_AREA FloagSave |
|
CONTEXT_SEGMENTS |
段寄存器,如GS、FS、ES、DS |
|
CONTEXT_DEBUG_REGISTERS |
调试寄存器,如DR0、……、DR7 |
|
CONTEXT_EXTENDED_REGISTERS |
扩展寄存器,将寄存器的结果返回到 BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION]数组中 |
★CONTEXT_FULL标志 = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS
(3)获取和设置上下文
①先挂起线程和设置CONTEXT结构体相应的标志
②Get\SetThreadContext;
【ThreadContext程序】显示线程上下文的CPU寄存器状态
#include <windows.h>
#include <tchar.h>
#include <locale.h>
//线程函数
DWORD WINAPI ThreadProc(PVOID pvParam)
{
HANDLE hEvent = (HANDLE)pvParam;
WaitForSingleObject(hEvent, INFINITE);
CloseHandle(hEvent);
return 0;
}
int _tmain()
{
_tsetlocale(LC_ALL, _T("chs"));
HANDLE hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
HANDLE hEventDup = NULL;
DuplicateHandle(GetCurrentProcess(), hEvent,
GetCurrentProcess(), &hEventDup,
DUPLICATE_SAME_ACCESS,FALSE,0);
HANDLE hThread = CreateThread(NULL, 0, ThreadProc, hEventDup,
CREATE_SUSPENDED,NULL);
ResumeThread(hThread);
SuspendThread(hThread);
CONTEXT ct = {0};
ct.ContextFlags = CONTEXT_ALL;
GetThreadContext(hThread, &ct);
//显示CONTEXT的内容
_tprintf(_T("CPU寄存器状态:\n"));
_tprintf(_T("\tEAX=0x%08X,EBX=0x%08X\n"),ct.Eax,ct.Ebx);
_tprintf(_T("\tECX=0x%08X,EDX=0x%08X\n"), ct.Ecx, ct.Edx);
_tprintf(_T("\tESI=0x%08X,EDI=0x%08X\n"), ct.Esi, ct.Edi);
_tprintf(_T("\tEIP=0x%08X,ESP=0x%08X\n"), ct.Eip, ct.Esp);
_tprintf(_T("\tEBP=0x%08X,EFL=0x%08X\n"), ct.Ebp, ct.EFlags);
ResumeThread(hThread);
SetEvent(hEvent);
CloseHandle(hEvent);
CloseHandle(hThread);
_tsystem(_T("PAUSE"));
return 0;
}
时间: 2024-10-02 22:53:23