代码1
#define _WIN32_WINNT 0x0400
#define WIN32_LEAN_AND_MEAN // 从 Windows 头中排除极少使用的资料
#include <iostream>
#include <windows.h>
#include <Winbase.h>
using namespace std;
DWORD WINAPI WorkThread(LPVOID pParam)
{
HANDLE Event = (HANDLE)pParam;
for(;;)
{
DWORD dwRet = WaitForSingleObjectEx(Event, INFINITE, TRUE);
if(dwRet == WAIT_OBJECT_0)
break;
else
if(dwRet == WAIT_IO_COMPLETION)
printf("WAIT_IO_COMPLETION\n");
return 0;
}
}
VOID WINAPI APCProc(LPVOID dwParam)
{
printf("%s", (PVOID)dwParam);
}
void TestAPC(BOOL bFast)
{
HANDLE QuitEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
HANDLE hThread = CreateThread(NULL,
0,
WorkThread,
(LPVOID)QuitEvent,
0,
NULL);
Sleep(100); // Wait for WorkThread initialized.
for(int i=5; i>0; i--)
{
QueueUserAPC((PAPCFUNC)APCProc, hThread, (DWORD)(PVOID)"APC here\n");
if(!bFast)
Sleep(1000);
}
SetEvent(QuitEvent);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
int main()
{
TestAPC(true);
return 0;
}
#define WIN32_LEAN_AND_MEAN // 从 Windows 头中排除极少使用的资料
#include <iostream>
#include <windows.h>
#include <Winbase.h>
using namespace std;
DWORD WINAPI WorkThread(LPVOID pParam)
{
HANDLE Event = (HANDLE)pParam;
for(;;)
{
DWORD dwRet = WaitForSingleObjectEx(Event, INFINITE, TRUE);
if(dwRet == WAIT_OBJECT_0)
break;
else
if(dwRet == WAIT_IO_COMPLETION)
printf("WAIT_IO_COMPLETION\n");
return 0;
}
}
VOID WINAPI APCProc(LPVOID dwParam)
{
printf("%s", (PVOID)dwParam);
}
void TestAPC(BOOL bFast)
{
HANDLE QuitEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
HANDLE hThread = CreateThread(NULL,
0,
WorkThread,
(LPVOID)QuitEvent,
0,
NULL);
Sleep(100); // Wait for WorkThread initialized.
for(int i=5; i>0; i--)
{
QueueUserAPC((PAPCFUNC)APCProc, hThread, (DWORD)(PVOID)"APC here\n");
if(!bFast)
Sleep(1000);
}
SetEvent(QuitEvent);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
int main()
{
TestAPC(true);
return 0;
}
代码2
#define _WIN32_WINNT 0x0400
#define WIN32_LEAN_AND_MEAN // 从 Windows 头中排除极少使用的资料
#include <windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
typedef HANDLE (CALLBACK *OPENTHREAD) (DWORD dwFlag, BOOL bUnknow, DWORD dwThreadId);
typedef unsigned long ULONG_PTR;
typedef struct _TIDLIST
{
DWORD dwTid ;
_TIDLIST *pNext ;
}TIDLIST;
DWORD EnumThread(HANDLE hProcess, TIDLIST *pThreadIdList)
{
TIDLIST *pCurrentTid = pThreadIdList ;
HANDLE hThread;
const char szInjectModName[] = "c:\\sysnap.dll" ;
DWORD dwLen = strlen(szInjectModName) ;
HMODULE hDll = GetModuleHandle("Kernel32.dll");
PVOID param = VirtualAllocEx(hProcess, \
NULL, dwLen, MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE) ;
if (param != NULL)
{
DWORD dwRet ;
if (WriteProcessMemory(hProcess, param, (LPVOID)szInjectModName, dwLen, &dwRet))
{
while (pCurrentTid)
{
OPENTHREAD lpfnOpenThread = (OPENTHREAD)::GetProcAddress(hDll, "OpenThread");
hThread = lpfnOpenThread(THREAD_ALL_ACCESS,FALSE,pCurrentTid->dwTid);
if (hThread != NULL)
{
//
// 注入DLL到指定进程
//
QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)param) ;
}
printf("TID:%d\n", pCurrentTid->dwTid) ;
pCurrentTid = pCurrentTid->pNext ;
}
}
}
return 0 ;
}
DWORD GetProcID(const char *szProcessName)
{
PROCESSENTRY32 pe32 = {0} ;
pe32.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) ;
if (hSnapshot == INVALID_HANDLE_VALUE)
{
return 0xFFFFFFFF ;
}
if (!Process32First(hSnapshot, &pe32))
{
return 0xFFFFFFFF ;
}
do
{
if (!_strnicmp(szProcessName, pe32.szExeFile, strlen(szProcessName)))
{
printf("%s的PID是:%d\n", pe32.szExeFile, pe32.th32ProcessID);
return pe32.th32ProcessID ;
}
} while(Process32Next(hSnapshot, &pe32));
return 0xFFFFFFFF ;
}
TIDLIST* InsertTid(TIDLIST *pdwTidListHead, DWORD dwTid)
{
TIDLIST *pCurrent = NULL ;
TIDLIST *pNewMember = NULL ;
if (pdwTidListHead == NULL)
{
return NULL ;
}
pCurrent = pdwTidListHead ;
while (pCurrent != NULL)
{
if (pCurrent->pNext == NULL)
{
//
// 定位到链表最后一个元素
//
pNewMember = (TIDLIST *)malloc(sizeof(TIDLIST)) ;
if (pNewMember != NULL)
{
pNewMember->dwTid = dwTid ;
pNewMember->pNext = NULL ;
pCurrent->pNext = pNewMember ;
return pNewMember ;
}
else
{
return NULL ;
}
}
pCurrent = pCurrent->pNext ;
}
return NULL ;
}
int EnumThreadID(DWORD dwPID, TIDLIST *pdwTidList)
{
int i = 0 ;
THREADENTRY32 te32 = {0} ;
te32.dwSize= sizeof(THREADENTRY32) ;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,dwPID) ;
if(hSnapshot != INVALID_HANDLE_VALUE)
{
if(Thread32First(hSnapshot,&te32))
{
do
{
if(te32.th32OwnerProcessID==dwPID)
{
if (pdwTidList->dwTid == 0)
{
pdwTidList->dwTid = te32.th32ThreadID ;
}
else
{
if (NULL == InsertTid(pdwTidList, te32.th32ThreadID))
{
printf("插入失败!\n") ;
return 0 ;
}
}
}
}while(Thread32Next(hSnapshot,&te32));
}
}
return 1 ;
}
void RemoveTid(TIDLIST *pdwTidListHead)
{
TIDLIST *pCurrent = NULL ;
TIDLIST *pNext = NULL ;
if (pdwTidListHead == NULL)
{
return;
}
pCurrent = pdwTidListHead ;
while (pCurrent != NULL)
{
pNext = pCurrent->pNext;
free(pCurrent);
pCurrent = pNext;
}
}
int main(int argc, char* argv[])
{
TIDLIST *pTidHead = (TIDLIST *)malloc(sizeof(TIDLIST)) ;
if (pTidHead == NULL)
{
return 1 ;
}
RtlZeroMemory(pTidHead, sizeof(TIDLIST)) ;
DWORD dwPID = 0 ;
if ((dwPID = GetProcID("explorer.exe")) == 0xFFFFFFFF)
{
printf("进程ID获取失败!\n") ;
return 1 ;
}
//
// 枚举线程ID
//
EnumThreadID(dwPID, pTidHead) ;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID) ;
if (hProcess == NULL)
{
return 1 ;
}
EnumThread(hProcess, pTidHead) ;
CloseHandle(hProcess);
RemoveTid(pTidHead);
return 0;
}
#define WIN32_LEAN_AND_MEAN // 从 Windows 头中排除极少使用的资料
#include <windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
typedef HANDLE (CALLBACK *OPENTHREAD) (DWORD dwFlag, BOOL bUnknow, DWORD dwThreadId);
typedef unsigned long ULONG_PTR;
typedef struct _TIDLIST
{
DWORD dwTid ;
_TIDLIST *pNext ;
}TIDLIST;
DWORD EnumThread(HANDLE hProcess, TIDLIST *pThreadIdList)
{
TIDLIST *pCurrentTid = pThreadIdList ;
HANDLE hThread;
const char szInjectModName[] = "c:\\sysnap.dll" ;
DWORD dwLen = strlen(szInjectModName) ;
HMODULE hDll = GetModuleHandle("Kernel32.dll");
PVOID param = VirtualAllocEx(hProcess, \
NULL, dwLen, MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE) ;
if (param != NULL)
{
DWORD dwRet ;
if (WriteProcessMemory(hProcess, param, (LPVOID)szInjectModName, dwLen, &dwRet))
{
while (pCurrentTid)
{
OPENTHREAD lpfnOpenThread = (OPENTHREAD)::GetProcAddress(hDll, "OpenThread");
hThread = lpfnOpenThread(THREAD_ALL_ACCESS,FALSE,pCurrentTid->dwTid);
if (hThread != NULL)
{
//
// 注入DLL到指定进程
//
QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)param) ;
}
printf("TID:%d\n", pCurrentTid->dwTid) ;
pCurrentTid = pCurrentTid->pNext ;
}
}
}
return 0 ;
}
DWORD GetProcID(const char *szProcessName)
{
PROCESSENTRY32 pe32 = {0} ;
pe32.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) ;
if (hSnapshot == INVALID_HANDLE_VALUE)
{
return 0xFFFFFFFF ;
}
if (!Process32First(hSnapshot, &pe32))
{
return 0xFFFFFFFF ;
}
do
{
if (!_strnicmp(szProcessName, pe32.szExeFile, strlen(szProcessName)))
{
printf("%s的PID是:%d\n", pe32.szExeFile, pe32.th32ProcessID);
return pe32.th32ProcessID ;
}
} while(Process32Next(hSnapshot, &pe32));
return 0xFFFFFFFF ;
}
TIDLIST* InsertTid(TIDLIST *pdwTidListHead, DWORD dwTid)
{
TIDLIST *pCurrent = NULL ;
TIDLIST *pNewMember = NULL ;
if (pdwTidListHead == NULL)
{
return NULL ;
}
pCurrent = pdwTidListHead ;
while (pCurrent != NULL)
{
if (pCurrent->pNext == NULL)
{
//
// 定位到链表最后一个元素
//
pNewMember = (TIDLIST *)malloc(sizeof(TIDLIST)) ;
if (pNewMember != NULL)
{
pNewMember->dwTid = dwTid ;
pNewMember->pNext = NULL ;
pCurrent->pNext = pNewMember ;
return pNewMember ;
}
else
{
return NULL ;
}
}
pCurrent = pCurrent->pNext ;
}
return NULL ;
}
int EnumThreadID(DWORD dwPID, TIDLIST *pdwTidList)
{
int i = 0 ;
THREADENTRY32 te32 = {0} ;
te32.dwSize= sizeof(THREADENTRY32) ;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,dwPID) ;
if(hSnapshot != INVALID_HANDLE_VALUE)
{
if(Thread32First(hSnapshot,&te32))
{
do
{
if(te32.th32OwnerProcessID==dwPID)
{
if (pdwTidList->dwTid == 0)
{
pdwTidList->dwTid = te32.th32ThreadID ;
}
else
{
if (NULL == InsertTid(pdwTidList, te32.th32ThreadID))
{
printf("插入失败!\n") ;
return 0 ;
}
}
}
}while(Thread32Next(hSnapshot,&te32));
}
}
return 1 ;
}
void RemoveTid(TIDLIST *pdwTidListHead)
{
TIDLIST *pCurrent = NULL ;
TIDLIST *pNext = NULL ;
if (pdwTidListHead == NULL)
{
return;
}
pCurrent = pdwTidListHead ;
while (pCurrent != NULL)
{
pNext = pCurrent->pNext;
free(pCurrent);
pCurrent = pNext;
}
}
int main(int argc, char* argv[])
{
TIDLIST *pTidHead = (TIDLIST *)malloc(sizeof(TIDLIST)) ;
if (pTidHead == NULL)
{
return 1 ;
}
RtlZeroMemory(pTidHead, sizeof(TIDLIST)) ;
DWORD dwPID = 0 ;
if ((dwPID = GetProcID("explorer.exe")) == 0xFFFFFFFF)
{
printf("进程ID获取失败!\n") ;
return 1 ;
}
//
// 枚举线程ID
//
EnumThreadID(dwPID, pTidHead) ;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID) ;
if (hProcess == NULL)
{
return 1 ;
}
EnumThread(hProcess, pTidHead) ;
CloseHandle(hProcess);
RemoveTid(pTidHead);
return 0;
}
以下五个函数能够使线程进入告警状态:
SleepEx
WaitForSingleObjectEx
WaitForMultipleObjectsEx
SignalObjectAndWait
MsgWaitForMultipleObjectsEx
线程进入告警状态时,内核将会检查线程的APC队列,如果队列中有APC,将会按FIFO方式依次执行。如果队列为空,线程将会挂起等待事件对象。以后的某个时刻,一旦APC进入队列,线程将会被唤醒执行APC,同时等待函数返回WAIT_IO_COMPLETION。
QueueUserAPC可以用来人为投递APC,只要目标线程处于告警状态时,APC就能够得到执行。
使用告警IO的主要缺点是发出IO请求的线程也必须是处理结果的线程,如果一个线程退出时还有未完成的IO请求,那么应用程序将永远丢失IO完成通知。然而以后我们将会看到IO完成端口没有这个限制。