DbgkExitThread, DbgkExitProcess

天道酬勤  Posted: 2016-02-02
— This thread was moved to this section from Driver Protection (驱动保护) by 天道酬勤 (2016-05-19) —

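Thread creation and process creation involve a bit more work, but thread exit and process exit do not have much to do. On top of that, we already analyzed several debugging helper functions in the previous post, so there is actually not much substantive content in this one.

Where there is creation there is destruction. The destruction call is initiated by PspExitThread; below is an excerpt of its code.
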
//
// If the debug port is not NULL, call the debug support functions.
//
if (Process->DebugPort != NULL) {
    //
    // Don't report system thread exit to the debugger as we don't report them.
    //
    if (!IS_SYSTEM_THREAD (Thread)) {
        if (LastThread) {
            DbgkExitProcess (Process->ExitStatus);
        } else {
            DbgkExitThread (ExitStatus);
        }
    }
}

In fact, the code on the destruction side is very simple. There is not much of it. This is the thread exit code, DbgkExitThread, from ReactOS.

VOID
NTAPI
DbgkExitThread(IN NTSTATUS ExitStatus)
{
    DBGKM_MSG ApiMessage;
    PDBGKM_EXIT_THREAD ExitThread = &ApiMessage.ExitThread;
    PEPROCESS Process = PsGetCurrentProcess();
    PETHREAD Thread = PsGetCurrentThread();
    BOOLEAN Suspended;
    PAGED_CODE();

    //
    // Some parameter checks, nothing of substance
    //
    if ((Thread->HideFromDebugger) ||
        !(Process->DebugPort) ||
        (Thread->DeadThread))
    {
        /* Don't notify the debugger */
        return;
    }

    //
    // Fill in the thread exit information structure
    //
    ExitThread->ExitStatus = ExitStatus;

    /* Setup the API Message */
    ApiMessage.h.u1.Length = sizeof(DBGKM_MSG) << 16 |
                             (8 + sizeof(DBGKM_EXIT_THREAD));
    ApiMessage.h.u2.ZeroInit = 0;
    ApiMessage.h.u2.s2.Type = LPC_DEBUG_EVENT;
    ApiMessage.ApiNumber = DbgKmExitThreadApi;

    //
    // Suspend all threads other than this one; this is really superfluous, DbgkpSuspendProcess has this code too
    //
    Suspended = DbgkpSuspendProcess();

    /* Send the message */
    DbgkpSendApiMessage(&ApiMessage, FALSE);

    /* Resume the process if needed */
    if (Suspended)
    {
        DbgkpResumeProcess();
    }
}

Below is the code of DbgkExitProcess, which does not do much either.

VOID
NTAPI
DbgkExitProcess(IN NTSTATUS ExitStatus)
{
    DBGKM_MSG ApiMessage;
    PDBGKM_EXIT_PROCESS ExitProcess = &ApiMessage.ExitProcess;
    PEPROCESS Process = PsGetCurrentProcess();
    PETHREAD Thread = PsGetCurrentThread();
    PAGED_CODE();

    // Parameter checks
    if ((Thread->HideFromDebugger) ||
        !(Process->DebugPort) ||
        (Thread->DeadThread))
    {
        /* Don't notify the debugger */
        return;
    }

    //
    // Fill in the debug information structure
    //
    ExitProcess->ExitStatus = ExitStatus;

    /* Setup the API Message */
    ApiMessage.h.u1.Length = sizeof(DBGKM_MSG) << 16 |
                             (8 + sizeof(DBGKM_EXIT_PROCESS));
    ApiMessage.h.u2.ZeroInit = 0;
    ApiMessage.h.u2.s2.Type = LPC_DEBUG_EVENT;
    ApiMessage.ApiNumber = DbgKmExitProcessApi;

    /* Set the current exit time */
    KeQuerySystemTime(&Process->ExitTime);

    /* Send the message */
    DbgkpSendApiMessage(&ApiMessage, FALSE);
}
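
Added example (not part of the original post and not ReactOS code): a user-mode C model of the three excerpts above, showing which exit event reaches the debugger for a given thread state and how the u1.Length value is packed. The struct fields, function names and sample sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for the state the excerpts test (assumed model,
   not the real EPROCESS/ETHREAD layout). */
typedef struct {
    bool debug_port;         /* Process->DebugPort != NULL  */
    bool system_thread;      /* IS_SYSTEM_THREAD(Thread)    */
    bool hide_from_debugger; /* Thread->HideFromDebugger    */
    bool dead_thread;        /* Thread->DeadThread          */
    bool last_thread;        /* LastThread in PspExitThread */
} exit_ctx;

typedef enum { EV_NONE, EV_EXIT_THREAD, EV_EXIT_PROCESS } exit_event;

/* Which debug event is sent for an exiting thread: the PspExitThread
   dispatch, then the early-return checks at the top of
   DbgkExitThread / DbgkExitProcess. */
exit_event reported_event(const exit_ctx *c)
{
    if (!c->debug_port || c->system_thread)
        return EV_NONE;               /* PspExitThread never calls Dbgk* */
    if (c->hide_from_debugger || c->dead_thread)
        return EV_NONE;               /* Dbgk* returns before sending    */
    return c->last_thread ? EV_EXIT_PROCESS : EV_EXIT_THREAD;
}

/* u1.Length as built in the excerpts: total message size in the high
   16 bits, (8 + payload size) in the low 16 bits. */
uint32_t pack_length(uint16_t total, uint16_t payload)
{
    return ((uint32_t)total << 16) | (uint32_t)(8u + payload);
}
uint16_t total_length(uint32_t len) { return (uint16_t)(len >> 16); }
uint16_t data_length(uint32_t len)  { return (uint16_t)(len & 0xFFFFu); }

int main(void)
{
    static const char *names[] = { "none", "exit-thread", "exit-process" };
    exit_ctx hidden_last = { true, false, true, false, true };
    exit_ctx normal_last = { true, false, false, false, true };
    printf("hidden last thread -> %s\n", names[reported_event(&hidden_last)]);
    printf("normal last thread -> %s\n", names[reported_event(&normal_last)]);
    /* 0x100 and 4 are constructed sizes, not the real structure sizes. */
    printf("Length = 0x%08x\n", (unsigned)pack_length(0x100, 4));
    return 0;
}
```

In this model a last thread with HideFromDebugger set produces no exit-process message on this path, which is why a debugger relying only on these events can miss the exit.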

v2680267313  Posted: 2016-04-30
The user has been muted; this post is automatically hidden.