得到线程入口地址的方式

gggxxx

要获取入口地址，可以用Native API： NtQueryInformationThread，以ThreadQuerySetWin32StartAddress为参数

具体代码：

.h：

#pragma once
typedef LONG NTSTATUS;
typedef NTSTATUS (WINAPI *NTQUERYINFORMATIONTHREAD)(
        HANDLE ThreadHandle,
        ULONG ThreadInformationClass,
        PVOID ThreadInformation,
        ULONG ThreadInformationLength,
        PULONG ReturnLength);
typedef enum _THREADINFOCLASS {
        ThreadBasicInformation,
        ThreadTimes,
        ThreadPriority,
        ThreadBasePriority,
        ThreadAffinityMask,
        ThreadImpersonationToken,
        ThreadDescriptorTableEntry,
        ThreadEnableAlignmentFaultFixup,
        ThreadEventPair_Reusable,
        ThreadQuerySetWin32StartAddress,
        ThreadZeroTlsCell,
        ThreadPerformanceCount,
        ThreadAmILastThread,
        ThreadIdealProcessor,
        ThreadPriorityBoost,
        ThreadSetTlsArrayAddress,   // Obsolete
        ThreadIsIoPending,
        ThreadHideFromDebugger,
        ThreadBreakOnTermination,
        ThreadSwitchLegacyState,
        ThreadIsTerminated,
        ThreadLastSystemCall,
        ThreadIoPriority,
        ThreadCycleTime,
        ThreadPagePriority,
        ThreadActualBasePriority,
        ThreadTebInformation,
        ThreadCSwitchMon,          // Obsolete
        ThreadCSwitchPmu,
        ThreadWow64Context,
        ThreadGroupInformation,
        ThreadUmsInformation,      // UMS
        ThreadCounterProfiling,
        ThreadIdealProcessorEx,
        MaxThreadInfoClass
} THREADINFOCLASS;

class FindThreadStaAddr
{
public:
        FindThreadStaAddr(void);
        ~FindThreadStaAddr(void);


        DWORD GetThreadStartAddr1(DWORD dwThreadId);
};


.cpp

#include "StdAfx.h"
#include "FindThreadStaAddr.h"

FindThreadStaAddr::FindThreadStaAddr(void)
{
}

FindThreadStaAddr::~FindThreadStaAddr(void)
{
}


DWORD FindThreadStaAddr::GetThreadStartAddr1(DWORD dwThreadId)
{
        HMODULE hNtdll = LoadLibrary(_T("ntdll.dll"));
        if (!hNtdll)
        {
                return 0;
        }

        NTQUERYINFORMATIONTHREAD NtQueryInformationThread = NULL;
        NtQueryInformationThread = (NTQUERYINFORMATIONTHREAD)
         GetProcAddress(hNtdll, "NtQueryInformationThread");
        if (!NtQueryInformationThread)
        {
                return 0;
        }

        HANDLE ThreadHandle = NULL;
        ThreadHandle = OpenThread(THREAD_QUERY_INFORMATION, FALSE, dwThreadId);
        if (!ThreadHandle)
        {
                return 0;
        }

        DWORD dwStaAddr = NULL;
        DWORD dwReturnLength = 0;
        if(NtQueryInformationThreadtion(ThreadHandle, ThreadQuerySetWin32StartAddress,
        &dwStaAddr, sizeof(dwStaAddr), &dwReturnLength))
        {
                return 0;
        }

        return dwStaAddr;
}

要注意的是

1.NtQueryInformationThread成功返回的是STATUS_SUCCESS（0）
另一种判断的方式是直接hook  LdrInitializeThunk
贴个原型:
typedef void (__stdcall *LDRINITIALIZETHUNK)(ULONG param0, ULONG param1, ULONG param2, ULONG param3);

PCONTEXT    pContext;
pContext = (PCONTEXT);
pContext->Eax即为函数入口地址

这个是入口地址，而且是在没有进入入口函数地址之前调用的，所以可以在这里判断是否需要KILL此线程.