;-------------- Obtain the TEB address of the thread that owns the window
invoke OpenThread,THREAD_QUERY_INFORMATION,FALSE,WINTHREADID
.if eax != NULL
mov THREADHAND,EAX
invoke LoadLibrary,offset Ntdll
invoke GetProcAddress,eax,offset _ZwQueryInformationThread
mov apiquerthread,eax
push 0
push sizeof THREAD_BASIC_INFORMATION
lea ecx,threadinfo
push ecx
push ThreadBasicInformation
push THREADHAND
call apiquerthread
.IF EAX == STATUS_SUCCESS
lea ecx,threadinfo
mov esi,[ecx+4] ;得到TEB了
.ELSE
invoke MessageBox,0,offset errgetteb,offset vp,1
ret
.ENDIF
.else
invoke MessageBox,0,offset erropenthread,offset vp,1
ret
.endif
comment %
;The earlier approach stopped working once the target process had too many threads.
;The value at fs:18h is the TEB base address and fs:24h holds the thread ID; both were compared to identify the right TEB.
mov esi,07ffd0000h
@@nextteb:
invoke Toolhelp32ReadProcessMemory,parid,esi,offset buffer1,4,NULL
.if eax == TRUE
mov ecx,esi
add ecx,18h
invoke Toolhelp32ReadProcessMemory,parid,ecx,offset buffer1,4,NULL
.if eax == TRUE
mov eax,offset buffer1
mov eax,[eax]
.if eax == esi
mov ecx,esi
add ecx,24h
invoke Toolhelp32ReadProcessMemory,parid,ecx,offset buffer1,4,NULL
.if eax == TRUE
mov eax,offset buffer1
mov eax,[eax]
.if eax == WINTHREADID
jmp @@getteb
.else
jmp @@next
.endif
.else
jmp @@next
.endif
.else
jmp @@next
.endif
.else
jmp @@next
.endif
.elseif esi>07ffdf000h
ret
.else
@@next:
add esi,1000h
jmp @@nextteb
.endif
@@getteb:
%
invoke wsprintf,offset bufferteb,offset tebformat,esi
invoke MessageBox,0,offset bufferteb,offset vp,1