Windows Vista 之后线程的实际入口是 ntdll!RtlUserThreadStart，我下了一个断点发现 Win10 也是这样，只不过具体实现有些区别。本来我是打算一路找回去看看是不是能找到 ntdll!RtlUserThreadStart 这个函数的，不过应该要挺久，下次试试 2333。单纯为了验证一下线程入口点，于是我就下断看了一下。

; ntdll!RtlUserThreadStart  (x86 WinDbg listing, Win10)
; First user-mode code a new thread executes. Register roles, as traced
; through the listings below: eax = thread start routine, ebx = its
; parameter (they are parked at [esp+4]/[esp+8] here, become [ebp+8]/[ebp+0Ch]
; in _RtlUserThreadStart, and reach BaseThreadInitThunk as edx and [ebp+8]).
; If a delegated start routine has been registered, it is validated through
; the CFG check function pointer before control is transferred to it.
ntdll!RtlUserThreadStart:
775d4380 833d68e9677700  cmp     dword ptr [ntdll!LdrDelegatedRtlUserThreadStart (7767e968)],0 ds:002b:7767e968=00000000   ; delegate registered? (0 here)
775d4387 740e            je      ntdll!RtlUserThreadStart+0x17 (775d4397)                                              ; no -> normal path
775d4389 8b0d68e96777    mov     ecx,dword ptr [ntdll!LdrDelegatedRtlUserThreadStart (7767e968)]                        ; ecx = delegate
775d438f ff15e0116877    call    dword ptr [ntdll!__guard_check_icall_fptr (776811e0)]                                  ; CFG-validate ecx before the indirect jmp
775d4395 ffe1            jmp     ecx                                                                                    ; tail-jump to the delegate
775d4397 89442404        mov     dword ptr [esp+4],eax                                                                  ; park start routine as 1st stack arg
775d439b 895c2408        mov     dword ptr [esp+8],ebx                                                                  ; park parameter as 2nd stack arg
775d439f e93538ffff      jmp     ntdll!_RtlUserThreadStart (775c7bd9)                                                   ; jmp (not call): [esp] stays the return slot
;....
;....
; ntdll!_RtlUserThreadStart
; In:  [ebp+8]   = start routine (the eax parked by RtlUserThreadStart)
;      [ebp+0Ch] = parameter     (the parked ebx)
; Reserves 8 bytes of locals, hands their address to
; RtlInitializeExceptionChain, then passes the two arguments in ecx/edx to
; __RtlUserThreadStart. The int 3 after that call suggests it is not
; expected to return.
ntdll!_RtlUserThreadStart:
775c7bd9 8bff            mov     edi,edi                                  ; 2-byte no-op (hot-patch slot)
775c7bdb 55              push    ebp
775c7bdc 8bec            mov     ebp,esp
775c7bde 51              push    ecx                                      ; 8 bytes of locals at [ebp-8]
775c7bdf 51              push    ecx
775c7be0 8d45f8          lea     eax,[ebp-8]
775c7be3 50              push    eax                                      ; arg: &local record
775c7be4 e847000000      call    ntdll!RtlInitializeExceptionChain (775c7c30)
775c7be9 8b550c          mov     edx,dword ptr [ebp+0Ch]                  ; edx = parameter
775c7bec 8b4d08          mov     ecx,dword ptr [ebp+8]                    ; ecx = start routine
775c7bef e801000000      call    ntdll!__RtlUserThreadStart (775c7bf5)
775c7bf4 cc              int     3                                        ; reached only if the call returns
; ntdll!__RtlUserThreadStart
; In:  ecx = start routine, edx = parameter (from _RtlUserThreadStart)
; Sets up an SEH frame via _SEH_prolog4 (0x30 is presumably the local-frame
; size; 776663b8 is the scope table — "QueryRegistryValue+0x116c" is merely
; the nearest public symbol, not a reference to that function). When
; kernel32 has registered Kernel32ThreadInitThunkFunction, the pointer is
; CFG-validated and called with ecx = 0, edx = start routine, [esp] = parameter.
; The je target at +0x3ad36 and the jmp target at +0x3adec are out-of-line
; and not shown in this listing.
ntdll!__RtlUserThreadStart:
775c7bf5 6a30            push    30h                                                          ; frame size (presumed)
775c7bf7 68b8636677      push    offset ntdll!QueryRegistryValue+0x116c (776663b8)           ; SEH scope table
775c7bfc e88f050200      call    ntdll!_SEH_prolog4 (775e8190)
775c7c01 8bf9            mov     edi,ecx                                                      ; edi = start routine
775c7c03 8365fc00        and     dword ptr [ebp-4],0                                          ; presumably the SEH try level = 0
775c7c07 8b359cd96777    mov     esi,dword ptr [ntdll!Kernel32ThreadInitThunkFunction (7767d99c)]   ; esi = kernel32 thunk (may be 0)
775c7c0d 52              push    edx                                                          ; stack arg: parameter
775c7c0e 85f6            test    esi,esi
775c7c10 0f8415ad0300    je      ntdll!__RtlUserThreadStart+0x3ad36 (7760292b)                ; no thunk registered -> out-of-line path
775c7c16 8bce            mov     ecx,esi
775c7c18 ff15e0116877    call    dword ptr [ntdll!__guard_check_icall_fptr (776811e0)]        ; CFG-validate the thunk pointer
775c7c1e 8bd7            mov     edx,edi                                                      ; edx = start routine
775c7c20 33c9            xor     ecx,ecx                                                      ; ecx = 0
775c7c22 ffd6            call    esi            ; ntdll!Kernel32ThreadInitThunkFunction == KERNEL32!BaseThreadInitThunk (listed below)
775c7c24 e9b8ad0300      jmp     ntdll!__RtlUserThreadStart+0x3adec (776029e1)                ; continuation not shown

;...
;...
; KERNEL32!BaseThreadInitThunk
; In:  ecx = 0 when arriving from __RtlUserThreadStart (a non-zero ecx takes
;      the +0x20 path and never calls the routine), edx = start routine,
;      [ebp+8] = parameter. Returns with ret 4 (one stack arg).
; The routine is called through the import at 74ea1f8c, which is used exactly
; like ntdll!__guard_check_icall_fptr above (mov ecx,target / call [slot] /
; call target) — presumably the same CFG check; confirm. Its return value is
; then pushed to the import at 74ea1b2c (presumably the thread-exit routine;
; execution falls through into +0x20 only if it returns — confirm).
; The "WerpLaunchAeDebug+0x..." names are nearest-symbol resolutions of IAT
; slots, not calls into that function.
KERNEL32!BaseThreadInitThunk:
74e36340 8bff            mov     edi,edi                                                      ; 2-byte no-op (hot-patch slot)
74e36342 55              push    ebp
74e36343 8bec            mov     ebp,esp
74e36345 56              push    esi
74e36346 8bf2            mov     esi,edx                                                      ; esi = start routine
74e36348 85c9            test    ecx,ecx
74e3634a 7514            jne     KERNEL32!BaseThreadInitThunk+0x20 (74e36360)                ; ecx != 0 -> skip calling the routine
74e3634c ff7508          push    dword ptr [ebp+8]                                            ; arg: parameter
74e3634f 8bce            mov     ecx,esi
74e36351 ff158c1fea74    call    dword ptr [KERNEL32!WerpLaunchAeDebug+0x1e89c (74ea1f8c)]   ; validate esi (CFG check pattern; confirm)
74e36357 ffd6            call    esi                                                          ; run the thread routine
74e36359 50              push    eax                                                          ; arg: its return value
74e3635a ff152c1bea74    call    dword ptr [KERNEL32!WerpLaunchAeDebug+0x1e43c (74ea1b2c)]   ; presumably thread exit; confirm
74e36360 ff15381cea74    call    dword ptr [KERNEL32!WerpLaunchAeDebug+0x1e548 (74ea1c38)]   ; +0x20: query some flags (unknown import)
74e36366 5e              pop     esi
74e36367 a810            test    al,10h                                                       ; bit 4 of the result
74e36369 7409            je      KERNEL32!BaseThreadInitThunk+0x34 (74e36374)                ; clear -> return 0
74e3636b e80a000000      call    KERNEL32!BaseThreadInitThunk+0x3a (74e3637a)                ; helper listed below
74e36370 85c0            test    eax,eax
74e36372 7802            js      KERNEL32!BaseThreadInitThunk+0x36 (74e36376)                ; negative -> return it as-is
74e36374 33c0            xor     eax,eax                                                      ; +0x34: return 0
74e36376 5d              pop     ebp
74e36377 c20400          ret     4
##############################################复制多了,先留着看看######################################
; Helper at KERNEL32!BaseThreadInitThunk+0x3a (no public symbol of its own;
; called from +0x2b above when bit 4 of the flags queried at +0x20 is set).
; This listing is truncated: the je at +0x53 targets 74e3639d, one byte past
; the ret at +0x5c, so only the leading part of the function is shown.
; Note the store at +0x42: a code address (74e3ffa0) is written into a global
; (74ed0860); both "+0x..." names are nearest-symbol resolutions, not real
; references to WakeConditionVariable or TermsrvSyncUserIniFileExt.
74e3637a 8bff            mov     edi,edi                                                      ; 2-byte no-op (hot-patch slot)
74e3637c 55              push    ebp
74e3637d 8bec            mov     ebp,esp
74e3637f 51              push    ecx                                                          ; 4 bytes of locals
74e36380 53              push    ebx
74e36381 56              push    esi
74e36382 c7056008ed74a0ffe374 mov dword ptr [KERNEL32!WakeConditionVariable+0x11326 (74ed0860)],offset KERNEL32!TermsrvSyncUserIniFileExt+0x30 (74e3ffa0)   ; global fn-ptr slot = 74e3ffa0
74e3638c e859000000      call    KERNEL32!BaseThreadInitThunk+0xaa (74e363ea)                ; not shown
74e36391 85c0            test    eax,eax
74e36393 7408            je      KERNEL32!BaseThreadInitThunk+0x5d (74e3639d)                ; target lies beyond this listing
74e36395 33f6            xor     esi,esi
74e36397 8bc6            mov     eax,esi                                                      ; return 0 on this path
74e36399 5e              pop     esi
74e3639a 5b              pop     ebx
74e3639b c9              leave
74e3639c c3              ret

不是不是,我上面寫的是簡體漢字,怎麽下面直接變成繁體漢字,我當場變成彎彎人