/*
 * Want to write tool software? TDB98 should be useful.
 *
 * The Task Database (TDB) and the Task Database Extension (TDBX) for Win98
 * are below. The other structures stay the same as Win95.
 *
 * The number at the start of each member comment is the member's byte
 * offset in hexadecimal, as given by the author.
 *
 * NOTE(review): WORD, DWORD, TIB98, PDB, TCB and WAITNODE are not declared
 * in this listing, and TDBX98 is used inside TDB98 before its own typedef
 * appears; a forward declaration (or reordering) is needed to compile the
 * listing as written, unless one exists elsewhere.
 *
 * NOTE(review): these are undocumented, OS-internal layouts described for
 * Win98 only. A tool that overlays them on live memory should confirm the
 * exact OS version first and treat every pointer member as unvalidated
 * until checked; the page gives no layout for any other build.
 */
typedef struct TDB98 {
    WORD    Type;              // 00 K32 object type
    WORD    cReference;        // 02 reference count
    DWORD   pSomeEvent;        // 04 K32 event object used when someone waits on the thread object
    TIB98   tib;               // 08 thread information block
    PDB*    pProcess2;         // 40 another pointer to associated PDB
    // Thanks to Albert Lee for pointing out that two fields were missing here.
    // NOTE(review): the offsets printed on the members below run on from 40
    // (44, 48, ... 210) as if una/unb were absent. With these two DWORDs
    // declared, a compiler using 4-byte DWORDs/pointers places every later
    // member 8 bytes above its printed offset (Flags at 4C, APISuspendCount
    // at 218). The page does not say which is right for the real structure;
    // check with a compile-time offset assertion against a known-good value
    // before dereferencing anything past this point.
    DWORD   una;
    DWORD   unb;
    DWORD   Flags;             // 44 flags
    DWORD   TerminationStatus; // 48 exit code
    WORD    TIBSelector;       // 4C selector used in FS to point to TIB
    WORD    EmulatorSelector;  // 4E memory block for saving x87 state
    DWORD   cHandles;          // 50
    TCB*    Ring0Thread;       // 54 R0 thread control block
    TDBX98* pTDBX;             // 58 R0 thread database extension
    DWORD   un1[109];          // 5C unnamed filler; 109 DWORDs = 1B4 bytes, which carries 5C to 210
    DWORD   APISuspendCount;   // 210 Count of SuspendThread's minus ResumeThread's etc.
} TDB98, *PTDB98;

/*
 * WIN98SE SPECIFIC: KERNEL32 internal variable: the TDBX98 is found at the
 * current thread's THREAD DATABASE pointer + 8.
 *
 * NOTE(review): translated from the author's note. The TDB98 listing above
 * puts tib at +08 and pTDBX at +58, so how this "+8" relates to that layout
 * is not clear from the page; confirm before relying on it.
 */
typedef struct TDBX98 {
    DWORD     un0;               // 00
    TDB98*    ptdb;              // 04 R3 thread database
    PDB*      ppdb;              // 08 R3 process database
    DWORD     ContextHandle;     // 0C R0 memory context
    TCB*      Ring0Thread;       // 10 R0 thread control block
    WAITNODE* WaitNodeList;      // 14 Anchor of things we're waiting on
    DWORD     WaitFlags;         // 18 Blocking flags
    DWORD     un1;               // 1C
    DWORD     TimeOutHandle;     // 20
    DWORD     WakeParam;         // 24
    DWORD     BlockHandle;       // 28 R0 semaphore on which thread will wait inside VWIN32
    DWORD     BlockState;        // 2C
    DWORD     SuspendCount;      // 30
    DWORD     SuspendHandle;     // 34
    DWORD     MustCompleteCount; // 38 count of EnterMustComplete's minus LeaveMustComplete's
    DWORD     WaitExFlags;       // 3C flags
    DWORD     SyncWaitCount;     // 40
    DWORD     QueuedSyncFuncs;   // 44
    DWORD     UserAPCList;       // 48
    DWORD     KernAPCList;       // 4C
    DWORD     pPMPSPSelector;    // 50
    DWORD     BlockedOnID;       // 54
} TDBX98, *PTDBX98;              // 58 (total size: 22 four-byte members)

// Win98 "obsfucator" constant
//
// Fragment, not a complete function: threadId is not declared here
// (presumably the current thread's ID, e.g. from GetCurrentThreadId() --
// confirm against the caller).
DWORD dw;           // receives the computed TDB98 address of the current thread
DWORD dwObsfucate;  // receives threadId XOR that address

_asm {
    mov eax, fs:[18h]   // load the DWORD at FS:18h (presumably the linear address of the current TIB -- confirm)
    sub eax, 8          // step back 8 bytes: tib is listed at offset 08 inside TDB98, so this yields the TDB98 base
    mov dw, eax
}

// The constant is the XOR of the thread ID and the TDB98 address, so
// (id ^ dwObsfucate) maps an ID back to an address. Treat the result as
// run-time data: nothing on the page says the value is stable across boots
// or builds, and the sub-by-8 above is only right while tib sits at +08.
dwObsfucate = threadId ^ dw;

// 陆麟.