How to find process thread?

masheen · 16 Aug 2017, 02:24

I need to find process thread adress. How to do it?

This is AutoIt code maybe anybody help to do on Autohotkey?

Func _get_threadstack0()
	Dim $stacks[100]
	Local $answer
	Global Const $thread_all_access = 2032639
	Global Const $tagthread_basic_information = "dword ExitStatus; ptr TebBaseAddress; handle CLIENT_ID[2]; ulong_ptr Reserved[3];"
	Global Const $tagnt_tib = "ptr ExceptionList; ptr StackBase; ptr StackLimit; ptr SubSystemTib; ulong_ptr u1; ptr ArbitraryUserPointer; ptr Self;"
	Local $hprocess, $athreads, $hthread, $ares, $ibytes, $ipid = ProcessExists("process.exe"), $ttbi = DllStructCreate($tagthread_basic_information), $tnt_tib = DllStructCreate($tagnt_tib)
	$hprocess = _winapi_openprocess($process_all_access, False, $ipid)
	If NOT $hprocess Then
		Exit
	EndIf
	$athreads = _winapi_enumprocessthreads($ipid)
	If NOT @error Then
		For $i = 0 To $athreads[0]
			$hthread = _winapi_openthread($thread_all_access, False, $athreads[$i])
			If NOT $hthread Then
				$stacks[$i] = "It is not Thread"
				ContinueLoop
			EndIf
			$ares = DllCall("ntdll.dll", "dword", "NtQueryInformationThread", "handle", $hthread, "dword", 0, "ptr", DllStructGetPtr($ttbi), "ulong", DllStructGetSize($ttbi), "dword*", 0)
			If NOT @error AND NOT $ares[0] Then
				If _winapi_readprocessmemory($hprocess, $ttbi.tebbaseaddress, DllStructGetPtr($tnt_tib), DllStructGetSize($tnt_tib), $ibytes) Then
					$stacks[$i] = $tnt_tib.stackbase
				EndIf
			EndIf
			_winapi_closehandle($hthread)
		Next
		Return $stacks[1]
	EndIf
	_winapi_closehandle($hprocess)
EndFunc

Func _winapi_openthread($iaccess, $binherit, $ithreadid)
	Local $aresult = DllCall("kernel32.dll", "handle", "OpenThread", "dword", $iaccess, "bool", $binherit, "dword", $ithreadid)
	If @error Then Return SetError(@error, @extended, 0)
	Return $aresult[0]
EndFunc

Func _winapi_readprocessmemory($hprocess, $pbaseaddress, $pbuffer, $isize, ByRef $iread)
	Local $aresult = DllCall("kernel32.dll", "bool", "ReadProcessMemory", "handle", $hprocess, "ptr", $pbaseaddress, "struct*", $pbuffer, "ulong_ptr", $isize, "ulong_ptr*", 0)
	If @error Then Return SetError(@error, @extended, False)
	$iread = $aresult[5]
	Return $aresult[0]
EndFunc

Func _winapi_closehandle($hobject)
	Local $aresult = DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hobject)
	If @error Then Return SetError(@error, @extended, False)
	Return $aresult[0]
EndFunc

Func _winapi_enumprocessthreads($ipid = 0)
	If NOT $ipid Then $ipid = @AutoItPID
	Local $hsnapshot = DllCall("kernel32.dll", "handle", "CreateToolhelp32Snapshot", "dword", 4, "dword", 0)
	If @error OR NOT $hsnapshot[0] Then Return SetError(@error + 10, @extended, 0)
	Local Const $tagthreadentry32 = "dword Size;dword Usage;dword ThreadID;dword OwnerProcessID;long BasePri;long DeltaPri;dword Flags"
	Local $tthreadentry32 = DllStructCreate($tagthreadentry32)
	Local $aresult[101] = [0]
	$hsnapshot = $hsnapshot[0]
	DllStructSetData($tthreadentry32, "Size", DllStructGetSize($tthreadentry32))
	Local $aret = DllCall("kernel32.dll", "bool", "Thread32First", "handle", $hsnapshot, "struct*", $tthreadentry32)
	While NOT @error AND $aret[0]
		If DllStructGetData($tthreadentry32, "OwnerProcessID") = $ipid Then
			__inc($aresult)
			$aresult[$aresult[0]] = DllStructGetData($tthreadentry32, "ThreadID")
		EndIf
		$aret = DllCall("kernel32.dll", "bool", "Thread32Next", "handle", $hsnapshot, "struct*", $tthreadentry32)
	WEnd
	DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hsnapshot)
	If NOT $aresult[0] Then Return SetError(1, 0, 0)
	__inc($aresult, -1)
	Return $aresult
EndFunc

Func _winapi_openprocess($iaccess, $binherit, $ipid, $bdebugpriv = False)
	Local $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $binherit, "dword", $ipid)
	If @error Then Return SetError(@error, @extended, 0)
	If $aresult[0] Then Return $aresult[0]
	If NOT $bdebugpriv Then Return SetError(100, 0, 0)
	Local $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
	If @error Then Return SetError(@error + 10, @extended, 0)
	_security__setprivilege($htoken, "SeDebugPrivilege", True)
	Local $ierror = @error
	Local $iextended = @extended
	Local $iret = 0
	If NOT @error Then
		$aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $binherit, "dword", $ipid)
		$ierror = @error
		$iextended = @extended
		If $aresult[0] Then $iret = $aresult[0]
		_security__setprivilege($htoken, "SeDebugPrivilege", False)
		If @error Then
			$ierror = @error + 20
			$iextended = @extended
		EndIf
	Else
		$ierror = @error + 30
	EndIf
	_winapi_closehandle($htoken)
	Return SetError($ierror, $iextended, $iret)
EndFunc

16 Aug 2017, 02:59

https://autohotkey.com/boards/viewtopic.php?f=6&t=19323

masheen · 16 Aug 2017, 12:34

jNizM wrote:https://autohotkey.com/boards/viewtopic.php?f=6&t=19323

I think this is not quite i need. Can u give small example how to get address 0 thread?
Need function like this

Code: Select all

Msgbox % getThreadAddress(process.exe, 0)

getThreadAddress(processName, threadNumber){
	...
	...
	...
	return threadAddress
}

17 Aug 2017, 02:48

Without change my function it would looks like this:

Code: Select all

MyPID := xxxx    ; ProcessID
MyTID := xxxx    ; ThreadID


for k, v in GetThreadStartAddr(MyPID)
    if (v.ThreadID = MyTID)
        MsgBox % "ThreadID:`t`t" v.ThreadID "`nStartAddr:`t`t" v.StartAddr

How to find process thread?

How to find process thread?

Re: How to find process thread?

Re: How to find process thread?

Re: How to find process thread?

Who is online