| View previous topic :: View next topic |
| Author |
Message |
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
 Posted: Sat Jan 03, 2009 11:28 am Post subject: How do I get the thread address from threadid |
 |
|
| Is it possible? People say using GetThreadContext, but I clearly doubt it :S
|
|
| Back to top |
|
 |
lurc
Grandmaster Cheater Supreme
 Reputation: 2
Joined: 13 Nov 2006
Posts: 1900
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Sat Jan 03, 2009 10:11 pm Post subject: |
|
|
| :S Doesn't help much, sorry.
|
|
| Back to top |
|
|
tombana
Master Cheater
![]() Reputation: 2
Joined: 14 Jun 2007
Posts: 456
Location: The Netherlands
|
| Posted: Sun Jan 04, 2009 6:03 am Post subject: |
|
|
| If you mean the address which is currently executed by the thread, then I think you need GetThreadContext. (You might want to use SuspendThread first)
|
|
| Back to top |
|
|
Jonyleeson
Master Cheater
 Reputation: 0
Joined: 03 May 2007
Posts: 484
Location: Hérault, France
|
| Posted: Sun Jan 04, 2009 7:11 pm Post subject: |
|
|
| Code: | DWORD GetThreadEIP(__in HANDLE hThread)
{
CONTEXT Context;
DWORD dwSuspendCount, dwEIP = 0;
dwSuspendCount = SuspendThread(hThread);
if (dwSuspendCount != -1)
{
Context.ContextFlags = CONTEXT_CONTROL;
if (GetThreadContext(hThread, &Context))
dwEIP = Context.Eip;
if (dwSuspendCount == 1)
ResumeThread(hThread);
}
return dwEIP;
}
|
Credits to Irwin.
_________________
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 472
Joined: 09 May 2003
Posts: 25893
Location: The netherlands
|
| Posted: Mon Jan 05, 2009 7:58 am Post subject: |
|
|
Yes, use GetThreadContext to get the current EIP (you might have to suspend the process before you can get access to it, but not sure if that has been fixed in newer windows versions. Win9x required it)
and if you're wondering why some threads don't change their eip, and are at a specific dll location: Most likely the thread is in a idle mode waiting to be woken up by kernelmode
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
tombana
Master Cheater
![]() Reputation: 2
Joined: 14 Jun 2007
Posts: 456
Location: The Netherlands
|
| Posted: Mon Jan 05, 2009 10:44 am Post subject: |
|
|
| CoolCat wrote: | | Code: | DWORD GetThreadEIP(__in HANDLE hThread)
{
CONTEXT Context;
DWORD dwSuspendCount, dwEIP = 0;
dwSuspendCount = SuspendThread(hThread);
if (dwSuspendCount != -1)
{
Context.ContextFlags = CONTEXT_CONTROL;
if (GetThreadContext(hThread, &Context))
dwEIP = Context.Eip;
if (dwSuspendCount == 1)
ResumeThread(hThread);
}
return dwEIP;
}
|
Credits to Irwin. |
To Irwin: Shouldn't you call ResumeThread anyways regardless of the previous SuspendCount? Because if the suspendcount is more than 1 and you call ResumeThread, it will decrease the suspendcount but not resume the thread.
| MSDN wrote: | ResumeThread Function
Decrements a thread's suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed. |
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Mon Jan 05, 2009 3:38 pm Post subject: |
|
|
Hmm also can you get the thread handle from just the EIP? 
|
|
| Back to top |
|
|
BanMe
Master Cheater
![]() Reputation: 0
Joined: 29 Nov 2005
Posts: 375
Location: Farmington NH, USA
|
| Posted: Mon Jan 05, 2009 4:35 pm Post subject: |
|
|
... ummm .... no...(unless u wanna dig into the Thread Manager.. or use a hack such as i present here..)
flow would be something like ::
MonitorForPidOrProcessNameWithSuspend
SuspendProcessEnumThreadsAndStartAddress's
KeStackAttachProcess
QueryHandleTableOfAttachedProcessForThreadHandles
DuplicateObjectToHandleByStartAddress(using NtQueryInformationThread(StartAddress to cross check Thread Address)
KeUnstackAttachProcess
... do your work...
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
