[Functions] Processes / Threads / Handles / Modules
Posted: 20 Jun 2016, 08:11
GetThreadStartAddr – returns the thread ID and Win32 start address of every thread belonging to a process, given its PID
(source: GitHub)
Example & output:
Ref:
- CreateToolhelp32Snapshot function (msdn)
- Thread32First function (msdn)
- Thread32Next function (msdn)
- OpenThread function (msdn)
- NtQueryInformationThread function (msdn)
- CloseHandle function (msdn)
(source: GitHub)
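; GetThreadStartAddr - enumerates the threads of one process and returns the
; Win32 start address of each of them.
;
; ProcessID - PID of the process to inspect.
;
; Returns a 1-based array of objects with the keys ThreadID and StartAddr;
; StartAddr is formatted with Format("{:#016x}"), e.g. "0x000000003c5aa2".
; A PID that has no threads in the snapshot (typically a PID that does not
; exist) yields an empty array, not an error. When an API call fails a string
; starting with "Error in <API name>" is returned instead, so callers must
; test the result with IsObject() before indexing it.
;
; Notes:
;   - Every thread is opened with THREAD_QUERY_INFORMATION (0x0040). Threads of
;     processes the caller is not allowed to open (other users, protected or
;     higher-integrity processes) surface as "Error in OpenThread".
;   - Info class 9 (ThreadQuerySetWin32StartAddress) of NtQueryInformationThread
;     is not documented by Microsoft but has been stable for many years.
;   - NOTE(review): a 32-bit script querying a 64-bit process presumably gets a
;     truncated address - run a script whose bitness matches the target.
GetThreadStartAddr(ProcessID)
{
    static TH32CS_SNAPTHREAD := 0x4, THREAD_QUERY_INFORMATION := 0x0040, ThreadQuerySetWin32StartAddress := 9, ERROR_INVALID_PARAMETER := 87

    hModule := DllCall("LoadLibrary", "str", "ntdll.dll", "uptr")
    ; CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE (-1),
    ; not 0, so the handle has to be read as a signed Ptr and compared with -1.
    hSnapshot := DllCall("CreateToolhelp32Snapshot", "uint", TH32CS_SNAPTHREAD, "uint", ProcessID, "ptr")
    if (hSnapshot = -1 || !hSnapshot) {
        DllCall("FreeLibrary", "ptr", hModule)
        return "Error in CreateToolhelp32Snapshot"
    }

    ; THREADENTRY32: dwSize(0) cntUsage(4) th32ThreadID(8) th32OwnerProcessID(12)
    ; tpBasePri(16) tpDeltaPri(20) dwFlags(24) = 28 bytes. dwSize must be filled
    ; in before Thread32First is called.
    VarSetCapacity(THREADENTRY32, 28, 0), NumPut(28, THREADENTRY32, 0, "uint")

    Addr := {}, Err := "", ThreadStartAddr := 0
    ; The entry filled in by Thread32First is a real thread and has to be
    ; examined too; advancing with Thread32Next happens at the end of the loop.
    ok := DllCall("Thread32First", "ptr", hSnapshot, "ptr", &THREADENTRY32)
    if (!ok)
        Err := "Error in Thread32First"
    while (ok) {
        ; The snapshot is system-wide; keep only threads owned by ProcessID.
        if (NumGet(THREADENTRY32, 12, "uint") = ProcessID) {
            ThreadID := NumGet(THREADENTRY32, 8, "uint")
            hThread := DllCall("OpenThread", "uint", THREAD_QUERY_INFORMATION, "int", 0, "uint", ThreadID, "ptr")
            if (hThread) {
                ; ReturnLength is optional, so NULL is passed for it.
                status := DllCall("ntdll\NtQueryInformationThread", "ptr", hThread, "uint", ThreadQuerySetWin32StartAddress, "ptr*", ThreadStartAddr, "uint", A_PtrSize, "ptr", 0)
                DllCall("CloseHandle", "ptr", hThread)
                if (status != 0) {
                    Err := "Error in NtQueryInformationThread"
                    break
                }
                Addr.Push({ThreadID: ThreadID, StartAddr: Format("{:#016x}", ThreadStartAddr)})
            } else if (A_LastError != ERROR_INVALID_PARAMETER) {
                ; ERROR_INVALID_PARAMETER means the thread exited between the
                ; snapshot and now and is simply skipped; any other failure
                ; (usually access denied) aborts, as a silently incomplete thread
                ; list would be worse than an explicit error.
                Err := "Error in OpenThread"
                break
            }
        }
        ok := DllCall("Thread32Next", "ptr", hSnapshot, "ptr", &THREADENTRY32)
    }

    ; Single exit so the snapshot handle and the library reference are released
    ; on every path, including the error ones.
    DllCall("CloseHandle", "ptr", hSnapshot)
    DllCall("FreeLibrary", "ptr", hModule)
    return Err != "" ? Err : Addr
}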
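; Resolve the PID from the process name instead of hard-coding one: a PID is only
; meaningful for the lifetime of that particular process. Process, Exist sets
; ErrorLevel to the PID, or to 0 when the process is not running.
Process, Exist, notepad++.exe
if !(PID := ErrorLevel) {
    MsgBox % "notepad++.exe is not running"
    ExitApp
}
Threads := GetThreadStartAddr(PID)
; GetThreadStartAddr returns an error string instead of an array when an API
; call fails (e.g. no access to the target process); indexing that string with
; [1].StartAddr or iterating it would throw, so check the type first.
if !IsObject(Threads) {
    MsgBox % Threads
    ExitApp
}
MsgBox % "StartAddr of first Thread:`t" Threads[1].StartAddr
; Sample output (PID of notepad++):
; 0x000000003c5aa2
; ===============================================================================================================================
for k, v in Threads
    MsgBox % "ThreadID:`t`t" v.ThreadID "`nStartAddr:`t`t" v.StartAddr
; Sample output (PID of notepad++):
; ThreadID: 8052 | 1460 | 12116 | 8668 | 5376
; StartAddr: 0x000000003c5aa2 | 0x000000777ac6d0 | 0x0000000032c660 | 0x000000748875f0 | 0x000000777ac6d0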
Ref:
- CreateToolhelp32Snapshot function (msdn)
- Thread32First function (msdn)
- Thread32Next function (msdn)
- OpenThread function (msdn)
- NtQueryInformationThread function (msdn)
- CloseHandle function (msdn)