process threadID suspend

sveetass

process threadID suspend

25 Jun 2021, 06:55

:sick: Hi, I need help with this script, please; I don't have enough experience to do it myself.
Here is an example: a script from GitHub that suspends a thread using its ThreadID.
The script lists all the thread IDs; how do I filter them to get only the TIDs of the threads that belong to the ntdll.dll library? (The ID and start address are dynamic and change on every restart.)


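; Resolve the PID of the target process; Process Exist leaves ErrorLevel = 0
; when no such process is running.
Process, Exist, notepad.exe
PID := ErrorLevel
; Bail out early: with PID = 0 the owner-PID filter in GetThreadStartAddr()
; would match snapshot entries whose owner PID is 0 rather than the intended
; process, and the suspend loop would then act on those threads.
if !(PID) {
    MsgBox, notepad.exe is not running.
    ExitApp
}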

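; Enumerates the threads owned by ProcessID and returns an object keyed 1..n,
; each entry holding "ThreadID" and "StartAddr" (the Win32 start address as a
; 0x-prefixed hex string, queried via ThreadQuerySetWin32StartAddress = 9).
;
; ProcessID - PID whose threads are listed. Nothing rejects 0 here; it simply
;             matches snapshot entries whose th32OwnerProcessID is 0.
; Returns    - an object on success, or an "Error in ..." string on failure.
;              Callers must test the result with IsObject() before iterating.
;
; Changes relative to the common snippet this was taken from:
;  - the entry filled in by Thread32First is inspected as well (it used to be
;    skipped, so the first thread in the snapshot was never examined);
;  - a failed OpenThread (thread exited after the snapshot, access denied) is
;    skipped instead of being passed on to NtQueryInformationThread;
;  - the snapshot handle and the ntdll module reference are released on every
;    exit path, including the error returns.
GetThreadStartAddr(ProcessID)
{
    static TH32CS_SNAPTHREAD := 0x4, THREAD_QUERY_INFORMATION := 0x0040, ThreadQuerySetWin32StartAddress := 9

    ; Keeps a reference on ntdll so the "ntdll\NtQueryInformationThread"
    ; DllCall below resolves; released with FreeLibrary before returning.
    hModule := DllCall("LoadLibrary", "str", "ntdll.dll", "uptr")

    ; A TH32CS_SNAPTHREAD snapshot is system-wide, so the owner PID is
    ; filtered per entry inside the loop.
    if !(hSnapshot := DllCall("CreateToolhelp32Snapshot", "uint", TH32CS_SNAPTHREAD, "uint", ProcessID, "ptr")) {
        DllCall("FreeLibrary", "ptr", hModule)
        return "Error in CreateToolhelp32Snapshot"
    }

    ; THREADENTRY32 is 28 bytes on both bitnesses; dwSize (offset 0) must be
    ; filled in before the first Thread32First call.
    NumPut(VarSetCapacity(THREADENTRY32, 28, 0), THREADENTRY32, "uint")
    if !(DllCall("Thread32First", "ptr", hSnapshot, "ptr", &THREADENTRY32)) {
        DllCall("CloseHandle", "ptr", hSnapshot)
        DllCall("FreeLibrary", "ptr", hModule)
        return "Error in Thread32First"
    }

    Addr := {}, cnt := 1, err := ""
    ; Process the entry Thread32First produced, then advance with Thread32Next
    ; until it reports no further entries.
    Loop {
        ; th32OwnerProcessID is at offset 12, th32ThreadID at offset 8.
        if (NumGet(THREADENTRY32, 12, "uint") = ProcessID) {
            ThreadID := NumGet(THREADENTRY32, 8, "uint")
            if (hThread := DllCall("OpenThread", "uint", THREAD_QUERY_INFORMATION, "int", 0, "uint", ThreadID, "ptr")) {
                status := DllCall("ntdll\NtQueryInformationThread", "ptr", hThread, "uint", ThreadQuerySetWin32StartAddress, "ptr*", ThreadStartAddr, "uint", A_PtrSize, "uint*", 0)
                ; The thread handle is only needed for the query; close it
                ; before deciding whether to abort so it cannot leak.
                DllCall("CloseHandle", "ptr", hThread)
                if (status != 0) {
                    err := "Error in NtQueryInformationThread"
                    break
                }
                Addr[cnt, "StartAddr"] := Format("{:#016x}", ThreadStartAddr)
                Addr[cnt, "ThreadID"]  := ThreadID
                cnt++
            }
        }
        if !(DllCall("Thread32Next", "ptr", hSnapshot, "ptr", &THREADENTRY32))
            break
    }

    ; Single cleanup point for both the success and the error path.
    DllCall("CloseHandle", "ptr", hSnapshot)
    DllCall("FreeLibrary", "ptr", hModule)
    return err ? err : Addr
}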

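; GetThreadStartAddr() returns an error string instead of an object when any
; API call fails; iterating a string with "for" raises a runtime error, so
; check the result type first.
Threads := GetThreadStartAddr(PID)
if !IsObject(Threads) {
    MsgBox, % Threads
    ExitApp
}
; Explicit braces: previously the loop body was the single statement that
; followed the commented-out MsgBox and a blank line, which was easy to
; misread. Every thread of the target process is suspended in turn, as before.
for k, v in Threads {
    ;MsgBox % "ThreadID:" v.ThreadID "`nStartAddr:" v.StartAddr
    SuspendThread(v.ThreadID)
}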

; Suspends the thread identified by ThreadID.
; Returns true on success, otherwise an "Error in ..." string. Note that the
; error strings are truthy as well, so callers must compare against true or
; check the returned type rather than rely on truthiness.
; 0x0002 is THREAD_SUSPEND_RESUME, the only access right SuspendThread needs.
SuspendThread(ThreadID)
{
    hThread := DllCall("OpenThread", "uint", 0x0002, "int", 0, "uint", ThreadID, "ptr")
    if !hThread
        return "Error in OpenThread"
    ; SuspendThread yields the previous suspend count, or -1 on failure.
    prevCount := DllCall("SuspendThread", "ptr", hThread)
    DllCall("CloseHandle", "ptr", hThread)
    return (prevCount = -1) ? "Error in SuspendThread" : true
}
sveetass

Re: process threadID suspend

26 Jun 2021, 03:27

Anyone? Help, please.
swagfag

Re: process threadID suspend

26 Jun 2021, 03:53

https://stackoverflow.com/questions/41363244/how-to-match-start-address-of-a-thread-to-a-module-name
  1. Call EnumProcessModules to enumerate the modules loaded into the process.
  2. For each module call GetModuleInformation to obtain the load address and linear address size of the module. If your (thread) address lies in that range of addresses(ie module base address + module size) then this is the target module.
Use GetModuleBaseName() while enumerating to get the module name string "ntdll.dll".
