How Find Thread Start Address?

06/30/2011 22:36 rakerkiller#1
hi guys, please, i need your help for find thread start address, i got script for find tid's, now i need find how get start adress from tid's, thank you.

example of TID Start Address
[Only registered and activated users can see links. Click Here To Register...]
06/30/2011 23:47 KDeluxe#2
PHP Code:
Func GetThreadStartAddress($hThread)
    $StartAddress DllStructCreate("DWORD")
    If @error Then Return SetError(1""False)

    $ntdll DllOpen("ntdll.dll")
    If @error Then Return SetError(2""False)

    DllCall($ntdll"none""NtQueryInformationThread""HANDLE"$hThread"int"9"ptr"DllStructGetPtr($StartAddress), "int"4"int"0)
    If @error Then Return SetError(3""False)

    Return SetError(0""DllStructGetData($StartAddress1))
EndFunc 
07/01/2011 02:13 rakerkiller#3
hi KillerDeluxe ty for help me, I tested the script with

MsgBox(0,'',GetThreadStartAddress(1960)) ;1960 example of TID

and this return me 0, maybe u give me a example how use the code, ty
07/01/2011 02:41 rakerkiller#4
here is the code for get the thread(TID's) from PID, I need get the StartAddress from the TID's returned, thank you for help!

PHP Code:
#include <WinAPi.au3>
#include <Array.au3>

Global Const $TH32CS_SNAPTHREAD 0x00000004
Global Const $THREADENTRY32 "dword dwSize;dword cntUsage;dword th32ThreadId;dword th32OwnerProcessID;long tpBasePri;long tpDeltaPri;dword dwFlags;"

$pid ProcessExists("game.exe")

$arr=_GetAllProcessThreads($pid)

_ArrayDisplay($arr)

Func _GetAllProcessThreads($iPid)
        $call DllCall("Kernel32.dll""ptr""CreateToolhelp32Snapshot""dword"$TH32CS_SNAPTHREAD"dword"0)
    $handle $call[0]
    Local $RetArr[1][1]
    ConsoleWrite("Handle: " $handle & @CRLF)

    $te32=DllStructCreate($THREADENTRY32)
    DllStructSetData($te32,"dwSize",DllStructGetSize($te32))
    $call=DllCall("Kernel32.dll","int","Thread32First","ptr",$handle,"ptr",DllStructGetPtr($te32))
    If DllStructGetData($te32,"th32OwnerProcessID")=$iPid Then _GetAllThreads_ArrHelper($RetArr,$te32)
    Do
        $call=DllCall("Kernel32.dll","int","Thread32Next","ptr",$handle,"ptr",DllStructGetPtr($te32))
        If Not $call[0Then ExitLoop
        If DllStructGetData($te32,"th32OwnerProcessID")=$iPid Then  _GetAllThreads_ArrHelper($RetArr,$te32)
    Until True And False
    _ArrayDelete($RetArr,0)
    _WinAPI_CloseHandle($handle)
    Return $RetArr
EndFunc


Func _GetAllThreads_ArrHelper(ByRef $Arr,$TE32_Struct)
    $ub=Ubound($Arr)
    ReDim $Arr[$ub+1][1]
    $Arr[$ub][0]=DllStructGetData($TE32_Struct,"th32ThreadId")
EndFunc 
07/01/2011 22:55 rakerkiller#5
any1 got idea for help me, pls?
07/02/2011 21:34 KDeluxe#6
Use "OpenThread" to get the required handle.
[Only registered and activated users can see links. Click Here To Register...]



PHP Code:
;=================================================================================================
; Function:            GetAllThreadsStartAddress($ProcessId)
Description:        Retrieves a list of threads.
; Return Value(s):    On Success Returns an array of matching thread identifiers and handles.
;                    On Failure Returns false
;                    @Error:    No error.
;                            Failed to open 'ntdll.dll'.
;                            Failed to open 'Kernel32.dll'.
;                            Failed to create a snapshot.
;                            Failed to copie the first entry of the thread list.
;                            Failed to open a thread.
;                            Failed to get the start address.
;                            Failed to close the opened thread.
;                            Failed to copie the next entry of the thread list.
;                            Failed to close the created snapshot.
Author(s):        KillerDeluxe
;=================================================================================================

Func GetAllThreadsStartAddress($ProcessId)
    $StartAddress DllStructCreate("DWORD")

    $TE32 DllStructCreate("DWORD;DWORD;DWORD;DWORD;LONG;LONG;DWORD")
    DllStructSetData($TE321DllStructGetSize($TE32))

    $ntdll DllOpen("ntdll.dll")
    If @error Then Return SetError(1""False)

    $Kernel32 DllOpen("Kernel32.dll")
    If @error Then Return SetError(2""False)

    $hSnapshot DllCall($Kernel32"HANDLE""CreateToolhelp32Snapshot""int"4"DWORD"$ProcessId)
    If @error Then Return SetError(3""False)

    DllCall($Kernel32"int""Thread32First""HANDLE"$hSnapshot[0], "ptr"DllStructGetPtr($TE32))
    If @error Then Return SetError(4""False)

    $ThreadCount 1
    Dim $ReturnArray[2][2]

    While True
        If DllStructGetData($TE324) == $ProcessId Then
            $ReturnArray[0][0] = $ThreadCount
            $ReturnArray[0][1] = $ThreadCount

            $hThread DllCall($Kernel32"HANDLE""OpenThread""int"0x60"bool"False"DWORD"DllStructGetData($TE323))
            If @error Then Return SetError(5""False)

            DllCall($ntdll"none""NtQueryInformationThread""HANDLE"$hThread[0], "int"9"ptr"DllStructGetPtr($StartAddress), "int"4"int"0)
            If @error Then Return SetError(6""False)

            ReDim $ReturnArray[$ThreadCount 1][2]
            $ReturnArray[$ThreadCount][0] = DllStructGetData($TE323)
            $ReturnArray[$ThreadCount][1] = Hex(DllStructGetData($StartAddress1))
            $ThreadCount += 1

            DllCall($Kernel32"int""CloseHandle""HANDLE"$hThread[0])
            If @error Then Return SetError(7""False)
        EndIf

        $ret DllCall($Kernel32"int""Thread32Next""HANDLE"$hSnapshot[0], "ptr"DllStructGetPtr($TE32))
        If @error Then Return SetError(8""False)
        If Not $ret[0Then ExitLoop
    WEnd

    DllCall($Kernel32"int""CloseHandle""HANDLE"$hSnapshot[0])
    If @error Then Return SetError(9""False)

    DllClose($ntdll)
    DllClose($Kernel32)
    Return SetError(0""$ReturnArray)
EndFunc 
Example:

You have to compile the script as a 32 bit application. Otherwise the returned StartAddress will be 0.
07/05/2011 14:03 rakerkiller#7
sry i was at one travel, I will test today at night and post the results, thanks very much for attention.
07/06/2011 14:11 rakerkiller#8
wow cool, works fine, alot thank you bro KillerDeluxe, you are PRO! :handsdown: