Thread Kill Example

07/10/2020 23:57 doqukanlas#1
Hey! I'm new to these hacks and bypasses; can anybody give me an example of thread killing?
07/11/2020 09:14 harris1g#2
process hacker a7a
07/11/2020 14:14 RingleRangleRob#3
Quote:
Originally Posted by doqukanlas View Post
Hey! I'm new to these hacks and bypasses; can anybody give me an example of thread killing?

I wrote it in 2017; maybe it will help you.

ThreadMng.h
Code:
#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <string>

// Minimal stand-in for the THREADINFOCLASS enumeration, carrying only the one
// information class this file queries through NtQueryInformationThread.
// NOTE(review): winternl.h also defines a type named THREADINFOCLASS, so including
// that header in the same translation unit is expected to clash with this one.
enum THREADINFOCLASS
{
	ThreadQuerySetWin32StartAddress = 9,   // ThreadInformation receives the thread's Win32 start address (pointer-sized)
};

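// Signature of ntdll!NtQueryInformationThread, resolved at runtime with GetProcAddress
// (see ThreadMng::GetThreadStartAddress). The ThreadInformationLength and ReturnLength
// parameters of the real export are 32-bit (ULONG / PULONG); declaring them as
// ULONG_PTR only happens to work on x64 in practice and is identical on x86, so the
// correct widths are used here. __stdcall is the calling convention NTAPI expands to on x86.
typedef NTSTATUS(__stdcall * f_NtQueryInformationThread)(HANDLE, THREADINFOCLASS, void*, ULONG, ULONG*);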

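/// Locates one thread of a process by the offset of its Win32 start address from a
/// module base, keeps an open handle to it in mHandle, and can suspend/resume it.
///
/// Ownership: mHandle is public and is NOT closed by the destructor (the class has
/// no copy control, so it is copyable, and closing the handle in the destructor would
/// double-close it for every copy). Whoever owns the ThreadMng must CloseHandle(mHandle).
class ThreadMng
{
public:
	ThreadMng();
	~ThreadMng();

	/// Call SuspendThread / ResumeThread on mHandle; the returned suspend counts are discarded.
	void Suspend();
	void Resume();

	/// Handle to the thread found by SearchForThreadByStartAddress (opened with
	/// THREAD_ALL_ACCESS). Starts as nullptr so a search that never ran or never
	/// matched is distinguishable from a successful one.
	HANDLE mHandle = nullptr;

	/// Walk a system-wide thread snapshot and look for a thread of process dwOwnerPID
	/// whose start address minus ModuleBaseOffset equals dwStartAddress; on a match the
	/// thread handle is stored in mHandle (any previous value is overwritten, not closed).
	/// The default dwOwnerPID of 0 is compared literally against the snapshot's owner
	/// PID; it is not translated to the current process id.
	/// @return false if the thread snapshot could not be created or walked; check
	///         mHandle to confirm that a thread actually matched.
	bool SearchForThreadByStartAddress(DWORD dwStartAddress, DWORD ModuleBaseOffset, DWORD dwOwnerPID = 0);

	/// Query the Win32 start address of hThread via ntdll!NtQueryInformationThread.
	/// @return the start address, or 0 if the export cannot be resolved or the query fails
	///         (a genuine start address of 0 is therefore indistinguishable from an error).
	ULONG_PTR GetThreadStartAddress(HANDLE hThread);
private:

};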

ThreadMng.cpp
Code:
#include "ThreadMng.h"



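// Start with no thread handle, so an object whose search has not run (or did not
// match) is distinguishable from one holding a real handle.
ThreadMng::ThreadMng()
	: mHandle(nullptr)
{
}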

// Increment the suspend count of the thread behind mHandle. SuspendThread's DWORD
// result (previous suspend count, or (DWORD)-1 on failure) is intentionally dropped,
// so a null or invalid mHandle fails silently here.
void ThreadMng::Suspend()
{
	(void)::SuspendThread(mHandle);
}

// Decrement the suspend count of the thread behind mHandle. ResumeThread's DWORD
// result (previous suspend count, or (DWORD)-1 on failure) is intentionally dropped,
// so a null or invalid mHandle fails silently here.
void ThreadMng::Resume()
{
	(void)::ResumeThread(mHandle);
}

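// Walk a system-wide thread snapshot and keep the first thread of dwOwnerPID whose
// Win32 start address minus ModuleBaseOffset equals dwStartAddress.
//
// Returns false when the snapshot cannot be created or walked, or when no thread
// matched; returns true only when mHandle has been set to a freshly opened handle.
// Any handle previously stored in mHandle is overwritten, not closed, because the
// member is public and this class does not know who owns it.
//
// NOTE: the address parameters are DWORD, so on a 64-bit build only start addresses
// whose offset fits in 32 bits can ever match.
bool ThreadMng::SearchForThreadByStartAddress(DWORD dwStartAddress, DWORD ModuleBaseOffset, DWORD dwOwnerPID)
{
	// TH32CS_SNAPTHREAD ignores the process-id argument and captures every thread on
	// the system; the owner filter is applied per entry below.
	HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (hThreadSnap == INVALID_HANDLE_VALUE)
		return false;

	THREADENTRY32 te32;
	te32.dwSize = sizeof(THREADENTRY32);   // required before Thread32First

	if (!Thread32First(hThreadSnap, &te32))
	{
		CloseHandle(hThreadSnap);
		return false;
	}

	bool found = false;
	do
	{
		if (te32.th32OwnerProcessID != dwOwnerPID)
			continue;

		// THREAD_ALL_ACCESS is kept because mHandle is public and callers may use it for
		// more than this class does; for its own work the class reportedly only needs
		// THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME.
		HANDLE tHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
		if (!tHandle)
			continue;   // access denied or thread already gone: skip instead of querying a null handle

		if ((GetThreadStartAddress(tHandle) - ModuleBaseOffset) == dwStartAddress)
		{
			mHandle = tHandle;   // ownership of tHandle moves to mHandle
			found = true;
			break;
		}
		CloseHandle(tHandle);
	} while (Thread32Next(hThreadSnap, &te32));

	CloseHandle(hThreadSnap);
	return found;
}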

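// Query the Win32 start address of hThread through ntdll!NtQueryInformationThread.
// Returns 0 when the export cannot be resolved or the query fails; callers cannot
// tell that apart from a real start address of 0.
ULONG_PTR ThreadMng::GetThreadStartAddress(HANDLE hThread)
{
	// ntdll.dll is mapped into every Win32 process and is never unloaded, so the
	// export is resolved once and cached rather than looked up on every call.
	static const f_NtQueryInformationThread NtQueryInformationThread = []() -> f_NtQueryInformationThread
	{
		HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
		if (!hNtdll)
			return nullptr;
		return reinterpret_cast<f_NtQueryInformationThread>(GetProcAddress(hNtdll, "NtQueryInformationThread"));
	}();
	if (!NtQueryInformationThread)
		return 0;

	ULONG_PTR ulStartAddress = 0;
	NTSTATUS Ret = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &ulStartAddress, sizeof(ULONG_PTR), nullptr);

	// 0 is STATUS_SUCCESS; every other status (including an invalid hThread) is
	// reported as "no address".
	if (Ret != 0)
		return 0;

	return ulStartAddress;
}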

// Empty on purpose as far as the handle is concerned: mHandle is a public member of a
// copyable class, so closing it here would double-close the handle held by any copy.
// The owner of the ThreadMng is responsible for CloseHandle(mHandle).
ThreadMng::~ThreadMng()
{
}
07/12/2020 22:55 doqukanlas#4
Quote:
Originally Posted by harris1g View Post
process hacker a7a
I know that ^^, but I need to automate it.

Quote:
Originally Posted by RingleRangleRob View Post

I wrote it in 2017; maybe it will help you.

ThreadMng.h
Code:
#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <string>

// Minimal stand-in for the THREADINFOCLASS enumeration, carrying only the one
// information class this file queries through NtQueryInformationThread.
// NOTE(review): winternl.h also defines a type named THREADINFOCLASS, so including
// that header in the same translation unit is expected to clash with this one.
enum THREADINFOCLASS
{
	ThreadQuerySetWin32StartAddress = 9,   // ThreadInformation receives the thread's Win32 start address (pointer-sized)
};

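// Signature of ntdll!NtQueryInformationThread, resolved at runtime with GetProcAddress
// (see ThreadMng::GetThreadStartAddress). The ThreadInformationLength and ReturnLength
// parameters of the real export are 32-bit (ULONG / PULONG); declaring them as
// ULONG_PTR only happens to work on x64 in practice and is identical on x86, so the
// correct widths are used here. __stdcall is the calling convention NTAPI expands to on x86.
typedef NTSTATUS(__stdcall * f_NtQueryInformationThread)(HANDLE, THREADINFOCLASS, void*, ULONG, ULONG*);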

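/// Locates one thread of a process by the offset of its Win32 start address from a
/// module base, keeps an open handle to it in mHandle, and can suspend/resume it.
///
/// Ownership: mHandle is public and is NOT closed by the destructor (the class has
/// no copy control, so it is copyable, and closing the handle in the destructor would
/// double-close it for every copy). Whoever owns the ThreadMng must CloseHandle(mHandle).
class ThreadMng
{
public:
	ThreadMng();
	~ThreadMng();

	/// Call SuspendThread / ResumeThread on mHandle; the returned suspend counts are discarded.
	void Suspend();
	void Resume();

	/// Handle to the thread found by SearchForThreadByStartAddress (opened with
	/// THREAD_ALL_ACCESS). Starts as nullptr so a search that never ran or never
	/// matched is distinguishable from a successful one.
	HANDLE mHandle = nullptr;

	/// Walk a system-wide thread snapshot and look for a thread of process dwOwnerPID
	/// whose start address minus ModuleBaseOffset equals dwStartAddress; on a match the
	/// thread handle is stored in mHandle (any previous value is overwritten, not closed).
	/// The default dwOwnerPID of 0 is compared literally against the snapshot's owner
	/// PID; it is not translated to the current process id.
	/// @return false if the thread snapshot could not be created or walked; check
	///         mHandle to confirm that a thread actually matched.
	bool SearchForThreadByStartAddress(DWORD dwStartAddress, DWORD ModuleBaseOffset, DWORD dwOwnerPID = 0);

	/// Query the Win32 start address of hThread via ntdll!NtQueryInformationThread.
	/// @return the start address, or 0 if the export cannot be resolved or the query fails
	///         (a genuine start address of 0 is therefore indistinguishable from an error).
	ULONG_PTR GetThreadStartAddress(HANDLE hThread);
private:

};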

ThreadMng.cpp
Code:
#include "ThreadMng.h"



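// Start with no thread handle, so an object whose search has not run (or did not
// match) is distinguishable from one holding a real handle.
ThreadMng::ThreadMng()
	: mHandle(nullptr)
{
}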

// Increment the suspend count of the thread behind mHandle. SuspendThread's DWORD
// result (previous suspend count, or (DWORD)-1 on failure) is intentionally dropped,
// so a null or invalid mHandle fails silently here.
void ThreadMng::Suspend()
{
	(void)::SuspendThread(mHandle);
}

// Decrement the suspend count of the thread behind mHandle. ResumeThread's DWORD
// result (previous suspend count, or (DWORD)-1 on failure) is intentionally dropped,
// so a null or invalid mHandle fails silently here.
void ThreadMng::Resume()
{
	(void)::ResumeThread(mHandle);
}

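// Walk a system-wide thread snapshot and keep the first thread of dwOwnerPID whose
// Win32 start address minus ModuleBaseOffset equals dwStartAddress.
//
// Returns false when the snapshot cannot be created or walked, or when no thread
// matched; returns true only when mHandle has been set to a freshly opened handle.
// Any handle previously stored in mHandle is overwritten, not closed, because the
// member is public and this class does not know who owns it.
//
// NOTE: the address parameters are DWORD, so on a 64-bit build only start addresses
// whose offset fits in 32 bits can ever match.
bool ThreadMng::SearchForThreadByStartAddress(DWORD dwStartAddress, DWORD ModuleBaseOffset, DWORD dwOwnerPID)
{
	// TH32CS_SNAPTHREAD ignores the process-id argument and captures every thread on
	// the system; the owner filter is applied per entry below.
	HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (hThreadSnap == INVALID_HANDLE_VALUE)
		return false;

	THREADENTRY32 te32;
	te32.dwSize = sizeof(THREADENTRY32);   // required before Thread32First

	if (!Thread32First(hThreadSnap, &te32))
	{
		CloseHandle(hThreadSnap);
		return false;
	}

	bool found = false;
	do
	{
		if (te32.th32OwnerProcessID != dwOwnerPID)
			continue;

		// THREAD_ALL_ACCESS is kept because mHandle is public and callers may use it for
		// more than this class does; for its own work the class reportedly only needs
		// THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME.
		HANDLE tHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
		if (!tHandle)
			continue;   // access denied or thread already gone: skip instead of querying a null handle

		if ((GetThreadStartAddress(tHandle) - ModuleBaseOffset) == dwStartAddress)
		{
			mHandle = tHandle;   // ownership of tHandle moves to mHandle
			found = true;
			break;
		}
		CloseHandle(tHandle);
	} while (Thread32Next(hThreadSnap, &te32));

	CloseHandle(hThreadSnap);
	return found;
}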

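// Query the Win32 start address of hThread through ntdll!NtQueryInformationThread.
// Returns 0 when the export cannot be resolved or the query fails; callers cannot
// tell that apart from a real start address of 0.
ULONG_PTR ThreadMng::GetThreadStartAddress(HANDLE hThread)
{
	// ntdll.dll is mapped into every Win32 process and is never unloaded, so the
	// export is resolved once and cached rather than looked up on every call.
	static const f_NtQueryInformationThread NtQueryInformationThread = []() -> f_NtQueryInformationThread
	{
		HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
		if (!hNtdll)
			return nullptr;
		return reinterpret_cast<f_NtQueryInformationThread>(GetProcAddress(hNtdll, "NtQueryInformationThread"));
	}();
	if (!NtQueryInformationThread)
		return 0;

	ULONG_PTR ulStartAddress = 0;
	NTSTATUS Ret = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &ulStartAddress, sizeof(ULONG_PTR), nullptr);

	// 0 is STATUS_SUCCESS; every other status (including an invalid hThread) is
	// reported as "no address".
	if (Ret != 0)
		return 0;

	return ulStartAddress;
}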

// Empty on purpose as far as the handle is concerned: mHandle is a public member of a
// copyable class, so closing it here would double-close the handle held by any copy.
// The owner of the ThreadMng is responsible for CloseHandle(mHandle).
ThreadMng::~ThreadMng()
{
}
Thank you! It will absolutely help.
07/12/2020 23:45 bmeale9#5
Wrong section btw ^^
07/13/2020 18:22 K1ramoX#6

closed, wrong section