How Find Thread Start Address?

[rakerkiller]

hi guys, please, i need your help for find thread start address, i got script for find tid's, now i need find how get start adress from tid's, thank you.

example of TID Start Address

[KDeluxe]

PHP Code:

Func GetThreadStartAddress($hThread)
    $StartAddress = DllStructCreate("DWORD")
    If @error Then Return SetError(1, "", False)

    $ntdll = DllOpen("ntdll.dll")
    If @error Then Return SetError(2, "", False)

    DllCall($ntdll, "none", "NtQueryInformationThread", "HANDLE", $hThread, "int", 9, "ptr", DllStructGetPtr($StartAddress), "int", 4, "int", 0)
    If @error Then Return SetError(3, "", False)

    Return SetError(0, "", DllStructGetData($StartAddress, 1))
EndFunc 


[rakerkiller]

hi KillerDeluxe ty for help me, I tested the script with

MsgBox(0,'',GetThreadStartAddress(1960)) ;1960 example of TID

and this return me 0, maybe u give me a example how use the code, ty

[rakerkiller]

here is the code for get the thread(TID's) from PID, I need get the StartAddress from the TID's returned, thank you for help!

PHP Code:

#include <WinAPi.au3>
#include <Array.au3>

Global Const $TH32CS_SNAPTHREAD = 0x00000004
Global Const $THREADENTRY32 = "dword dwSize;dword cntUsage;dword th32ThreadId;dword th32OwnerProcessID;long tpBasePri;long tpDeltaPri;dword dwFlags;"

$pid = ProcessExists("game.exe")

$arr=_GetAllProcessThreads($pid)

_ArrayDisplay($arr)

Func _GetAllProcessThreads($iPid)
        $call = DllCall("Kernel32.dll", "ptr", "CreateToolhelp32Snapshot", "dword", $TH32CS_SNAPTHREAD, "dword", 0)
    $handle = $call[0]
    Local $RetArr[1][1]
    ConsoleWrite("Handle: " & $handle & @CRLF)

    $te32=DllStructCreate($THREADENTRY32)
    DllStructSetData($te32,"dwSize",DllStructGetSize($te32))
    $call=DllCall("Kernel32.dll","int","Thread32First","ptr",$handle,"ptr",DllStructGetPtr($te32))
    If DllStructGetData($te32,"th32OwnerProcessID")=$iPid Then _GetAllThreads_ArrHelper($RetArr,$te32)
    Do
        $call=DllCall("Kernel32.dll","int","Thread32Next","ptr",$handle,"ptr",DllStructGetPtr($te32))
        If Not $call[0] Then ExitLoop
        If DllStructGetData($te32,"th32OwnerProcessID")=$iPid Then  _GetAllThreads_ArrHelper($RetArr,$te32)
    Until True And False
    _ArrayDelete($RetArr,0)
    _WinAPI_CloseHandle($handle)
    Return $RetArr
EndFunc


Func _GetAllThreads_ArrHelper(ByRef $Arr,$TE32_Struct)
    $ub=Ubound($Arr)
    ReDim $Arr[$ub+1][1]
    $Arr[$ub][0]=DllStructGetData($TE32_Struct,"th32ThreadId")
EndFunc 


[rakerkiller]

any1 got idea for help me, pls?

[KDeluxe]

Use "OpenThread" to get the required handle.

PHP Code:

;=================================================================================================
; Function:            GetAllThreadsStartAddress($ProcessId)
; Description:        Retrieves a list of threads.
; Return Value(s):    On Success - Returns an array of matching thread identifiers and handles.
;                    On Failure - Returns false
;                    @Error:    0 = No error.
;                            1 = Failed to open 'ntdll.dll'.
;                            2 = Failed to open 'Kernel32.dll'.
;                            3 = Failed to create a snapshot.
;                            4 = Failed to copie the first entry of the thread list.
;                            5 = Failed to open a thread.
;                            6 = Failed to get the start address.
;                            7 = Failed to close the opened thread.
;                            8 = Failed to copie the next entry of the thread list.
;                            7 = Failed to close the created snapshot.
; Author(s):        KillerDeluxe
;=================================================================================================

Func GetAllThreadsStartAddress($ProcessId)
    $StartAddress = DllStructCreate("DWORD")

    $TE32 = DllStructCreate("DWORD;DWORD;DWORD;DWORD;LONG;LONG;DWORD")
    DllStructSetData($TE32, 1, DllStructGetSize($TE32))

    $ntdll = DllOpen("ntdll.dll")
    If @error Then Return SetError(1, "", False)

    $Kernel32 = DllOpen("Kernel32.dll")
    If @error Then Return SetError(2, "", False)

    $hSnapshot = DllCall($Kernel32, "HANDLE", "CreateToolhelp32Snapshot", "int", 4, "DWORD", $ProcessId)
    If @error Then Return SetError(3, "", False)

    DllCall($Kernel32, "int", "Thread32First", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($TE32))
    If @error Then Return SetError(4, "", False)

    $ThreadCount = 1
    Dim $ReturnArray[2][2]

    While True
        If DllStructGetData($TE32, 4) == $ProcessId Then
            $ReturnArray[0][0] = $ThreadCount
            $ReturnArray[0][1] = $ThreadCount

            $hThread = DllCall($Kernel32, "HANDLE", "OpenThread", "int", 0x60, "bool", False, "DWORD", DllStructGetData($TE32, 3))
            If @error Then Return SetError(5, "", False)

            DllCall($ntdll, "none", "NtQueryInformationThread", "HANDLE", $hThread[0], "int", 9, "ptr", DllStructGetPtr($StartAddress), "int", 4, "int", 0)
            If @error Then Return SetError(6, "", False)

            ReDim $ReturnArray[$ThreadCount + 1][2]
            $ReturnArray[$ThreadCount][0] = DllStructGetData($TE32, 3)
            $ReturnArray[$ThreadCount][1] = Hex(DllStructGetData($StartAddress, 1))
            $ThreadCount += 1

            DllCall($Kernel32, "int", "CloseHandle", "HANDLE", $hThread[0])
            If @error Then Return SetError(7, "", False)
        EndIf

        $ret = DllCall($Kernel32, "int", "Thread32Next", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($TE32))
        If @error Then Return SetError(8, "", False)
        If Not $ret[0] Then ExitLoop
    WEnd

    DllCall($Kernel32, "int", "CloseHandle", "HANDLE", $hSnapshot[0])
    If @error Then Return SetError(9, "", False)

    DllClose($ntdll)
    DllClose($Kernel32)
    Return SetError(0, "", $ReturnArray)
EndFunc 


Example:

 Spoiler

PHP Code:

#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_UseX64=n

#include <Array.au3>
$Array = GetAllThreadsStartAddress(ProcessExists("explorer.exe"))
If Not @error Then _ArrayDisplay($Array)

;=================================================================================================
; Function:            GetAllThreadsStartAddress($ProcessId)
; Description:        Retrieves a list of threads.
; Return Value(s):    On Success - Returns an array of matching thread identifiers and handles.
;                    On Failure - Returns false
;                    @Error:    0 = No error.
;                            1 = Failed to open 'ntdll.dll'.
;                            2 = Failed to open 'Kernel32.dll'.
;                            3 = Failed to create a snapshot.
;                            4 = Failed to copie the first entry of the thread list.
;                            5 = Failed to open a thread.
;                            6 = Failed to get the start address.
;                            7 = Failed to close the opened thread.
;                            8 = Failed to copie the next entry of the thread list.
;                            7 = Failed to close the created snapshot.
; Author(s):        KillerDeluxe
;=================================================================================================

Func GetAllThreadsStartAddress($ProcessId)
    $StartAddress = DllStructCreate("DWORD")

    $TE32 = DllStructCreate("DWORD;DWORD;DWORD;DWORD;LONG;LONG;DWORD")
    DllStructSetData($TE32, 1, DllStructGetSize($TE32))

    $ntdll = DllOpen("ntdll.dll")
    If @error Then Return SetError(1, "", False)

    $Kernel32 = DllOpen("Kernel32.dll")
    If @error Then Return SetError(2, "", False)

    $hSnapshot = DllCall($Kernel32, "HANDLE", "CreateToolhelp32Snapshot", "int", 4, "DWORD", $ProcessId)
    If @error Then Return SetError(3, "", False)

    DllCall($Kernel32, "int", "Thread32First", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($TE32))
    If @error Then Return SetError(4, "", False)

    $ThreadCount = 1
    Dim $ReturnArray[2][2]

    While True
        If DllStructGetData($TE32, 4) == $ProcessId Then
            $ReturnArray[0][0] = $ThreadCount
            $ReturnArray[0][1] = $ThreadCount

            $hThread = DllCall($Kernel32, "HANDLE", "OpenThread", "int", 0x60, "bool", False, "DWORD", DllStructGetData($TE32, 3))
            If @error Then Return SetError(5, "", False)

            DllCall($ntdll, "none", "NtQueryInformationThread", "HANDLE", $hThread[0], "int", 9, "ptr", DllStructGetPtr($StartAddress), "int", 4, "int", 0)
            If @error Then Return SetError(6, "", False)

            ReDim $ReturnArray[$ThreadCount + 1][2]
            $ReturnArray[$ThreadCount][0] = DllStructGetData($TE32, 3)
            $ReturnArray[$ThreadCount][1] = Hex(DllStructGetData($StartAddress, 1))
            $ThreadCount += 1

            DllCall($Kernel32, "int", "CloseHandle", "HANDLE", $hThread[0])
            If @error Then Return SetError(7, "", False)
        EndIf

        $ret = DllCall($Kernel32, "int", "Thread32Next", "HANDLE", $hSnapshot[0], "ptr", DllStructGetPtr($TE32))
        If @error Then Return SetError(8, "", False)
        If Not $ret[0] Then ExitLoop
    WEnd

    DllCall($Kernel32, "int", "CloseHandle", "HANDLE", $hSnapshot[0])
    If @error Then Return SetError(9, "", False)

    DllClose($ntdll)
    DllClose($Kernel32)
    Return SetError(0, "", $ReturnArray)
EndFunc 


You have to compile the script as a 32 bit application. Otherwise the returned StartAddress will be 0.

[rakerkiller]

sry i was at one travel, I will test today at night and post the results, thanks very much for attention.

[rakerkiller]

wow cool, works fine, alot thank you bro KillerDeluxe, you are PRO!