windows - Get Thread's Start Address for External Process in C#

I've set up a simple C# program. I have imported OpenProcess, ReadProcessMemory and WriteProcessMemory from kernel32.dll.

I've acquired the external process's Process class.

How can I get the StartAddress of thread #0 (a specific ProcessThread)?

    // Look the target process up by name; GetProcessesByName returns an empty
    // array (not null) when nothing matches, so check the length before indexing.
    Process[] found = Process.GetProcessesByName("Calculator");
    if (found.Length == 0)
    {
        Console.WriteLine("Process not found");
        return;
    }
    Process process = found[0];

    foreach (ProcessThread thread in process.Threads)
    {
        Console.WriteLine(thread.StartAddress);
    }

The result of the code above is:

-157479632 -157479632 -157479632 -157479632 0 -157479632 -157479632 -157479632 -157479632 -157479632 -157479632 -157479632 

Why are there 0's, why are the rest all the same, and why are they negative?

In the thread object (struct _ETHREAD) there exist 2 different start addresses: StartAddress, the address where the thread begins to execute after walking through the DLLs via LdrInitializeThunk, and a second address, Win32StartAddress. The sense of this address: when you create a thread with the Win32 function Create[Remote]Thread (or a shell over it), the Win32 level sets the common thread StartAddress to ntdll.RtlUserThreadStart (the name of the function depends on the Windows version; on XP it has a different name) and the actual lpStartAddress passed as the Create[Remote]Thread parameter is what RtlUserThreadStart calls. That lpStartAddress is stored in Win32StartAddress.

Because all threads created via Win32 Create[Remote]Thread have the same StartAddress (to have a different StartAddress you need to call the low-level API RtlCreateUserThread directly; in the System process the StartAddress is the actual thread start address in the kernel).

When you use the code

    foreach (ProcessThread thread in process.Threads)
    {
        Console.WriteLine(thread.StartAddress);
    }

you get StartAddress, and it is absolutely normal in this case to get the same address. In some cases you can get 0 or an incorrect value, because in some versions of Windows StartAddress is saved in a union member and can be overwritten.

For Win32StartAddress you must have an opened thread handle with THREAD_QUERY_LIMITED_INFORMATION or THREAD_QUERY_INFORMATION and call ZwQueryInformationThread with ThreadQuerySetWin32StartAddress:

    PVOID pv;
    // hThread must have THREAD_QUERY_INFORMATION (or THREAD_QUERY_LIMITED_INFORMATION) access.
    // On success pv receives the lpStartAddress originally passed to Create[Remote]Thread.
    NTSTATUS status = ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &pv, sizeof(pv), 0);

And why are they all negative?

Because you print the thread address incorrectly: it is a pointer, but you print it as a signed integer. You must print it in hex, as a pointer (%p format).
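As an added example (not the answer's or the asker's code): the same query done from C#, so that both StartAddress (from ProcessThread) and Win32StartAddress (from NtQueryInformationThread with ThreadQuerySetWin32StartAddress, information class 9) are printed in hex side by side. The process name "Calculator" is taken from the question; the constants, the P/Invoke declarations and the helper name GetWin32StartAddress are this example's own assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

class ThreadStartAddresses
{
    // THREADINFOCLASS value for ThreadQuerySetWin32StartAddress (assumed constant, value 9).
    const int ThreadQuerySetWin32StartAddress = 9;
    // Thread access right needed to open the handle (the answer says the LIMITED variant also works).
    const uint THREAD_QUERY_INFORMATION = 0x0040;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Zw/NtQueryInformationThread is exported by ntdll.dll; the output buffer is one pointer.
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr threadHandle, int threadInformationClass,
        out IntPtr threadInformation, int threadInformationLength, IntPtr returnLength);

    // Returns the Win32 start address (the lpStartAddress given to Create[Remote]Thread) of one
    // thread, or IntPtr.Zero if the thread could not be opened or the query failed.
    static IntPtr GetWin32StartAddress(int threadId)
    {
        IntPtr hThread = OpenThread(THREAD_QUERY_INFORMATION, false, (uint)threadId);
        if (hThread == IntPtr.Zero)
            return IntPtr.Zero;
        try
        {
            IntPtr startAddress;
            int status = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress,
                out startAddress, IntPtr.Size, IntPtr.Zero);
            return status == 0 ? startAddress : IntPtr.Zero; // 0 == STATUS_SUCCESS
        }
        finally
        {
            CloseHandle(hThread);
        }
    }

    static void Main()
    {
        Process[] found = Process.GetProcessesByName("Calculator");
        if (found.Length == 0)
        {
            Console.WriteLine("Process not found");
            return;
        }

        foreach (ProcessThread thread in found[0].Threads)
        {
            IntPtr win32Start = GetWin32StartAddress(thread.Id);
            // Print both addresses as hex pointers instead of signed integers.
            Console.WriteLine("TID {0,6}: StartAddress=0x{1} Win32StartAddress=0x{2}",
                thread.Id, thread.StartAddress.ToString("X"), win32Start.ToString("X"));
        }
    }
}
```

Build the program with the same bitness as the process being inspected (x64 for a 64-bit target): from a 32-bit process the IntPtr values are 4 bytes and a 64-bit target's addresses would be truncated. Threads started through Create[Remote]Thread will all show the same StartAddress (RtlUserThreadStart) while their Win32StartAddress values differ; a 0 in the Win32StartAddress column means OpenThread or the query failed for that thread, for instance for lack of access.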
