i've setup simple c# program. have imported kernel32.dll
openprocess
, readprocessmemory
, writeprocessmemory
.
i've acquired external process process
class.
how can startaddress
thread #0 specific processthread
?
process process = process.getprocessesbyname("calculator")[0]; if (process == null) { console.writeline("process not found"); return; } foreach (processthread thread in process.threads) { console.writeline(thread.startaddress); }
the result of code above is:
-157479632 -157479632 -157479632 -157479632 0 -157479632 -157479632 -157479632 -157479632 -157479632 -157479632 -157479632
why there 0's , rest same , negative?
in thread object (struct _ethread
) exist 2 different start address - startaddress
- address thread begin execute after walk throughout dlls via ldrinitializethunk
. exist second address - win32startaddress
. sense of address - when create thread win32 function create[remothe]thread
(or shell) - win32 level set common thread startaddress
ntdll.rtlthreadthreadstart
(name of function depend windows version, on xp - name) , actual lpstartaddress passed create[remothe]thread
parameter. rtlthreadthreadstart
call actual lpstartaddress. lpstartaddress , stored in win32startaddress
.
because threads created via win32 create[remothe]thread
- have same startaddress
(for have startaddress
need direct call low-level api rtlcreateuserthread
. in system process - startaddress
actual thread start address in kernel)
when use code
foreach (processthread thread in process.threads) { console.writeline(thread.startaddress); }
you got startaddress
- , absolute normal in case give same address. in case can got 0 or incorrect value - because in version windows startaddress
saved in union member , can overwritten.
for win32startaddress
must have opened thread handle thread_query_limited_information
or thread_query_information
, call zwqueryinformationthread
threadquerysetwin32startaddress
pvoid pv; zwqueryinformationthread(hthread, threadquerysetwin32startaddress, &pv, sizeof(pv), 0);
and all negative?
because incorrect print thread address - pointer. print signed integer. must print in hex pointer %p
format
Comments
Post a Comment