
Suggestion to update thread start address

Open osadrac opened this issue 3 years ago • 2 comments

Hello, I made a change in the thread system; I was not updating the thread start address. Maybe it can be officially implemented in the future.

// Requires: using System; using System.ComponentModel; using System.Runtime.InteropServices;
// OpenThread, CloseHandle and ThreadAccess are the library's existing kernel32 P/Invoke
// declarations; the NtQueryInformationThread import and ThreadInfoClass enum below are the
// additions, placed in the Imps class that the call site refers to.

// Returns the Win32 start address of a thread, i.e. the routine that was passed to
// CreateThread, which is what distinguishes threads created from different modules.
public static IntPtr GetThreadStartAddress(int threadId)
{
    // THREAD_QUERY_INFORMATION is needed for this information class.
    var hThread = OpenThread(ThreadAccess.QUERY_INFORMATION, false, (uint)threadId);
    if (hThread == IntPtr.Zero)
        throw new Win32Exception();   // message comes from GetLastError()

    var buf = Marshal.AllocHGlobal(IntPtr.Size);
    try
    {
        var result = Imps.NtQueryInformationThread(hThread,
                         ThreadInfoClass.ThreadQuerySetWin32StartAddress,
                         buf, IntPtr.Size, IntPtr.Zero);
        // The return value is an NTSTATUS (0 = STATUS_SUCCESS), not a Win32 error,
        // so it is reported explicitly instead of via GetLastError().
        if (result != 0)
            throw new Win32Exception(string.Format("NtQueryInformationThread failed; NTSTATUS = {0:X8}", result));
        return Marshal.ReadIntPtr(buf);
    }
    finally
    {
        CloseHandle(hThread);
        Marshal.FreeHGlobal(buf);
    }
}

internal static class Imps
{
    // Only the information class used here is listed; other values are unrelated.
    public enum ThreadInfoClass : int
    {
        ThreadQuerySetWin32StartAddress = 9
    }

    [DllImport("ntdll.dll", SetLastError = true)]
    internal static extern int NtQueryInformationThread(
        IntPtr threadHandle,
        ThreadInfoClass threadInformationClass,
        IntPtr threadInformation,
        int threadInformationLength,
        IntPtr returnLengthPtr);
}

To differentiate the threads, some use the start address; it would make it a lot easier. I made a function to suspend the thread by start address.

osadrac, Jan 25 '22 10:01

Added in https://github.com/erfg12/memory.dll/commit/56b43e3f51d094ccecd1d167927d8e93b1a954e7. If you need to modify the method or add more methods, please fork the source, add or modify the code, and send a PR. Thank you!

erfg12, Jan 25 '22 17:01

Good night. I saw that you added the function; it was pretty cool. We can also make a modification in GetThreads to return the correct address in the debug output, maybe even a list for possible bypasses by pausing threads.

// Requires: using System.Diagnostics;
// Lists every thread of the opened process together with its Win32 start address.
// MSize() is the library's helper that returns the hex format string matching the
// target's pointer width, so addresses print as 8 or 16 digits.
public void GetThreads()
{
    if (mProc.Process == null)
    {
        Debug.WriteLine("mProc.Process is null so GetThreads failed.");
        return;
    }

    foreach (ProcessThread thd in mProc.Process.Threads)
    {
        Debug.WriteLine("ID:" + thd.Id
            + " State:" + thd.ThreadState
            + " Address: 0x" + GetThreadStartAddress(thd.Id).ToString(MSize())
            + " Priority:" + thd.PriorityLevel);
    }
}

I will fork the project for future updates that can help the community

https://github.com/osadrac/memory.dll/commit/f8035fb02c23d9c5cd2551946d95e7cca8fa716d

osadrac, Jan 27 '22 02:01
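As an added, stand-alone example of what the two comments above describe (querying ThreadQuerySetWin32StartAddress, listing threads by start address, and suspending threads chosen by start address), the program below is not memory.dll code and not the commenters' code. It resolves each start address to module+offset via Process.Modules so the list is readable, and suspends or resumes only the threads that started inside a module named on the command line. It assumes Windows, a caller with rights to open the target's threads, and a target of the same bitness as the caller (reading IntPtr.Size bytes from a 64-bit target out of a 32-bit caller would truncate the address, and Process.Modules fails across bitness). The class and helper names are this example's own.

```csharp
// Added example (not memory.dll): list a target's threads with start addresses resolved
// to module+offset, and suspend/resume the threads that started inside a named module.
// Assumes Windows, rights to open the target's threads, and same bitness as the target.
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class ThreadStartDemo
{
    [Flags]
    enum ThreadAccess : uint
    {
        SUSPEND_RESUME = 0x0002,     // THREAD_SUSPEND_RESUME
        QUERY_INFORMATION = 0x0040,  // THREAD_QUERY_INFORMATION
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint SuspendThread(IntPtr hThread);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint ResumeThread(IntPtr hThread);
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);
    // Returns an NTSTATUS (0 = STATUS_SUCCESS), so SetLastError is not used here.
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr threadHandle, int threadInformationClass,
        IntPtr threadInformation, int threadInformationLength, IntPtr returnLength);

    const int ThreadQuerySetWin32StartAddress = 9;
    // The address handed to CreateThread for this thread (not the ntdll start wrapper).
    static IntPtr GetThreadStartAddress(int threadId)
    {
        IntPtr h = OpenThread(ThreadAccess.QUERY_INFORMATION, false, (uint)threadId);
        if (h == IntPtr.Zero) throw new Win32Exception();
        IntPtr buf = Marshal.AllocHGlobal(IntPtr.Size);
        try
        {
            int status = NtQueryInformationThread(h, ThreadQuerySetWin32StartAddress, buf, IntPtr.Size, IntPtr.Zero);
            if (status != 0) throw new Win32Exception(string.Format("NtQueryInformationThread failed; NTSTATUS = {0:X8}", status));
            return Marshal.ReadIntPtr(buf);
        }
        finally { CloseHandle(h); Marshal.FreeHGlobal(buf); }
    }

    // Module containing addr, or null for JIT-compiled or manually mapped code.
    static ProcessModule FindModule(Process proc, IntPtr addr)
    {
        long a = addr.ToInt64();
        foreach (ProcessModule m in proc.Modules)
        {
            long b = m.BaseAddress.ToInt64();
            if (a >= b && a < b + m.ModuleMemorySize) return m;
        }
        return null;
    }

    static string Describe(Process proc, IntPtr addr)
    {
        ProcessModule m = FindModule(proc, addr);
        return m == null ? "?" : m.ModuleName + "+0x" + (addr.ToInt64() - m.BaseAddress.ToInt64()).ToString("X");
    }

    // Suspends (suspend == true) or resumes every thread whose start address lies in moduleName and
    // returns how many changed. Threads that exit or refuse to open mid-enumeration are skipped.
    static int SetThreadsByModule(Process proc, string moduleName, bool suspend)
    {
        int changed = 0;
        foreach (ProcessThread t in proc.Threads)
        {
            IntPtr start;
            try { start = GetThreadStartAddress(t.Id); } catch (Win32Exception) { continue; }
            ProcessModule m = FindModule(proc, start);
            if (m == null || !string.Equals(m.ModuleName, moduleName, StringComparison.OrdinalIgnoreCase)) continue;
            IntPtr h = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)t.Id);
            if (h == IntPtr.Zero) continue;
            // Both calls return the previous suspend count, or 0xFFFFFFFF on failure.
            try { if ((suspend ? SuspendThread(h) : ResumeThread(h)) != uint.MaxValue) changed++; }
            finally { CloseHandle(h); }
        }
        return changed;
    }

    // Usage: ThreadStartDemo.exe <pid> [module.dll]; the second argument suspends that module's threads until Enter.
    static void Main(string[] args)
    {
        Process proc = Process.GetProcessById(int.Parse(args[0]));
        foreach (ProcessThread t in proc.Threads)
        {
            IntPtr start = GetThreadStartAddress(t.Id);
            Console.WriteLine("TID {0,6} {1,-8} 0x{2} {3}", t.Id, t.ThreadState, start.ToString("X"), Describe(proc, start));
        }
        if (args.Length < 2) return;
        Console.WriteLine("suspended {0} thread(s) started in {1}; press Enter to resume", SetThreadsByModule(proc, args[1], true), args[1]);
        Console.ReadLine();
        SetThreadsByModule(proc, args[1], false);
    }
}
```

Two caveats worth keeping in mind when using this approach. NtQueryInformationThread is an internal ntdll API whose information classes are not contractually stable, so treat a non-zero NTSTATUS as an expected outcome rather than a bug. And SuspendThread stops the thread wherever it happens to be, including inside the heap or loader lock; a suspended thread holding such a lock can deadlock the target, and the caller too if it later touches the target's loader (for example by enumerating modules), so resume promptly and do as little as possible while threads are suspended.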