Attempting NtQuerySystemInformation to get specific process's threads start address
I'm using(and coding for) Windows 7 x86.
Problem: Trying to get specific process's thread start lists (with module name)
The easy way, aka NtQueryInformationThread requires thread handle with ThreadQueryInformation Access.
Attempted OpenThread with Thread_Query_Information, always returned 0xc0000022.
So i looked up ProcessHacker's Source code, Which gets Process's Thread list with NtQuerySystemInformation.
Problem is, Most of threads returned invalid value when i tried iterating while original PH code works fine.
What am i doing wrong here?
SeDebugPrivilege, UAC Admin mode was granted, to get Thread_Query_Information Access. But failed :(
void QueryStartAddr()
{
ULONG ReturnLength;
PVOID buff;
PSYSTEM_PROCESS_INFO spi;
HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
NTQUERYSYSTEMINFORMATION pNTQSI;
pNTQSI = (NTQUERYSYSTEMINFORMATION)
GetProcAddress(ntdll, "NtQuerySystemInformation");
//get buffer size to allocate
pNTQSI(SystemProcessInformation, NULL, NULL, &ReturnLength);
buff = VirtualAlloc(NULL, ReturnLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
printf("szBuffer: %d \n", ReturnLength);
spi = (PSYSTEM_PROCESS_INFO)buff;
pNTQSI(SystemProcessInformation, spi, ReturnLength, NULL);
while (spi->NextEntryOffset)
{
int status = pNTQSI(SystemProcessInformation, spi, ReturnLength, NULL);
printf("PID: %08x, %d \n", spi->UniqueProcessId, spi->UniqueProcessId);
if (spi->UniqueProcessId == (HANDLE)pid)
{
PSYSTEM_THREAD_INFORMATION threads = spi->Threads;
for (int i = 0; i < spi->NumberOfThreads; i++)
{
PSYSTEM_THREAD_INFORMATION thread = &threads[i];
int startaddr = (int)thread->StartAddress;
printf("PID: %d, TID: %d, Startaddr : %08x \n", spi->UniqueProcessId, thread->ClientId.UniqueThread, thread->StartAddress);
}
}
spi = (PSYSTEM_PROCESS_INFO)((LPBYTE)spi + spi->NextEntryOffset);
}
asked on Stack Overflow Jul 27, 2019 by 
아아니으
아아니으0 Answers
Nobody has answered this question yet.
User contributions licensed under CC BY-SA 3.0