windows - Get Thread's Start Address for External Process in C# -


i've setup simple c# program. have imported kernel32.dll openprocess, readprocessmemory , writeprocessmemory.

i've acquired external process process class.

how can startaddress thread #0 specific processthread?

process process = process.getprocessesbyname("calculator")[0]; if (process == null) {     console.writeline("process not found");     return; }  foreach (processthread thread in process.threads) {     console.writeline(thread.startaddress); }

the result of code above is:

-157479632 -157479632 -157479632 -157479632 0 -157479632 -157479632 -157479632 -157479632 -157479632 -157479632 -157479632

why there 0's , rest same , negative?

in thread object (struct _ethread) exist 2 different start address - startaddress - address thread begin execute after walk throughout dlls via ldrinitializethunk. exist second address - win32startaddress. sense of address - when create thread win32 function create[remothe]thread (or shell) - win32 level set common thread startaddress ntdll.rtlthreadthreadstart (name of function depend windows version, on xp - name) , actual lpstartaddress passed create[remothe]thread parameter. rtlthreadthreadstart call actual lpstartaddress. lpstartaddress , stored in win32startaddress.

because threads created via win32 create[remothe]thread - have same startaddress (for have startaddress need direct call low-level api rtlcreateuserthread. in system process - startaddress actual thread start address in kernel)

when use code

foreach (processthread thread in process.threads) {     console.writeline(thread.startaddress); }

you got startaddress - , absolute normal in case give same address. in case can got 0 or incorrect value - because in version windows startaddress saved in union member , can overwritten.

for win32startaddress must have opened thread handle thread_query_limited_information or thread_query_information , call zwqueryinformationthread threadquerysetwin32startaddress

    pvoid pv;     zwqueryinformationthread(hthread, threadquerysetwin32startaddress, &pv, sizeof(pv), 0);

and all negative?

because incorrect print thread address - pointer. print signed integer. must print in hex pointer %p format


Comments

Post a Comment

Popular posts from this blog

resizing Telegram inline keyboard -

telegram's inline keyboard great feature lots of different use cases. inline buttons added list of items this: inline_keyboard = [[inlinekeyboardbutton(text="button", callback_data="button"), inlinekeyboardbutton(text="reset",callback_data="reset")]] inline_keyboard_markup = inlinekeyboardmarkup(inline_keyboard) update.message.reply_text("hi", reply_markup=inline_keyboard_markup) the above code adds 2 buttons each half width of chat screen. i know the normal keyboard button there resize_keyboard parameter somehow can used. my question is there way resize inline buttons ? example make full width or quarter width. unfortunately, can't now. :( you can suggest @botsupport , might add feature next version.
Read more

javascript - How to bind ViewModel Store to View? -

i'm pretty new ext js , trying embed multiselect inside panel . the viewmodel has stores property can see here: ext.define('test.view.controls.search.searchfiltermodel', { extend: 'ext.app.viewmodel', alias: 'viewmodel.filter', data: { title: '' }, stores: { test: { fields: [ 'id', 'name' ], proxy: { type: 'ajax', url: 'api/test', reader: 'array' }, autoload: true } } }); i bind in view this: viewmodel: { type: 'filter' }, layout: 'fit', border: 1, plain: true, scrollable: 'y', layout: 'fit', bind: { title: '{title}', }, items: { xtype: 'multiselect', scrollable: false, allowblank: true, ddreorder: true, bind: { store: '{test}' }, valuefield: 'id', displayfield: 'name' } ...
Read more

c - Why does alarm() cause fgets() to stop waiting? -

i playing around signals in c. main function asks input using fgets(name, 30, stdin) , , sits there , waits. set alarm alarm(3) , , reassigned sigalrm call function myalarm calls system("say pay attention") . after alarm goes off, fgets() stops waiting input , main fn continues on. happens if change myalarm set variable , nothing it. void myalarm(int sig) { //system("say pay attention"); int x = 0; } int catch_signal(int sig, void (*handler)(int)) { // when signal comes in, "catch" , "handle it" in way want struct sigaction action; // create new sigaction action.sa_handler = handler; // set it's sa_handler attribute function specified in header sigemptyset(&action.sa_mask); // "turn signals in sa_mask off?" "set sa_mask contian no signals, i.e. nothing masked?" action.sa_flags = 0; // not sure, looks aren't using of available flags, whatever may return sigaction(sig, ...
Read more