
Extract the current thread's entry point (EP / StartAddress) via ZwQuerySystemInformation(SystemProcessInformation).

  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Code to get the entry point (StartAddress) of the current thread
  4. #include "stdafx.h"
  5. #include "iostream.h"
  6. #include "windows.h"
  7. #include "structs.h"
  8.  
// Process/thread identifier pair embedded in SYSTEM_THREAD_INFORMATION.
// The real definition uses HANDLE-sized fields; unsigned long only matches
// that in a 32-bit build.
struct CLIENT_ID
{
     unsigned long UniqueProcess;   // owning process id
     unsigned long UniqueThread;    // thread id; main() matches it against GetCurrentThreadId()
};
  14.  
// Counted UTF-16 string as used by the native API.  Per the Windows definition
// Length/MaximumLength are byte counts and Buffer is not guaranteed to be
// NUL-terminated, so it must never be handed to C-string routines.  For the
// ProcessName member the kernel is expected to point Buffer inside the same
// snapshot, so it is only valid while that snapshot buffer is alive.
struct UNICODE_STRING
{
 unsigned short Length;        // bytes in use, not characters
 unsigned short MaximumLength; // bytes available at Buffer
 wchar_t*  Buffer;             // not NUL-terminated by contract
};
  21.  
// Memory counters embedded in each SYSTEM_PROCESS_INFORMATION entry.
// Declared with 4-byte unsigned long fields, i.e. the 32-bit layout (the
// 64-bit definition widens most of these to pointer size — confirm against
// the current winternl.h before building for x64).  main() never reads these
// values; the struct only has to occupy the right number of bytes so that
// the members after it land at the correct offsets.
struct VM_COUNTERS
{
    unsigned long PeakVirtualSize;
    unsigned long VirtualSize;
    unsigned long PageFaultCount;
    unsigned long PeakWorkingSetSize;
    unsigned long WorkingSetSize;
    unsigned long QuotaPeakPagedPoolUsage;
    unsigned long QuotaPagedPoolUsage;
    unsigned long QuotaPeakNonPagedPoolUsage;
    unsigned long QuotaNonPagedPoolUsage;
    unsigned long PagefileUsage;
    unsigned long PeakPagefileUsage;
};
  36.  
// I/O counters embedded in each SYSTEM_PROCESS_INFORMATION entry (same shape
// as the public IO_COUNTERS).  Not read by main(); it only occupies space.
// NOTE(review): ULONGLONG members are 8-byte aligned under the compiler's
// default packing, so the offset of this member — and of Threads[] after it —
// depends on that packing matching what the kernel writes.
struct IO_COUNTERS
{
  ULONGLONG ReadOperationCount;
  ULONGLONG WriteOperationCount;
  ULONGLONG OtherOperationCount;
  ULONGLONG ReadTransferCount;
  ULONGLONG WriteTransferCount;
  ULONGLONG OtherTransferCount;
};
  46.  
// One per-thread record; ThreadCount of these follow each process entry in
// the snapshot.  StartAddress is the value main() prints: the start address
// the kernel holds for the thread, which is not read from user-mode memory
// and so is unaffected by patches to the in-memory PE entry point.
// A 4-byte StartAddress and 4-byte CLIENT_ID fields again assume a 32-bit
// process; in a 64-bit build these are pointer-sized and the layout shifts.
struct SYSTEM_THREAD_INFORMATION
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    unsigned long WaitTime;
    unsigned long StartAddress;       // thread start address (a pointer in the real definition)
    CLIENT_ID ClientId;               // UniqueThread is matched against GetCurrentThreadId()
    long Priority;
    long BasePriority;
    unsigned long ContextSwitchCount;
    long State;
    long WaitReason;
};
  61.  
  62.  
// One process entry of the SystemProcessInformation snapshot.  Entries are
// chained by NextEntryDelta (byte offset to the next entry, 0 on the last)
// and each is immediately followed by ThreadCount SYSTEM_THREAD_INFORMATION
// records.
//
// This is a hand-written, undocumented layout using 32-bit field sizes.  The
// Reserved* arrays stand in for fields this program does not care about; all
// that matters is that NextEntryDelta, ThreadCount, ProcessId and the start of
// Threads[] sit at the offsets the running kernel uses.  If the OS release or
// the bitness changes the layout, the walk in main() silently reads the wrong
// bytes — it does not fail loudly.
struct SYSTEM_PROCESS_INFORMATION {
unsigned long NextEntryDelta;        // byte offset to the next entry; 0 = last entry
unsigned long ThreadCount;           // number of Threads[] records that follow this header
unsigned long Reserved1[6];          // opaque padding for fields not used here
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;          // Buffer points into this snapshot; not NUL-terminated
long BasePriority;
unsigned long ProcessId;             // compared with GetCurrentProcessId() in main()
unsigned long InheritedFromProcessId;
unsigned long HandleCount;
unsigned long Reserved2[2];          // opaque padding for fields not used here
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[5]; //Here, 5 is a random number: a placeholder for the trailing variable-length array. main() indexes up to ThreadCount-1, which can exceed 4; the real bound is the end of the snapshot buffer, not this array size.
};
  80.  
// SYSTEM_INFORMATION_CLASS value for the process/thread snapshot
// (SystemProcessInformation = 5 in the public headers).
#define SystemProcessesAndThreadsInformation 0x5
// NTSTATUS returned when the supplied buffer is too small; the caller is
// expected to grow the buffer and retry.  The literal is an unsigned int while
// main() keeps the status in a signed int, so the equality test relies on the
// usual arithmetic conversions (ret is converted to unsigned).
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004

// Process exit codes chosen by the author; they are not Windows values.
#define CANT_ALLOCATE 0x333 //mine: LocalAlloc failed
#define DONE          0x111 //mine: current thread found and its StartAddress printed
// ntdll export, declared by hand so no NT headers are needed.  The system
// prototype is
//   NTSTATUS NTAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS Class,
//       PVOID Buffer, ULONG Length, PULONG ReturnLength /* optional */);
// int/void* below have the same sizes as those types (only signedness
// differs).  A negative return is an NTSTATUS failure code.  Resolve it by
// linking against ntdll.lib or via GetProcAddress at run time.
extern "C"
{
   int __stdcall ZwQuerySystemInformation(int,void*,int,void*);
}
  90.  
  91.  
  92.  
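// Locate the calling thread in a SystemProcessInformation snapshot and print
// the StartAddress the kernel recorded for it.  That value is held by the
// kernel, not read from the image in user mode, so it reflects the address
// the thread was actually started with even if the in-memory PE entry point
// has since been patched (the "EP" of the title).
//
// Exit codes: DONE (0x111) when the thread was found and printed,
// CANT_ALLOCATE (0x333) when LocalAlloc fails, 0 otherwise (query failed,
// buffer cap reached, or the thread was not found).
//
// Review notes:
//  * Every SYSTEM_* layout above is hand-declared with 32-bit field sizes.
//    In a 64-bit build, or on a release whose layout differs, the offsets are
//    wrong and the walk reads garbage.  The buffer-end checks below keep that
//    to a wrong answer instead of an out-of-bounds read.
//  * The result is only as trustworthy as this process's ntdll: anything that
//    hooks ZwQuerySystemInformation in-process can return any StartAddress.
int main(int argc, char* argv[])
{
        // Buffer growth is capped.  The snapshot can legitimately grow between
        // two calls, so one STATUS_INFO_LENGTH_MISMATCH may be followed by
        // another, but a retry loop with no ceiling can be driven into very
        // large allocations.  64 MiB is far above any realistic process list.
        const unsigned long cbMaxBuffer=0x4000000;
        unsigned long cbBuffer=0x5000;
        unsigned long cbReturned=0;       // ReturnLength: bytes the kernel wrote
        void* Buffer=(void*)LocalAlloc(0,cbBuffer);
        if(Buffer==0) return CANT_ALLOCATE;

        bool error=false;
        for(;;)
        {
                cbReturned=0;
                int ret=ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,Buffer,cbBuffer,&cbReturned);
                if(ret>=0) break;                                   // NTSTATUS success
                if(ret!=STATUS_INFO_LENGTH_MISMATCH || cbBuffer>=cbMaxBuffer)
                {
                        error=true;                                 // hard failure, or cap reached
                        break;
                }
                // Buffer too small: double it and retry.
                LocalFree(Buffer);
                cbBuffer=cbBuffer*2;
                Buffer=(void*)LocalAlloc(0,cbBuffer);
                if(Buffer==0) return CANT_ALLOCATE;
        }

        if(error==false)
        {
                // Bound every read by what the kernel says it wrote, falling
                // back to the allocation size if ReturnLength was left empty.
                unsigned long cbUsed=(cbReturned!=0 && cbReturned<=cbBuffer)?cbReturned:cbBuffer;
                const unsigned char* end=(const unsigned char*)Buffer+cbUsed;
                unsigned long myPid=GetCurrentProcessId();
                unsigned long myTid=GetCurrentThreadId();

                SYSTEM_PROCESS_INFORMATION* p=(SYSTEM_PROCESS_INFORMATION*)Buffer;
                while(1)
                {
                        // The fixed part of an entry (everything before Threads[])
                        // must lie inside the snapshot before it is touched.  This
                        // only fires on a layout mismatch or a bad NextEntryDelta.
                        if((const unsigned char*)p->Threads>end) break;

                        cout<<(int*)myPid<<" "<<(int*)(p->ProcessId)<<endl;
                        if(p->ProcessId==myPid)
                        {
                                // Threads[5] is only a placeholder; ThreadCount
                                // records follow the header.  Stop at the end of
                                // the snapshot rather than trusting the count alone.
                                for(unsigned long i=0;i<p->ThreadCount;i++)
                                {
                                        if((const unsigned char*)&p->Threads[i+1]>end) break;
                                        if(myTid==p->Threads[i].ClientId.UniqueThread)
                                        {
                                                cout<<"found"<<endl;
                                                cout<<(int*)(p->Threads[i].StartAddress)<<endl;
                                                LocalFree(Buffer);
                                                ExitProcess(DONE);
                                        }
                                }
                        }
                        if(p->NextEntryDelta==0) break;
                        p=(SYSTEM_PROCESS_INFORMATION*)((unsigned char*)p+(p->NextEntryDelta));
                }
        }
        LocalFree(Buffer);
        return 0;
}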