waliedassar

Extract current thread EP.

Jun 23rd, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Code to get the entry point (StartAddress) of the current thread
  4. #include "stdafx.h"
  5. #include "iostream.h"
  6. #include "windows.h"
  7. #include "structs.h"
  8.  
//Owning process id / thread id pair embedded in SYSTEM_THREAD_INFORMATION.
//NOTE(review): both members are 4-byte integers here, which only matches a
//32-bit (x86) process; the native structure holds pointer-sized handles, so
//this layout is not 64-bit safe - confirm the target build is x86.
struct CLIENT_ID
{
     unsigned long UniqueProcess; //process id the thread belongs to
     unsigned long UniqueThread;  //thread id; main compares it with GetCurrentThreadId()
};
  14.  
//Counted UTF-16 string (Length/MaximumLength are byte counts in the native
//definition; the buffer is not guaranteed to be NUL-terminated).
//Only used here as a layout placeholder so the fields after ProcessName line up.
struct UNICODE_STRING
{
 unsigned short Length;
 unsigned short MaximumLength;
 wchar_t*  Buffer;
};
  21.  
//Per-process memory usage counters. Declared only so that the offsets of the
//fields that follow it in SYSTEM_PROCESS_INFORMATION are correct; nothing in
//this program reads these values. All members are 4 bytes (32-bit layout).
struct VM_COUNTERS
{
    unsigned long PeakVirtualSize;
    unsigned long VirtualSize;
    unsigned long PageFaultCount;
    unsigned long PeakWorkingSetSize;
    unsigned long WorkingSetSize;
    unsigned long QuotaPeakPagedPoolUsage;
    unsigned long QuotaPagedPoolUsage;
    unsigned long QuotaPeakNonPagedPoolUsage;
    unsigned long QuotaNonPagedPoolUsage;
    unsigned long PagefileUsage;
    unsigned long PeakPagefileUsage;
};
  36.  
//Per-process I/O statistics (six 64-bit counters); layout placeholder only.
//NOTE(review): newer Windows SDKs already declare IO_COUNTERS in winnt.h, which
//windows.h pulls in above - if the SDK in use provides it, this local definition
//is redundant and may conflict; confirm against the build environment.
struct IO_COUNTERS
{
  ULONGLONG ReadOperationCount;
  ULONGLONG WriteOperationCount;
  ULONGLONG OtherOperationCount;
  ULONGLONG ReadTransferCount;
  ULONGLONG WriteTransferCount;
  ULONGLONG OtherTransferCount;
};
  46.  
//One thread record; ThreadCount of these follow the fixed part of each
//SYSTEM_PROCESS_INFORMATION entry.
//NOTE(review): StartAddress and the CLIENT_ID members are 4 bytes here, so the
//record size only matches a 32-bit process - confirm the target build is x86.
struct SYSTEM_THREAD_INFORMATION
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    unsigned long WaitTime;
    unsigned long StartAddress;        //thread start address; this is the value main prints
    CLIENT_ID ClientId;                //process/thread id pair used to locate the current thread
    long Priority;
    long BasePriority;
    unsigned long ContextSwitchCount;
    long State;
    long WaitReason;
};
  61.  
  62.  
//One entry of the snapshot returned by ZwQuerySystemInformation for class
//SystemProcessesAndThreadsInformation. Entries are variable-sized: the fixed
//part is followed by ThreadCount thread records, and NextEntryDelta is the byte
//offset from this entry to the next one (0 marks the last entry).
//NOTE(review): the offsets are data from the snapshot, not trusted values - any
//walker must keep both the entry and its thread records inside the buffer it
//was given, since it has no other way to know the snapshot's real length.
struct SYSTEM_PROCESS_INFORMATION {
unsigned long NextEntryDelta;       //byte offset to the next entry, 0 on the last
unsigned long ThreadCount;          //number of SYSTEM_THREAD_INFORMATION records in Threads
unsigned long Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
long BasePriority;
unsigned long ProcessId;            //compared with GetCurrentProcessId() in main
unsigned long InheritedFromProcessId;
unsigned long HandleCount;
unsigned long Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[5]; //5 is a placeholder: the real count is ThreadCount,
                                      //so indexing past 5 is expected and must be bounded by
                                      //the buffer size, not by sizeof(Threads)
};
  80.  
//Information class passed to ZwQuerySystemInformation: a snapshot of all
//processes and their threads (value 0x5 of the SYSTEM_INFORMATION_CLASS enum).
#define SystemProcessesAndThreadsInformation 0x5
//NTSTATUS meaning "the supplied buffer is too small"; main retries with a
//doubled buffer when it sees this status.
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004

//Program exit codes chosen by the author (not Windows status values).
#define CANT_ALLOCATE 0x333 //mine: LocalAlloc returned NULL
#define DONE          0x111 //mine: the current thread's record was found and printed
//Native (ntdll) system query, declared by hand because it is not in the public
//SDK headers. Parameters: information class, output buffer, buffer size in
//bytes, optional pointer that receives the required/returned length (main
//passes 0 and therefore never learns the real size of the snapshot).
//Returns an NTSTATUS; negative values are failures (main tests ret<0).
//NOTE(review): declared with int where the native prototype uses ULONG/PULONG;
//the symbol must be resolved at link time (e.g. ntdll import library) - confirm.
extern "C"
{
   int __stdcall ZwQuerySystemInformation(int,void*,int,void*);
}
  90.  
  91.  
  92.  
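//Walks the process/thread snapshot returned by ZwQuerySystemInformation, finds
//the record of the calling thread and prints its StartAddress.
//Exit codes: CANT_ALLOCATE if a buffer cannot be allocated, QUERY_FAILED if the
//query fails with a status other than STATUS_INFO_LENGTH_MISMATCH (the original
//returned 0 in that case), DONE when the thread record was found and printed,
//0 when the snapshot held no record for the current thread.
//argc/argv are unused.
int main(int argc, char* argv[])
{
    enum { QUERY_FAILED = 0x222 }; //mine: query failed with an unexpected status

    unsigned long cbBuffer=0x5000;
    void* Buffer=(void*)LocalAlloc(0,cbBuffer);
    if(Buffer==0) return CANT_ALLOCATE;

    //Retry with a doubled buffer until the snapshot fits. ReturnLength is not
    //requested (last argument 0), so cbBuffer is the only known bound on the
    //data and every later access is checked against it.
    for(;;)
    {
        int ret=ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,Buffer,cbBuffer,0);
        if(ret>=0) break;
        if(ret!=(int)STATUS_INFO_LENGTH_MISMATCH) //cast: the macro is an unsigned constant, ret is int
        {
            LocalFree(Buffer);
            return QUERY_FAILED;
        }
        LocalFree(Buffer);
        cbBuffer=cbBuffer*2;
        Buffer=(void*)LocalAlloc(0,cbBuffer);
        if(Buffer==0) return CANT_ALLOCATE;
    }

    const unsigned char* bufEnd=(const unsigned char*)Buffer+cbBuffer;
    SYSTEM_PROCESS_INFORMATION* p=(SYSTEM_PROCESS_INFORMATION*)Buffer;
    //Size of an entry without its trailing thread array: Threads[5] is only a
    //placeholder, the real array has ThreadCount records.
    const unsigned long cbEntryHeader=sizeof(*p)-sizeof(p->Threads);
    const unsigned long pid=GetCurrentProcessId();
    const unsigned long tid=GetCurrentThreadId();
    int rc=0;

    //NextEntryDelta and ThreadCount come from the snapshot; both are validated
    //against the buffer before they are used to form a pointer or an index.
    while((unsigned long)(bufEnd-(const unsigned char*)p)>=cbEntryHeader)
    {
        cout<<(int*)pid<<" "<<(int*)(p->ProcessId)<<endl;
        if(p->ProcessId==pid)
        {
            SYSTEM_THREAD_INFORMATION* t=p->Threads;
            //Number of whole thread records that actually fit between the
            //thread array and the end of the buffer.
            const unsigned long maxThreads=
                (unsigned long)(bufEnd-(const unsigned char*)t)/sizeof(*t);
            for(unsigned long i=0;i<p->ThreadCount && i<maxThreads;i++)
            {
                if(t[i].ClientId.UniqueThread==tid)
                {
                    cout<<"found"<<endl;
                    cout<<(int*)(t[i].StartAddress)<<endl;
                    rc=DONE; //same exit code the original passed to ExitProcess
                    goto done;
                }
            }
        }
        if(p->NextEntryDelta==0) break;
        //An offset past the end of the buffer would form a pointer outside it.
        if(p->NextEntryDelta>(unsigned long)(bufEnd-(const unsigned char*)p)) break;
        p=(SYSTEM_PROCESS_INFORMATION*)((unsigned char*)p+(p->NextEntryDelta));
    }

done:
    LocalFree(Buffer);
    return rc;
}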