Suspend Thread By Name

#include "stdafx.h"

#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>

using namespace std;

#pragma comment( lib, "psapi" )


enum THREADINFOCLASS
{
	ThreadQuerySetWin32StartAddress = 9,
};

typedef NTSTATUS(__stdcall * f_NtQueryInformationThread)(HANDLE, THREADINFOCLASS, void*, ULONG_PTR, ULONG_PTR*);

ULONG_PTR GetThreadStartAddress(HANDLE hThread)
{
	auto NtQueryInformationThread = reinterpret_cast<f_NtQueryInformationThread>(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread"));
	if (!NtQueryInformationThread)
		return 0;

	ULONG_PTR ulStartAddress = 0;
	NTSTATUS Ret = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &ulStartAddress, sizeof(ULONG_PTR), nullptr);

	if (Ret)
		return 0;

	return ulStartAddress;
}


bool TerminateThreadByStartaddress(ULONG_PTR StartAddress, DWORD dwProcId)
{
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (!hSnap)
		return false;

	THREADENTRY32 TE32 = { 0 };
	TE32.dwSize = sizeof(THREADENTRY32);

	BOOL Ret = Thread32First(hSnap, &TE32);
	while (Ret)
	{
		if (TE32.th32OwnerProcessID == dwProcId)
		{
			HANDLE hTempThread = OpenThread(THREAD_ALL_ACCESS, FALSE, TE32.th32ThreadID);
			if (!hTempThread)
				continue;

			if (StartAddress == GetThreadStartAddress(hTempThread))
			{
				TerminateThread(hTempThread, 0);
				CloseHandle(hTempThread);
				CloseHandle(hSnap);
				return true;
			}
		}
		Ret = Thread32Next(hSnap, &TE32);
	}

	CloseHandle(hSnap);

	return false;
}


bool SuspendThreadByStartaddress(ULONG_PTR StartAddress, DWORD dwProcId)
{
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (!hSnap)
		return false;

	THREADENTRY32 TE32 = { 0 };
	TE32.dwSize = sizeof(THREADENTRY32);

	BOOL Ret = Thread32First(hSnap, &TE32);
	while (Ret)
	{
		if (TE32.th32OwnerProcessID == dwProcId)
		{
			HANDLE hTempThread = OpenThread(THREAD_ALL_ACCESS, FALSE, TE32.th32ThreadID);
			if (!hTempThread)
				continue;

			if (StartAddress == GetThreadStartAddress(hTempThread))
			{
				SuspendThread(hTempThread);
				CloseHandle(hTempThread);
				CloseHandle(hSnap);
				return true;
			}
		}
		Ret = Thread32Next(hSnap, &TE32);
	}

	CloseHandle(hSnap);

	return false;
}

DWORD dwGetModuleBaseAddress(DWORD dwProcID, TCHAR *szModuleName)
{
	DWORD dwModuleBaseAddress = 0;
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcID);
	if (hSnapshot != INVALID_HANDLE_VALUE)
	{
		MODULEENTRY32 ModuleEntry32;
		ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
		if (Module32First(hSnapshot, &ModuleEntry32))
		{
			do
			{
				if (_tcsicmp(ModuleEntry32.szModule, szModuleName) == 0)
				{
					dwModuleBaseAddress = (DWORD)ModuleEntry32.modBaseAddr;
					break;
				}
			} while (Module32Next(hSnapshot, &ModuleEntry32));
		}
		CloseHandle(hSnapshot);
	}
	return dwModuleBaseAddress;
}

HANDLE GetHandleByName(char* Proc){
	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);

	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

	if (Process32First(snapshot, &entry) == TRUE)
	{
		while (Process32Next(snapshot, &entry) == TRUE)
		{
			if (_tcsicmp(entry.szExeFile, Proc) == 0)
			{
				return OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
			}
		}
	}
	return NULL;
}

int main()
{
	char* ProcessName = "jusched.exe";
	char* ModuleName = "jusched.exe";

	HANDLE hProcess = GetHandleByName(ProcessName);


	if (!hProcess) {
		cout << "Cannot found process...\n";
	}
	else {
		cout << "Process Found [OK]\n";
		DWORD PID = GetProcessId(hProcess);
		cout << "PID : " << PID << endl;
		DWORD base = dwGetModuleBaseAddress(PID, ModuleName); //Process ID / Module Name

		char szBuffer[1024];
		sprintf(szBuffer, "Base Address : 0x%02x", base);
		cout << szBuffer << endl;

		TerminateThreadByStartaddress(base + 0x0000, PID);

		cout << "Coded By Nongkie" << endl;
	}

	getchar();
}