- #include "stdafx.h"
- #include <windows.h>
- #include <stdio.h>
- #include <iostream>
- #include <string>
- #include <TlHelp32.h>
- #include <psapi.h>
- using namespace std;
- #pragma comment( lib, "psapi" )
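// Information class for NtQueryInformationThread that returns the Win32 start
// address a thread was created with.  It is not declared in the public SDK
// headers; this local enum supplies the value.  Note the name clashes with the
// THREADINFOCLASS declared in <winternl.h>, so do not include that header here.
enum THREADINFOCLASS
{
    ThreadQuerySetWin32StartAddress = 9,
};
// NtQueryInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformation,
//                          ThreadInformationLength, ReturnLength).
// The two length parameters are ULONG / PULONG (32-bit).  Declaring them as
// ULONG_PTR only happens to work on x64 because the callee reads the low
// 32 bits of the register; the prototype below matches the real export.
typedef NTSTATUS(__stdcall * f_NtQueryInformationThread)(HANDLE, THREADINFOCLASS, void*, ULONG, PULONG);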
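// Returns the Win32 start address of the thread referenced by hThread, or 0 if
// it cannot be determined (export not found, or the query failed).
// hThread needs THREAD_QUERY_INFORMATION access.  A result of 0 is ambiguous
// between "query failed" and "start address really is 0"; callers must not
// treat 0 as a valid address.
ULONG_PTR GetThreadStartAddress(HANDLE hThread)
{
    // Resolve the export once per process instead of on every call; ntdll.dll
    // is always mapped, and GetModuleHandleA does not take a reference.
    static const auto NtQueryInformationThread = reinterpret_cast<f_NtQueryInformationThread>(
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread"));
    if (!NtQueryInformationThread)
        return 0;
    ULONG_PTR ulStartAddress = 0;
    const NTSTATUS Ret = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress,
                                                  &ulStartAddress, sizeof(ulStartAddress), nullptr);
    // NT_SUCCESS semantics: failure codes have the sign bit set.  Rejecting every
    // non-zero status would also discard informational/warning statuses.
    if (Ret < 0)
        return 0;
    return ulStartAddress;
}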
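// Walks a TH32CS_SNAPTHREAD snapshot and opens the first thread owned by
// dwProcId whose Win32 start address equals StartAddress.
// Returns the opened handle (caller must CloseHandle it) or nullptr when no
// such thread exists or the snapshot could not be taken.  Threads that cannot
// be opened (access denied, already exited) are skipped.  StartAddress == 0 is
// never matched, because GetThreadStartAddress also returns 0 on failure and
// would otherwise "match" any thread whose query failed.
// desiredAccess must include THREAD_QUERY_INFORMATION (needed for the
// start-address query) plus whatever right the caller will exercise.
static HANDLE OpenThreadByStartAddress(ULONG_PTR StartAddress, DWORD dwProcId, DWORD desiredAccess)
{
    if (StartAddress == 0)
        return nullptr;
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return nullptr;
    HANDLE hFound = nullptr;
    THREADENTRY32 TE32 = { 0 };
    TE32.dwSize = sizeof(THREADENTRY32);
    // Advancing in the for-header guarantees Thread32Next runs on every path,
    // so a thread that cannot be opened no longer stalls the loop.
    for (BOOL more = Thread32First(hSnap, &TE32); more && !hFound; more = Thread32Next(hSnap, &TE32))
    {
        if (TE32.th32OwnerProcessID != dwProcId)
            continue;
        HANDLE hThread = OpenThread(desiredAccess, FALSE, TE32.th32ThreadID);
        if (!hThread)
            continue;
        if (GetThreadStartAddress(hThread) == StartAddress)
            hFound = hThread;
        else
            CloseHandle(hThread);  // every non-matching handle must be released here
    }
    CloseHandle(hSnap);
    return hFound;
}

// Terminates the first thread of process dwProcId whose Win32 start address is
// StartAddress.  Returns true only if a matching thread was found and
// TerminateThread succeeded.
// TerminateThread gives the target no chance to clean up: its stack is not
// unwound and any lock it holds stays held, so the target process can be left
// in an inconsistent state.  Prefer SuspendThreadByStartaddress when the goal
// is inspection rather than removal.
bool TerminateThreadByStartaddress(ULONG_PTR StartAddress, DWORD dwProcId)
{
    // Least privilege: request only the rights this function exercises.
    HANDLE hThread = OpenThreadByStartAddress(StartAddress, dwProcId,
                                              THREAD_QUERY_INFORMATION | THREAD_TERMINATE);
    if (!hThread)
        return false;
    const bool ok = TerminateThread(hThread, 0) != FALSE;
    CloseHandle(hThread);
    return ok;
}

// Suspends the first thread of process dwProcId whose Win32 start address is
// StartAddress.  Returns true only if a matching thread was found and
// SuspendThread succeeded.  The thread stays suspended until some caller
// resumes it; this function does not keep a handle for that.
bool SuspendThreadByStartaddress(ULONG_PTR StartAddress, DWORD dwProcId)
{
    // Least privilege: request only the rights this function exercises.
    HANDLE hThread = OpenThreadByStartAddress(StartAddress, dwProcId,
                                              THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME);
    if (!hThread)
        return false;
    // SuspendThread returns the previous suspend count, or (DWORD)-1 on failure.
    const bool ok = SuspendThread(hThread) != static_cast<DWORD>(-1);
    CloseHandle(hThread);
    return ok;
}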
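// Returns the load address of the module named szModuleName (compared
// case-insensitively against the module file name) inside process dwProcID,
// or 0 if the process or module could not be found.
// The result is ULONG_PTR so 64-bit addresses are not truncated to DWORD; the
// function keeps its historical "dw" name so existing callers still compile
// (a DWORD receiver will narrow on x64 - callers should use ULONG_PTR).
ULONG_PTR dwGetModuleBaseAddress(DWORD dwProcID, const TCHAR *szModuleName)
{
    if (!szModuleName)
        return 0;
    // A module snapshot can fail transiently with ERROR_BAD_LENGTH while the
    // target is still loading; the documented remedy is to retry.  Bounded so
    // a persistently failing target cannot spin forever.
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    for (int attempt = 0; attempt < 5; ++attempt)
    {
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcID);
        if (hSnapshot != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
            break;
    }
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;
    ULONG_PTR baseAddress = 0;
    MODULEENTRY32 ModuleEntry32 = { 0 };
    ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
    for (BOOL more = Module32First(hSnapshot, &ModuleEntry32); more; more = Module32Next(hSnapshot, &ModuleEntry32))
    {
        if (_tcsicmp(ModuleEntry32.szModule, szModuleName) == 0)
        {
            baseAddress = reinterpret_cast<ULONG_PTR>(ModuleEntry32.modBaseAddr);
            break;
        }
    }
    CloseHandle(hSnapshot);
    return baseAddress;
}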
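// Opens the first running process whose executable file name matches Proc
// (case-insensitive).  Returns nullptr if nothing matches or the process
// snapshot could not be taken; OpenProcess may also return nullptr for a
// matching process the caller is not permitted to open.  The caller owns the
// returned handle and must CloseHandle it.
// dwDesiredAccess defaults to PROCESS_ALL_ACCESS to preserve the old
// behaviour; callers that only need the PID or basic information should pass
// a narrower right such as PROCESS_QUERY_LIMITED_INFORMATION.
HANDLE GetHandleByName(const char* Proc, DWORD dwDesiredAccess = PROCESS_ALL_ACCESS)
{
    if (!Proc)
        return nullptr;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return nullptr;
    HANDLE hProcess = nullptr;
    PROCESSENTRY32 entry = { 0 };
    entry.dwSize = sizeof(PROCESSENTRY32);
    // The entry filled in by Process32First is compared too, rather than being
    // skipped by calling Process32Next before the first comparison.
    for (BOOL more = Process32First(snapshot, &entry); more; more = Process32Next(snapshot, &entry))
    {
        if (_tcsicmp(entry.szExeFile, Proc) == 0)
        {
            hProcess = OpenProcess(dwDesiredAccess, FALSE, entry.th32ProcessID);
            break;
        }
    }
    // Snapshot handles are kernel objects; release on every path, including a match.
    CloseHandle(snapshot);
    return hProcess;
}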
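// Locates jusched.exe, prints its PID and image base, then terminates the
// thread whose Win32 start address equals that base plus a fixed offset.
// The offset (0x0000) is a constant chosen for one particular build of the
// target; the outcome is reported instead of assumed.
int main()
{
    // Writable arrays rather than string literals: the lookup helpers take
    // non-const pointers, and binding a literal to char* is ill-formed C++.
    char ProcessName[] = "jusched.exe";
    char ModuleName[] = "jusched.exe";
    HANDLE hProcess = GetHandleByName(ProcessName);
    if (!hProcess) {
        cout << "Cannot found process...\n";
    }
    else {
        cout << "Process Found [OK]\n";
        const DWORD PID = GetProcessId(hProcess);
        cout << "PID : " << PID << endl;
        // The module name is the executable itself, so this is the image base.
        const auto base = dwGetModuleBaseAddress(PID, ModuleName);
        // Stream formatting replaces the unbounded sprintf into a stack buffer
        // and prints the full width whatever the address type is.
        cout << "Base Address : 0x" << hex << base << dec << endl;
        if (base == 0) {
            // A base of 0 means the module was not found; a start address of 0
            // would also match any thread whose start-address query failed.
            cout << "Module not found, skipping thread termination" << endl;
        }
        else if (TerminateThreadByStartaddress(base + 0x0000, PID)) {
            cout << "Thread terminated [OK]" << endl;
        }
        else {
            cout << "No thread with that start address was found" << endl;
        }
        cout << "Coded By Nongkie" << endl;
        CloseHandle(hProcess);
    }
    getchar();
    return 0;
}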