Start Address of Threads

Need More API Functions? Request Language Additions Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Start Address of Threads

Postby Shynd » Thu Nov 22, 2007 10:46 am

I've been trolling the DbgHelp forums for a while and came across their StackWalk64 function, which one can use to not only enumerate the threads in a given process, but also figure out where the threads originated (which module, etc). For instance, a lot of anti-hack routines load a DLL that creates an infinite loop thread within the dll module that does a simple CRC check or a IsDebuggerPresent check, among other things. If you use something like Process Explorer and suspend/kill the thread, the anti-hack goes away. However, to find out which thread to kill/suspend, it's extremely helpful to know the start address. For instance, if you look at the start address and it says like xProtect.dll+0x1800, you know that's a thread started by the xProtect module and, therefore, to suspend it.

Anyway, if it wouldn't be too difficult to add this ability to LSS, it'd be extremely useful; I could write a few anti-anti-hack routines for a couple of games I know of right off the bat. Hell, you might even be able to write this into a plugin/library kind of thing where you can add different module+offset threads to automatically suspend upon opening a process or even opening MHS (loop through open processes, check to see if any anti-hack threads that user has added to their library exist, suspend them, then load MHS main window... tones down your detectability).

Just a thought ;)
User avatar
Shynd
Acker
 
Posts: 68
Joined: Fri Jan 05, 2007 2:11 am

Postby Shynd » Thu Nov 22, 2007 10:52 am

Oh yeah, and the ability to set breakpoints via LSS. I have no idea if that's even possible or if it'd be hard or easy or what to implement, but I lay awake dreaming (how's that for irony?) of being able to set all 4 hardware breakpoints in my On_Open function, plus enabling the debugger on the open process. My, the fun I would have with that.
User avatar
Shynd
Acker
 
Posts: 68
Joined: Fri Jan 05, 2007 2:11 am

Postby L. Spiro » Thu Nov 22, 2007 11:31 am

It is all planned for MHS 4.0.0.7.

Except function starting addresses. I show this information already but it seems to always show the same address. I have to look into finding the real start address.


L. Spiro
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby Shynd » Thu Nov 22, 2007 11:45 am

http://book.itzero.com/read/microsoft/0507/Microsoft.Press.Microsoft.Windows.Internals.Fourth.Edition.Dec.2004.internal.Fixed.eBook-DDU_html/0735619174/ch06lev1sec4.html wrote:For threads created by the Windows CreateThread function, Process Explorer displays the function passed to CreateThread, not the actual thread start function. That is because all Windows threads start at a common process or thread startup wrapper function (BaseProcessStart or BaseThreadStart in Kernel32.dll). If Process Explorer showed the actual start address, most threads in processes would appear to have started at the same address, which would not be helpful in trying to understand what code the thread was executing.

I think that's where the StackWalk64 function from DbgHelp.dll comes in. It actually walks through the stack history of the thread to see where it called CreateThread, then lists that as the start address. I have absolutely no idea how to do that or even what the hell I'm talking about, but I hope you do and/or can figure it out ;)
User avatar
Shynd
Acker
 
Posts: 68
Joined: Fri Jan 05, 2007 2:11 am

Postby L. Spiro » Thu Nov 22, 2007 12:36 pm

Somehow I didn’t know they had a function to walk the stack this way; I planned to solve this problem by writing my own.

This will save me a lot of trouble.


L. Spiro
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby Shynd » Thu Nov 22, 2007 12:56 pm

Holy shit, I helped? New experience for me =p

Getting an easy-to-use thread enumerator that has module+offset included is going to be wonderful.
User avatar
Shynd
Acker
 
Posts: 68
Joined: Fri Jan 05, 2007 2:11 am


Return to Feature Request

Who is online

Users browsing this forum: No registered users and 0 guests

cron