3

I want to get the thread's start address with NtQueryInformationThread, but I need to add its library. How can I do that?

Mehrdad
  • 708
  • 1
  • 17
  • 38

2 Answers2

5

I prefer adding ntdll.lib (you can find it in Windows DDK/WDK) to a project. In that case you don't need GetProcAddress stuff.

Sergey Podobry
  • 7,101
  • 1
  • 41
  • 51
4

I used NtQueryInformationThread without any need of loading ntdll (which in my opinion is loaded automatically). I had only to prepare a special header file with such content: http://pastebin.com/ieEqR0eL and include it in my project. After that I was able to do something like this:

NTSTATUS status;
THREAD_BASIC_INFORMATION basicInfo;
typedef NTSTATUS ( WINAPI *NQIT )( HANDLE, LONG, PVOID, ULONG, PULONG );

/* Open thread */
HANDLE thread = OpenThread(THREAD_ALL_ACCESS, false, threadId);
/* Get the address of NtQueryInformationThread function. */ 
NQIT NtQueryInformationThread = ( NQIT )GetProcAddress( GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationThread" );
/* Get basic thread information */
status = NtQueryInformationThread(thread, 0, &basicInfo, sizeof(basicInfo), NULL);
CloseHandle(thread);

/* Get address of the Thread Environment Block, stack start address and last stack address */
tebAddress = (DWORD)basicInfo.TebBaseAddress;
DWORD pebAddress = *((DWORD*)(tebAddress+0x30));
/* For example to get stack base address */
stackBase = *((DWORD*)(tebAddress+4));
stackLimit = *((DWORD*)(tebAddress+8));
Adam Sznajder
  • 9,108
  • 4
  • 39
  • 60
  • What header files should I include? THREAD_BASIC_INFORMATION doesn't exist in Tlhelp32.h or Windows.h. – Mehrdad Jun 20 '12 at 14:36
  • As I wrote: you have to include header file which content I listed at pastebin. – Adam Sznajder Jun 20 '12 at 14:42
  • Try `ntapi.h` (part of the DDK) or just define yourself. – Damon Jun 20 '12 at 14:43
  • @Yob So how can I retrive starting address from status? – Mehrdad Jun 20 '12 at 15:15
  • By using the `ThreadQuerySetWin32StartAddress` information class instead of `ThreadBasicInformation`. You may want to read up on this over at [ntinternals.net](http://undocumented.ntinternals.net). – Damon Jun 20 '12 at 15:25
  • 1
    As the second parameter of `NtQueryInformationThread` function you have to give `ThreadQuerySetWin32StartAddress`. It's description is here: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/THREAD_INFORMATION_CLASS.html#ThreadQuerySetWin32StartAddress. Sample use: http://forum.sysinternals.com/how-to-get-the-start-address-and-modu_topic5127_post18072.html#18072 – Adam Sznajder Jun 21 '12 at 08:34