GetThreadContext via DuplicateHandle?

Question

I am trying to open process duplicate handles and query information from thread handles using GetThreadContext but i get error ERROR_INVALID_HANDLE or ERROR_GEN_FAILURE. Information about this seems very limited....

processHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid)
DuplicateHandle(processHandle,handle.Handle,GetCurrentProcess(),&dupHandle,0,FALSE,DUPLICATE_SAME_ACCESS);


            memset(&ctx,0x00,sizeof(ctx));
            GetThreadContext(dupHandle,&ctx);
            printf("Error:%x", GetLastError());

Anyone ?

Yes DuplicateHandle succeed but CTX is always empty.... and GetThreadContext returns error as i posted above... — VisaToHell, Dec 29 '11 at 01:19

score 3 · Accepted Answer · edited May 23 '17 at 11:51

3

First of all, as suggested above you should be passing thread handle as the argument, and not process handle.

Then, what part of CONTEXT structure you request to be filled by GetThreadContext API? You leave zero there and there should be 1+ flags to indicate data of interest:

CONTEXT ThreadContext = { CONTEXT_CONTROL };
if(GetThreadContext(ThreadHandle, &ThreadContext)) {
    // ...

See also code snippet at https://stackoverflow.com/a/199809/868014

edited May 23 '17 at 11:51

Community

1
1

answered Dec 29 '11 at 07:27

Roman R.

68,205
6
94
158

1

Thanks, it really helped setting the flag, seems like ESP value is returned correctly, but EIP is always is same value for each Thread.... somewhere in the kernel... 0x7c90e514 (I enumerate explorer.exe handles) example of code i use -> forum.sysinternals.com/uploads/26792/handles.zip – VisaToHell Dec 29 '11 at 10:19
Why not if the thread is in some idle state such as e.g. within `WaitForSingleObject`, you might want to walk stack up to see actual location of interest – Roman R. Dec 29 '11 at 11:22
Hmmm dont think that its possible all threads to return same EIP, also some threads dont return EIP.. maybe no privs for them ? I tried SetThreadContext with invalid EIP and it worked, explorer.exe crashed dramatically :) – VisaToHell Dec 29 '11 at 12:07

score 2 · Answer 2 · answered Dec 29 '11 at 01:36

2

GetThreadContext takes a thread handle not a process handle.

answered Dec 29 '11 at 01:36

500 - Internal Server Error

28,327
8
59
66

Yea i am enumerating all handles, i successfully get all handles but GetThreadContext return error.... – VisaToHell Dec 29 '11 at 01:44
How do you get the thread handle? Have you tried explicitly asking for the access you need on the duplicate? – 500 - Internal Server Error Dec 29 '11 at 02:13
I am using this code example to enumerate handles -> http://forum.sysinternals.com/uploads/26792/handles.zip If someone have working code please share ? This one really return handles and their names but i cant do GetThreadContext on the Thread handles..... – VisaToHell Dec 29 '11 at 10:09

GetThreadContext via DuplicateHandle?

2 Answers2