Hi @dtm
I’ve tried injecting using QueueUserAPC. It works, but the target process crashes sometimes.
Is there any way I can get the details (like the Stack) of the enumerated threads of a target process? I was hoping that we can target better which threads we can inject if we have some useful info about the thread.
And, what information can I extract from the CONTEXT of a thread?
Thank you
…in connection with the above comment…
In the Process Explorer, we can see the threads of a process, and also the stack of the thread, that shows which DLL functions are associated with which thread.
E.g., thread no. 6068 has its start address at WINMM.dll!timeEndPeriod+0x147
Is it possible to get this data from inside Visual Studio? I believe it is possible because Process Explorer is doing it. But how? How do we get the start address associated with a ThreadId?
The CONTEXT struct can be found here: https://www.nirsoft.net/kernel_struct/vista/CONTEXT.html
typedef struct _CONTEXT
{
ULONG ContextFlags;
ULONG Dr0;
ULONG Dr1;
ULONG Dr2;
ULONG Dr3;
ULONG Dr6;
ULONG Dr7;
FLOATING_SAVE_AREA FloatSave;
ULONG SegGs;
ULONG SegFs;
ULONG SegEs;
ULONG SegDs;
ULONG Edi;
ULONG Esi;
ULONG Ebx;
ULONG Edx;
ULONG Ecx;
ULONG Eax;
ULONG Ebp;
ULONG Eip;
ULONG SegCs;
ULONG EFlags;
ULONG Esp;
ULONG SegSs;
UCHAR ExtendedRegisters[512];
} CONTEXT, *PCONTEXT;
which contains the “context” of the thread. From here, I assume you can find the stack information.
As for the start address, you can try something like this: https://stackoverflow.com/questions/11147846/how-to-retrieve-starting-address-of-a-thread-in-windows. Personally, I’ve never done this before so I cannot confirm anything.
This topic was automatically closed after 30 days. New replies are no longer allowed.