Hello.
I'd like to find out the module a thread (remote/external process) originated from.
See Sysinternals' Process Explorer:
I don't need the start address, just the original module name.
I want to realize it without using drivers (unlike Process Explorer, afaik).
Many Thanks!
I'd like to find out the module a thread (remote/external process) originated from.
See Sysinternals' Process Explorer:
I don't need the start address, just the original module name.
I want to realize it without using drivers (unlike Process Explorer, afaik).
Many Thanks!
There's two possible approaches, and endless variations apon them.
The first approach is to enumerate all running processes, and for each running process, enumerate all its threads, until you find the thread you are looking for.
The second approach is a bit more hacky, it involves reading the thread's TIB, which is easy enough when its in the same process, but requires a certain amount of skullduggery to achieve when the thread belongs to a remote process.
Anyway, the Thread Information Block is marked with the PID of the process which created it.
Basically, you can get what you want via the FS register.
Look at this:
FS:[020h] = Process ID
FS:[024h] = Current thread ID
Unfortunately, this is only true within the context of a given thread.
This means you need to break into the thread, inject some code into it, execute it, store the result, then resume the thread execution from the point you arrested it.
Hmmz, this all sound a bit like hard work?
Maybe the "enumeration" method is easier, but its a lot slower.
You choose your own poison :)
The first approach is to enumerate all running processes, and for each running process, enumerate all its threads, until you find the thread you are looking for.
The second approach is a bit more hacky, it involves reading the thread's TIB, which is easy enough when its in the same process, but requires a certain amount of skullduggery to achieve when the thread belongs to a remote process.
Anyway, the Thread Information Block is marked with the PID of the process which created it.
Basically, you can get what you want via the FS register.
Look at this:
FS:[020h] = Process ID
FS:[024h] = Current thread ID
Unfortunately, this is only true within the context of a given thread.
This means you need to break into the thread, inject some code into it, execute it, store the result, then resume the thread execution from the point you arrested it.
Hmmz, this all sound a bit like hard work?
Maybe the "enumeration" method is easier, but its a lot slower.
You choose your own poison :)
Thanks for your reply, Homer!
Say, I'm walking through all threads using Thread32Next - how do I know I just found the right one (by module name)?
I'm kinda lost there...
The first approach is to enumerate all running processes, and for each running process, enumerate all its threads, until you find the thread you are looking for.
Enumerating threads is not my problem, but identifying the right one is.Say, I'm walking through all threads using Thread32Next - how do I know I just found the right one (by module name)?
I'm kinda lost there...
I wouldn't be surprised if there's some undocumented way to do it... you could try mailing the sysinternals guys and ask how they're doing it :)
You can use EnumProcesses from the psapi.dll to enum all the processes, then for each process you can use GetModuleBaseName to find the module name. Then you can use CreateToolhelp32Snapshot and use thread32first and thread32next to walk the threads, compare each th32OwnerProcessID from the THREADENTRY32 with what you got from EnumProcesses.
It's backwards, but I think it should work. And there's probably an easier way, most definately if you're fine with doing it undocumented (probably using ZwQuerySystemInformation or some such thing)
Fake
It's backwards, but I think it should work. And there's probably an easier way, most definately if you're fine with doing it undocumented (probably using ZwQuerySystemInformation or some such thing)
Fake