Get StartAddress with the name of the Module of a Thread from an external program

Question

Get StartAddress with the name of the Module of a Thread from an external program

Navigation

#1 by (0 votes)

1

I'm trying to differentiate the threads of a particular program. with the "ProcessExplorer" software I can easily get through the Start Address, since the method name appears:

ItriedtogettheStartAddresswiththiscodeinC#:

Process[]process=Process.GetProcessesByName("notepad");
foreach (ProcessThread CurrentThread in process[0].Threads)
{
     Console.WriteLine(CurrentThread.StartAddress);
}

and this was the result:

TheStartAddresscameupwiththesamevalue,soItriedtousethiscode:

IntPtrpOpenThread=OpenThread(ThreadAccess.SUSPEND_RESUME,false,(uint)CurrentThread.Id);if(pOpenThread!=IntPtr.Zero){varbuf=Marshal.AllocHGlobal(IntPtr.Size);intresult=-1;try{result=NtQueryInformationThread(pOpenThread,ThreadInfoClass.ThreadQuerySetWin32StartAddress,buf,IntPtr.Size,IntPtr.Zero);}finally{IntPtrCurrentThread=Marshal.ReadIntPtr(buf);Console.WriteLine("TID: " + CurrentThread.Id + " StartAddress " + FinalResult);
                          }
                     }

and testing was the result:

It solved my problem for a while but after the StartAddress changed ... I need to get the module name to identify each thread.

c# thread

asked by anonymous 03.11.2017 / 04:08

1 answer

Hide div no materialize css datatables does not show the data with a query using JOIN. What to do?

score 0 · Answer 1

I do not know if it is exactly the information that appears in ProcessExplorer, but the process has the modules, the thread does not.

To get the module names as you ask in the question, you can do this:

ProcessModuleCollection currentThreads = Process.GetProcessesByName("chrome")[0].Modules;

foreach (ProcessModule modulo in currentThreads)
{
    Console.WriteLine(modulo.ModuleName);
}

Result: