void XDbgProxy::sendThreadInfo() { MyTrace("%s()", __FUNCTION__); DebugEventPacket event; memset(&event, 0, sizeof(event)); DEBUG_EVENT& msg = event.event; DebugAckPacket ack; msg.dwDebugEventCode = CREATE_THREAD_DEBUG_EVENT; msg.dwProcessId = XDbgGetCurrentProcessId(); DWORD threadId = getFirstThread(); while (threadId) { msg.dwThreadId = threadId; msg.u.CreateThread.hThread = NULL; msg.u.CreateThread.lpStartAddress = (LPTHREAD_START_ROUTINE) GetThreadStartAddress(threadId); msg.u.CreateThread.lpThreadLocalBase = GetThreadTeb(threadId); sendDbgEvent(event, ack, false); threadId = getNextThread(); } }
void XDbgProxy::sendProcessInfo(DWORD firstThread) { MyTrace("%s()", __FUNCTION__); DebugEventPacket event; memset(&event, 0, sizeof(event)); DEBUG_EVENT& msg = event.event; DebugAckPacket ack; msg.dwProcessId = XDbgGetCurrentProcessId(); msg.dwThreadId = firstThread; char modName[MAX_PATH + 1] = {0}; memset(&msg.u.CreateProcessInfo, 0, sizeof(msg.u.CreateProcessInfo)); msg.dwDebugEventCode = CREATE_PROCESS_DEBUG_EVENT; msg.u.CreateProcessInfo.dwDebugInfoFileOffset = 0; msg.u.CreateProcessInfo.fUnicode = 0; msg.u.CreateProcessInfo.hFile = NULL; msg.u.CreateProcessInfo.hProcess = NULL; msg.u.CreateProcessInfo.hThread = NULL; msg.u.CreateProcessInfo.lpBaseOfImage = (PVOID )GetModuleHandle(NULL); GetModuleFileName(GetModuleHandle(NULL), modName, MAX_PATH); msg.u.CreateProcessInfo.lpImageName = modName; msg.u.CreateProcessInfo.lpStartAddress = (LPTHREAD_START_ROUTINE)GetThreadStartAddress(firstThread); MyTrace("%s(): mod: %s, main thread start at: %p", __FUNCTION__, modName, msg.u.CreateProcessInfo.lpStartAddress); msg.u.CreateProcessInfo.lpThreadLocalBase = GetThreadTeb(firstThread); msg.u.CreateProcessInfo.nDebugInfoSize = 0; sendDbgEvent(event, ack, false); }
PVOID WINAPI GetThreadStartAddress(DWORD tid) { HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, tid); PVOID addr = GetThreadStartAddress(hThread); CloseHandle(hThread); return addr; }
struct Thread_info * ListThreads(HANDLE heap) { HANDLE hThreadSnap = INVALID_HANDLE_VALUE,hProcess,hThread; THREADENTRY32 te32; MEMORY_BASIC_INFORMATION mbi; struct Thread_info *tinfo,*Start; hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); if( hThreadSnap == INVALID_HANDLE_VALUE ) return( FALSE ); te32.dwSize = sizeof(THREADENTRY32 ); if( !Thread32First( hThreadSnap, &te32 ) ) { CloseHandle( hThreadSnap ); // Must clean up the snapshot object! return( FALSE ); } Start = init(heap); if(Start == 0) return 0; tinfo = Start; do { if(te32.th32ThreadID == GetCurrentThreadId()) continue; tinfo->Tid = te32.th32ThreadID; tinfo->Pid = te32.th32OwnerProcessID; hThread = OpenThread(THREAD_ALL_ACCESS,0,tinfo->Tid); hProcess = OpenProcess(PROCESS_ALL_ACCESS,0,tinfo->Pid); if(hThread && hProcess) { tinfo->OEP = GetThreadStartAddress(hThread,hProcess); if(tinfo->OEP) { VirtualQueryEx(hProcess,tinfo->OEP,&mbi,sizeof(MEMORY_BASIC_INFORMATION)); tinfo->ImageType = mbi.Type; tinfo->AllocationType = mbi.AllocationProtect; } } CloseHandle(hProcess); CloseHandle(hThread); tinfo->next = init(heap); if(tinfo->next == NULL) return 0; tinfo = tinfo->next; } while( Thread32Next(hThreadSnap, &te32 ) ); CloseHandle( hThreadSnap ); tinfo->Pid =-1; tinfo->Tid =-1; return Start; }
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrev, LPSTR lpCmdLine, int nShowCmd) { CHAR cMessage[9]; wsprintf(cMessage, "%p", GetThreadStartAddress(GetCurrentThread())); MessageBox(HWND_DESKTOP, cMessage, "Start Address", MB_ICONINFORMATION | MB_OK); return 0; }
// SO, THIS MODULE MUST BE A DLL BOOL XDbgProxy::DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) { // MyTrace("%s()", __FUNCTION__); DebugEventPacket event; memset(&event, 0, sizeof(event)); DEBUG_EVENT& msg = event.event; switch (reason) { case DLL_PROCESS_ATTACH: { /* char dllPath[MAX_PATH + 1]; GetModuleFileName(hModule, dllPath, sizeof(dllPath) - 1); dllPath[sizeof(dllPath) - 1] = 0; LoadLibrary(dllPath); */ } // MyTrace("%s(): process(%u) xdbg proxy loaded. thread id: %u", __FUNCTION__, // GetCurrentProcessId(), GetCurrentThreadId()); break; case DLL_PROCESS_DETACH: // MyTrace("%s(): process(%u) xdbg proxy unloaded. thread id: %u", __FUNCTION__, // GetCurrentProcessId(), GetCurrentThreadId()); break; case DLL_THREAD_ATTACH: //MyTrace("%s(): process(%u) xdbg proxy attach thread. thread id: %u <<<", __FUNCTION__, // XDbgGetCurrentProcessId(), XDbgGetCurrentThreadId()); if (!_attached) return TRUE; // REPORT CreateThread msg.dwProcessId = XDbgGetCurrentProcessId(); msg.dwThreadId = XDbgGetCurrentThreadId(); msg.dwDebugEventCode = CREATE_THREAD_DEBUG_EVENT; msg.u.CreateThread.hThread = NULL; msg.u.CreateThread.lpStartAddress = (LPTHREAD_START_ROUTINE ) GetThreadStartAddress(XDbgGetCurrentThread()); msg.u.CreateThread.lpThreadLocalBase = NtCurrentTeb(); pushDbgEvent(event); //MyTrace("%s(): process(%u) xdbg proxy attach thread. thread id: %u >>>", __FUNCTION__, // GetCurrentProcessId(), GetCurrentThreadId()); break; case DLL_THREAD_DETACH: // REPORT ExitThread //MyTrace("%s(): process(%u) xdbg proxy detach thread. thread id: %u <<<", __FUNCTION__, // GetCurrentProcessId(), GetCurrentThreadId()); if (!_attached) return TRUE; msg.dwProcessId = XDbgGetCurrentProcessId(); msg.dwThreadId = XDbgGetCurrentThreadId(); msg.dwDebugEventCode = EXIT_THREAD_DEBUG_EVENT; if (!GetExitCodeThread(XDbgGetCurrentThread(), &msg.u.ExitThread.dwExitCode)) msg.u.ExitThread.dwExitCode = 0; pushDbgEvent(event); //MyTrace("%s(): process(%u) xdbg proxy detach thread. thread id: %u >>>", __FUNCTION__, // GetCurrentProcessId(), GetCurrentThreadId()); break; }; return TRUE; }