Does anyone know a way to easily go from Thread ID to Process ID? You can
get _KTHREAD fairly easily but I haven't found any ways to use it. Is the
only way to enumerate all Processes and check what threads a process has?
If so how does one enumerate threads in a process?
Nevermind. I found a solution.
“Jason Annice” wrote in message
news:xxxxx@ntdev…
>
> Nevermind. I found a solution.
>
But you would like to share it with us!
I have decided to show people how to do this in case they don't know.
NtInvoke is just my wrapper for calling NT service functions, my function
isn’t documented, but others like it are. It simply moves the service id
into eax, and does an INT.
You need to work out the address of ZwQuerySystemThread because it isn’t
exported by ntoskrnl.exe, from NTDLL, and grab the service number from
there, or just use Softice to grab that number; on my XP build it is 0x9B.
That's what the variable HookedNtQueryInformationThread is.
All the structures used here are pretty well documented, have fun.
#include <ntddk.h>

/* Layout of the block returned for ThreadBasicInformation (the commonly
   documented one); the process id lives in ClientId.UniqueProcess. */
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS  ExitStatus;
    PVOID     TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION;

#ifndef THREAD_QUERY_INFORMATION
#define THREAD_QUERY_INFORMATION 0x0040
#endif

/* ZwOpenThread is not declared in every DDK header set. */
NTSYSAPI NTSTATUS NTAPI ZwOpenThread(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess,
                                     POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);

/* My wrapper: moves the service number into eax and does the INT (body not shown). */
extern NTSTATUS NtInvoke(ULONG ServiceNumber, ...);

/* Service number of NtQueryInformationThread, taken from the NTDLL stub of the
   target build (0x9B on my XP build). */
extern ULONG HookedNtQueryInformationThread;

ULONG PidFromTid(ULONG tid)
{
    NTSTATUS rc;
    HANDLE hThread;
    THREAD_BASIC_INFORMATION threadinfo;
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID cid = {0};

    cid.UniqueThread = (HANDLE)tid;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

    /* 0x0040 == THREAD_QUERY_INFORMATION access */
    rc = ZwOpenThread(&hThread, THREAD_QUERY_INFORMATION, &ObjectAttributes, &cid);
    if (!NT_SUCCESS(rc))
        return 0xFFFFFFFF;

    rc = NtInvoke(HookedNtQueryInformationThread, hThread, ThreadBasicInformation,
                  &threadinfo, sizeof(THREAD_BASIC_INFORMATION), NULL);
    ZwClose(hThread);           /* close the handle whether or not the query worked */
    if (!NT_SUCCESS(rc))
        return 0xFFFFFFFF;

    return (ULONG)(ULONG_PTR)threadinfo.ClientId.UniqueProcess;
}
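The post says to read the service number out of the NTDLL stub on the target build rather than trusting a hard-coded 0x9B. As an added example (not code from the post), here is a small parser that pulls the number from the stub's `mov eax, imm32` and refuses a stub whose leading bytes are not that opcode, which is what an inline patch of the export would leave behind; the stub bytes are constructed, and the x64 stub shape is handled as well, which goes beyond the XP x86 case in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stub bytes (not captured from a real ntdll):
 *   XP x86  : mov eax,9Bh ; mov edx,7FFE0300h ; call [edx] ; ret 14h
 *   x64     : mov r10,rcx ; mov eax,25h ; syscall ; ret   (0x25 is made up)
 *   patched : jmp rel32 where the mov should be, as an inline hook leaves it
 */
const unsigned char kXpStub[]      = {0xB8,0x9B,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F,
                                      0xFF,0x12, 0xC2,0x14,0x00};
const unsigned char kX64Stub[]     = {0x4C,0x8B,0xD1, 0xB8,0x25,0x00,0x00,0x00, 0x0F,0x05, 0xC3};
const unsigned char kPatchedStub[] = {0xE9,0x10,0x20,0x30,0x40, 0xBA,0x00,0x03,0xFE,0x7F,
                                      0xFF,0x12, 0xC2,0x14,0x00};

/* Return the service number encoded in an ntdll Nt/Zw stub, or -1 when the
 * leading bytes are not the plain "mov eax, imm32" (x86) or
 * "mov r10, rcx; mov eax, imm32" (x64) that the loader wrote. */
long ServiceNumberFromStub(const unsigned char *stub, size_t len)
{
    size_t off;
    uint32_t id;

    if (stub == NULL)
        return -1;
    if (len >= 5 && stub[0] == 0xB8)
        off = 1;                      /* x86: B8 imm32 */
    else if (len >= 8 && stub[0] == 0x4C && stub[1] == 0x8B &&
             stub[2] == 0xD1 && stub[3] == 0xB8)
        off = 4;                      /* x64: 4C 8B D1 B8 imm32 */
    else
        return -1;                    /* anything else: not an intact stub */

    id = (uint32_t)stub[off] | ((uint32_t)stub[off + 1] << 8) |
         ((uint32_t)stub[off + 2] << 16) | ((uint32_t)stub[off + 3] << 24);
    /* Service numbers are small table indexes; reject anything implausible. */
    if (id > 0xFFFF)
        return -1;
    return (long)id;
}

int main(void)
{
    printf("XP x86  : 0x%lX\n", ServiceNumberFromStub(kXpStub, sizeof kXpStub));
    printf("x64     : 0x%lX\n", ServiceNumberFromStub(kX64Stub, sizeof kX64Stub));
    printf("patched : %ld\n",  ServiceNumberFromStub(kPatchedStub, sizeof kPatchedStub));
    return 0;
}
```

A -1 on a live system means the export does not start with the expected mov, so the number should not be taken from it and the stub deserves a closer look.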