Killing a process is easy, how about a thread?

[Morthawt]

I am wondering, to kill an entire process is easy but with autoit is it possible to kill a process' thread? I ran into an issue a while back where a piece of malware would do bad things if its main process was terminated but when I killed a specific thread which had the same name/address or what ever then it would halt it's actions and allow me to do damage control. The issue is I had to manually do that on each machine I was cleaning. If I could some how detect the thread by its hex address and make it terminate / suspend that thread I would have been able to make a script that would just do the job for me and speed up the cleaning process.

Is this even possible?

[BrewManNH]

If you can find out the PID of the process, processclose should be able to do it. But, how do you determine which is the right one to kill if the names are the same?

Have you tried just using Safe Mode instead of trying to do it while Windows is running natively? Or even using a bootable USB drive or CD/DVD instead of booting from the infected drive? Seems it would be much easier to delete a virus/malware if it's not running in the first place.

[Morthawt]

I think you have it mixed up what I am trying to do. I am not trying to close a process, as I have said that is easy and I know how to do that in many ways. What I want to do is be able to terminate a thread that is running in a process. The malware I was dealing with at the time knew when its main process was terminated and took actions. However if I suspended or killed just the main thread of the process the exe was still running but the malware was essentially halted. That allowed me to terminate all the other processes that were watching the system and then kill the main malware process so that it wouldn't come back.

I am just trying to kill a thread inside of a process. For example if you run a continuous ping and check the threads with process explorer you will see things like "PING.EXE+0x3410". This is the kind of thing I am looking to see if it is possible to terminate via autoit. It sure would be nice to automate that to deal with malware in the future because otherwise you have to download process explorer, get it on to the system and hope the malware doesn't detect it and cripple it, then run it and locate the malware exe and then open the details up and check through threads etc. Long time consuming thing. Automating the thread termination with a little autoit script would be such a time saver.

[BrewManNH]

Safe mode or a boot disk, don't run the infected machine's software, bypass it. Then delete what you need to delete. Anything else is just doing it wrong.

[Morthawt]

Please, I am not asking for advice on how to clean systems. I cannot go into safe mode and cut all network for safety when I am 4,000 miles away remoting into the machine.

I am asking how do I terminate a thread inside of a process using autoit.

[Gianni]

Hi Morthawt

I think that >this link will interest you

there are a lot of functions on Processes and Threads.

for example:

;   _ProcessListThreads()  ; Get a List of Threads for one or *all* processes
;   _ThreadTerminate()     ; Terminates a Thread. *** NOT RECOMMENDED ***

bye

Edited September 17, 2013 by PincoPanco

[trancexx]

To kill thread in another process you need to run your own thread in that process. Then from your thread you can close/terminate other thread(s). To do this from AutoIt script you would really need to know assembly. Not even assembly but machine code.

Do you know it?