trancexx Posted July 28, 2009

this is the new english shitlish >_<

thread related with a dll

Related how?

♡♡♡ . eMyvnE
MostafaGamal (Author) Posted July 28, 2009

Geeks Tries to prove their geekness by their geek stuff :D if u understood anything tell me
Ascend4nt Posted July 28, 2009

Thread belonging to a dll. What are you talking about? Or should I say - wtf?!?

That's what I was confused about.. I was like huh?.. do DLLs start new threads when certain functions are called or something?! They wouldn't have threads just by being loaded, right? I do actually remember reading something about certain DLLs performing an 'initialization' routine when they are loaded, but am really clueless beyond that.

My contributions: Performance Counters in Windows - Measure CPU, Disk, Network etc Performance | Network Interface Info, Statistics, and Traffic | CPU Multi-Processor Usage w/o Performance Counters | Disk and Device Read/Write Statistics | Atom Table Functions | Process, Thread, & DLL Functions UDFs | Process CPU Usage Trackers | PE File Overlay Extraction | A3X Script Extract | File + Process Imports/Exports Information | Windows Desktop Dimmer Shade | Spotlight + Focus GUI - Highlight and Dim for Eyestrain Relief | CrossHairs (FullScreen) | Rubber-Band Boxes using GUI's (_GUIBox) | GUI Fun! | IE Embedded Control Versioning (use IE9+ and HTML5 in a GUI) | Magnifier (Vista+) Functions UDF | _DLLStructDisplay (Debug!) | _EnumChildWindows (controls etc) | _FileFindEx | _ClipGetHTML | _ClipPutHTML + ClipPutHyperlink | _FileGetShortcutEx | _FilePropertiesDialog | I/O Port Functions | File(s) Drag & Drop | _RunWithReducedPrivileges | _ShellExecuteWithReducedPrivileges | _WinAPI_GetSystemInfo | dotNETGetVersions | Drive(s) Power Status | _WinGetDesktopHandle | _StringParseParameters | Screensaver, Sleep, Desktop Lock Disable | Full-Screen Crash Recovery
Wrappers/Modifications of others' contributions: _DOSWildcardsToPCRegEx (original code: RobSaunder's) | WinGetAltTabWinList (original: Authenticity)
UDF's added support/programming to: _ExplorerWinGetSelectedItems | MIDIEx UDF (original code: eynstyne)
(All personal code/wrappers centrally located at Ascend4nt's AutoIT Code)
MostafaGamal (Author) Posted July 28, 2009

Quoting Ascend4nt: That's what I was confused about.. I was like huh?.. do DLLs start new threads when certain functions are called or something?! They wouldn't have threads just by being loaded, right? I do actually remember reading something about certain DLLs performing an 'initialization' routine when they are loaded, but am really clueless beyond that.

I don't know if a dll has a thread when you call it, but if this dll is injected into the process it will have a thread. When I use Process Explorer, not all processes have threads for the dlls they already use. monoceres or trancexx might have more information about this.

Geeks Tries to prove their geekness by their geek stuff :D if u understood anything tell me
trancexx Posted July 28, 2009 (edited)

Yes, I see now. That's not that simple. This is Manko's area. He can show you how to do it. He made ProDLLer.dll that has functions you can use without having to go too deep into the matter. Find him here.

edit: This is pulled from there

```autoit
Opt("MustDeclareVars", 1)

Global $sModule = "explorer.exe" ; <- change to what you like

Global Const $hProDLLer = DllOpen(@ScriptDir & "\ProDLLer.dll") ; Manko's pride
If $hProDLLer = -1 Then
    MsgBox(262144 + 48, "", "You need ProDLLer.dll in your script's dir")
    Exit
EndIf

ConsoleWrite("+> SEDEBUG: " & _GetPrivilege_SEDEBUG() & @CRLF) ; This is essential

; Layout of one thread record that follows a process record in the snapshot
Global Const $tag_SYSTEM_THREADS = "uint64 KernelTime;" & _
        "uint64 UserTime;" & _
        "uint64 CreateTime;" & _
        "dword WaitTime;" & _
        "ptr StartAddress;" & _
        "dword UniqueProcess;" & _
        "dword UniqueThread;" & _
        "int Priority;" & _
        "int BasePriority;" & _
        "dword ContextSwitchCount;" & _
        "int State;" & _
        "int WaitReason"

; Layout of one process record; NextEntryDelta links to the next record
Global Const $tag_SYSTEM_PROCESSES = "dword NextEntryDelta;" & _
        "dword Threadcount;" & _
        "dword IsSuspended;" & _
        "dword[3];" & _
        "double DiffTime;" & _
        "uint64 CreateTime;" & _
        "uint64 UserTime;" & _
        "uint64 KernelTime;" & _
        "ushort Length;" & _
        "ushort MaximumLength;" & _
        "ptr ProcessName;" & _
        "int BasePriority;" & _
        "dword ProcessId;" & _
        "dword InheritedFromProcessId;" & _
        "dword HandleCount;" & _
        "dword[2];" & _
        "dword PeakVirtualSize;" & _
        "dword VirtualSize;" & _
        "dword PageFaultCount;" & _
        "dword PeakWorkingSetSize;" & _
        "dword WorkingSetSize;" & _
        "dword QuotaPeakPagedPoolUsage;" & _
        "dword QuotaPagedPoolUsage;" & _
        "dword QuotaPeakNonPagedPoolUsage;" & _
        "dword QuotaNonPagedPoolUsage;" & _
        "dword PagefileUsage;" & _
        "dword PeakPagefileUsage;" & _
        "uint64 ReadOperationCount;" & _
        "uint64 WriteOperationCount;" & _
        "uint64 OtherOperationCount;" & _
        "uint64 ReadTransferCount;" & _
        "uint64 WriteTransferCount;" & _
        "uint64 OtherTransferCount"

; Collect data
Global $aThreadsInfo = _GetAvailableThreadData($sModule)

; Write it
ConsoleWrite("--- Threadcount = " & UBound($aThreadsInfo) & @CRLF)
ConsoleWrite(">Process Name" & " | " & "PID" & " | " & "TID" & " | " & "ThreadStart" & " | " & "StartAddress" & " | " _
        & "ModuleNames" & " | " & "Exported functions and offsets" & " | " & "Status" & @CRLF)
For $i = 0 To UBound($aThreadsInfo) - 1
    ConsoleWrite(" " & $aThreadsInfo[$i][0] & " | " & $aThreadsInfo[$i][1] & " | " & $aThreadsInfo[$i][2] _
            & " | " & $aThreadsInfo[$i][3] & " | " & $aThreadsInfo[$i][4] & " | " & $aThreadsInfo[$i][5] _
            & " | " & $aThreadsInfo[$i][6] & " | " & $aThreadsInfo[$i][7] & @CRLF)
Next

#cs
; You want something like this
For $i = 0 To UBound($aThreadsInfo) - 1
    If $aThreadsInfo[$i][5] = "msvcr0.dll" Then
        ; _ThreadSuspend($aThreadsInfo[$i][2])
    EndIf
Next
#ce
; pulled from http://www.autoitscript.com/forum/index.php?showtopic=84939

Func _GetAvailableThreadData($sModule)
    ; ListChanged returns (in its second output parameter) a pointer to the process snapshot
    Local $aCall = DllCall($hProDLLer, "ptr", "ListChanged", "ptr*", 0, "ptr*", 0)
    Local $pBasePointer = $aCall[1]
    Local $tSysProc = DllStructCreate($tag_SYSTEM_PROCESSES, $pBasePointer)
    Local $pPointer = $pBasePointer
    Local $iSysProcSize = DllStructGetSize($tSysProc)
    Local $tSysThread = DllStructCreate($tag_SYSTEM_THREADS)
    Local $tSysThread_Size = DllStructGetSize($tSysThread)
    Local $aThreadsInfo
    Local $iNextEntryDelta
    While 1
        $tSysProc = DllStructCreate($tag_SYSTEM_PROCESSES, $pPointer)
        #cs
        $ret = DllCall($hProDLLer, "wstr", "GetUni", "int", DllStructGetData($tSysProc, "ProcessName"))
        $sProcess = $ret[0]
        #ce
        ; ProcessName is a pointer to the UTF-16 image name
        Local $sProcess = DllStructGetData(DllStructCreate("wchar[64]", DllStructGetData($tSysProc, "ProcessName")), 1)
        If $sProcess == $sModule Then
            Local $iThreadCount = DllStructGetData($tSysProc, "Threadcount")
            Local $aThreadsInfo[$iThreadCount][8]
            For $i = 0 To $iThreadCount - 1
                ; thread records are laid out directly after the process record
                $tSysThread = DllStructCreate($tag_SYSTEM_THREADS, $pPointer + $iSysProcSize + $i * $tSysThread_Size)
                $aThreadsInfo[$i][0] = $sProcess
                $aThreadsInfo[$i][1] = DllStructGetData($tSysProc, "ProcessId")
                $aThreadsInfo[$i][2] = DllStructGetData($tSysThread, "UniqueThread")
                $aThreadsInfo[$i][3] = DllStructGetData($tSysThread, "StartAddress")
                #cs
                $ret = DllCall($hProDLLer, "ptr", "ThreadGetStartAddress", "int", $aThreadsInfo[$i][2])
                $aThreadsInfo[$i][4] = $ret[0]
                #ce
                $aThreadsInfo[$i][4] = _ThreadGetStartAddress($aThreadsInfo[$i][2])
                ; map the Win32 start address to a module; fall back to the kernel start address
                $aCall = DllCall($hProDLLer, "str*", "GetModuleNameFromAddress", "int", $aThreadsInfo[$i][1], "int", $aThreadsInfo[$i][4])
                $aThreadsInfo[$i][5] = $aCall[0]
                If Not $aThreadsInfo[$i][5] Then
                    $aCall = DllCall($hProDLLer, "str*", "GetModuleNameFromAddress", "int", $aThreadsInfo[$i][1], "int", $aThreadsInfo[$i][3])
                    $aThreadsInfo[$i][5] = $aCall[0]
                EndIf
                If StringInStr($aThreadsInfo[$i][5], ".exe") Then
                    $aThreadsInfo[$i][6] = " "
                Else
                    $aCall = DllCall($hProDLLer, "str", "GetModuleExport")
                    If $aCall[0] Then
                        $aThreadsInfo[$i][6] = $aCall[0]
                        $aCall = DllCall($hProDLLer, "ptr", "GetModuleOffset")
                        $aThreadsInfo[$i][6] &= "+" & $aCall[0]
                    EndIf
                EndIf
                $aThreadsInfo[$i][7] = DllStructGetData($tSysThread, "WaitReason")
                If $aThreadsInfo[$i][7] = 5 Then
                    $aThreadsInfo[$i][7] = "Suspended"
                Else
                    $aThreadsInfo[$i][7] = ""
                EndIf
            Next
            ExitLoop ; only one instance here
        EndIf
        $iNextEntryDelta = DllStructGetData($tSysProc, "NextEntryDelta")
        If Not $iNextEntryDelta Then ExitLoop
        $pPointer += $iNextEntryDelta
    WEnd
    Return $aThreadsInfo
EndFunc   ;==>_GetAvailableThreadData

; This is from ProDLLer.dll - translated to AutoIt
Func _ThreadGetStartAddress($iThreadID)
    Local $aCall = DllCall("kernel32", "ptr", "OpenThread", _
            "dword", 0x001F03FF, _ ; This is THREAD_ALL_ACCESS. Manko is using 0x001F0FFF, I don't know what that is. Probably aiming the same.
            "int", 0, _ ; do not inherit handle
            "dword", $iThreadID)
    If @error Or Not $aCall[0] Then
        Return SetError(1, 0, 0)
    EndIf
    Local $hThread = $aCall[0]
    $aCall = DllCall("ntdll.dll", "int", "NtQueryInformationThread", _
            "ptr", $hThread, _
            "dword", 9, _ ; ThreadQuerySetWin32StartAddress
            "ptr*", 0, _
            "dword", 4, _
            "dword*", 0)
    If @error Then
        DllCall("kernel32", "ptr", "CloseHandle", "ptr", $hThread) ; don't leak the handle on failure
        Return SetError(1, 0, 0)
    EndIf
    DllCall("kernel32", "ptr", "CloseHandle", "ptr", $hThread)
    Return $aCall[3]
EndFunc   ;==>_ThreadGetStartAddress

; This is how I see this great wraithdu's function
Func _GetPrivilege_SEDEBUG()
    Local $a_hCall = DllCall("kernel32.dll", "ptr", "GetCurrentProcess")
    If @error Then
        Return SetError(1, 0, 0)
    EndIf
    Local $hCurrentProcess = $a_hCall[0]
    Local $a_iCall = DllCall("advapi32.dll", "int", "OpenProcessToken", _
            "ptr", $hCurrentProcess, _
            "dword", 32, _ ; TOKEN_ADJUST_PRIVILEGES
            "ptr*", 0)
    If @error Or Not $a_iCall[0] Then
        Return SetError(2, 0, 0)
    EndIf
    Local $hToken = $a_iCall[3]
    Local $tLUID = DllStructCreate("dword LowPart;" & _
            "int HighPart")
    $a_iCall = DllCall("advapi32.dll", "int", "LookupPrivilegeValueW", _
            "wstr", "", _
            "wstr", "SeDebugPrivilege", _ ; SE_DEBUG_NAME
            "ptr", DllStructGetPtr($tLUID))
    If @error Or Not $a_iCall[0] Then
        DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
        Return SetError(3, 0, 0)
    EndIf
    Local $tTOKEN_PRIVILEGES = DllStructCreate("dword PrivilegeCount;" & _
            "dword LUIDLowPart;" & _
            "int LUIDHighPart;" & _
            "dword Attributes")
    DllStructSetData($tTOKEN_PRIVILEGES, "PrivilegeCount", 1) ; just one
    DllStructSetData($tTOKEN_PRIVILEGES, "LUIDLowPart", DllStructGetData($tLUID, "LowPart"))
    DllStructSetData($tTOKEN_PRIVILEGES, "LUIDHighPart", DllStructGetData($tLUID, "HighPart"))
    DllStructSetData($tTOKEN_PRIVILEGES, "Attributes", 2) ; SE_PRIVILEGE_ENABLED
    $a_iCall = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", _
            "ptr", $hToken, _
            "int", 0, _
            "ptr", DllStructGetPtr($tTOKEN_PRIVILEGES), _
            "dword", 0, _
            "ptr", 0, _
            "ptr", 0)
    If @error Or Not $a_iCall[0] Then
        DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
        Return SetError(4, 0, 0)
    EndIf
    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
    Return SetError(0, 0, 1) ; success
EndFunc   ;==>_GetPrivilege_SEDEBUG
```

Edited July 29, 2009 by trancexx

♡♡♡ . eMyvnE
MostafaGamal (Author) Posted July 29, 2009

After drinking 26 and a half cups of tea, with help from MSDN (thx Ascend4nt), monoceres' code, trancexx's good search >_< and Manko's dll, I am getting results:

```autoit
; $ThreadsDll is the DllOpen handle of ProDLLer.dll; _GetAllProcessThreads and
; _ThreadSuspend come from the UDF referenced above (not shown here)
$Proid = ProcessExists("Process name")
$tidarray = _GetAllProcessThreads($Proid)
For $count = 1 To 10 Step 1 ; << Here you can use array counting but i prefered this
    $threadid = $tidarray[$count][0]
    $startaddress = DllCall($ThreadsDll, "ptr", "ThreadGetStartAddress", "int", $threadid)
    $modname = DllCall($ThreadsDll, "str*", "GetModuleNameFromAddress", "int", $Proid, "int", $startaddress[0])
    If $modname[0] = "Module u wanna suspend" Then
        _ThreadSuspend($threadid)
    EndIf
Next
```

After using this dll I get much better results than before. Thanks Manko and thank you all.

Geeks Tries to prove their geekness by their geek stuff :D if u understood anything tell me
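As an added example (not code from this thread, from ProDLLer, or from any of the posters), here is the same walk written in Python against a constructed snapshot buffer, so the pointer arithmetic can be run and checked anywhere. It packs records in the field order of the $tag_SYSTEM_PROCESSES and $tag_SYSTEM_THREADS strings in trancexx's script (assuming the 32-bit natural-alignment layout DllStructCreate produces, 184 and 64 bytes), follows NextEntryDelta to the wanted process, reads each thread's StartAddress and WaitReason, and resolves the address to a module and nearest export the way the GetModuleNameFromAddress / GetModuleExport / GetModuleOffset calls are used above. The module table, addresses, PIDs, TIDs and the buffer address are invented values. It goes one step beyond the posts by also flagging threads whose start address falls inside no loaded module at all, which is the check a defender wants before trusting the "this thread belongs to that dll" verdict.

```python
import struct
from collections import namedtuple

# Field order copied from the thread's $tag_SYSTEM_PROCESSES / $tag_SYSTEM_THREADS,
# packed the way DllStructCreate lays them out on 32-bit Windows (natural alignment,
# "ptr" = 4 bytes).  The "4x" entries are the alignment padding before the uint64s.
PROC_FMT = "<IIIIII d QQQ HH I i III II IIIIIIIIIII 4x QQQQQQ"   # 184 bytes
THREAD_FMT = "<QQQ I I II ii I ii 4x"                            # 64 bytes
PROC_SIZE = struct.calcsize(PROC_FMT)
THREAD_SIZE = struct.calcsize(THREAD_FMT)
WAIT_REASON_SUSPENDED = 5          # the value the script maps to "Suspended"
BASE_ADDRESS = 0x00300000          # hypothetical address of the snapshot buffer

# Constructed module table standing in for GetModuleNameFromAddress:
# (name, base, size, {export: rva}); all values invented.
MODULES = [
    ("explorer.exe", 0x01000000, 0x00100000, {"wWinMainCRTStartup": 0x1000}),
    ("kernel32.dll", 0x7C800000, 0x000F6000, {"BaseThreadInitThunk": 0x1200}),
    ("msvcr0.dll",   0x78000000, 0x00060000, {"_beginthreadex": 0x2000, "_endthreadex": 0x2100}),
]

ThreadInfo = namedtuple("ThreadInfo", "process pid tid start module symbol status")


def resolve_module(address):
    """Module name and nearest-export+offset for an address (None, None if unmapped)."""
    for name, base, size, exports in MODULES:
        if base <= address < base + size:
            rva = address - base
            below = [(r, n) for n, r in exports.items() if r <= rva]
            if not below:
                return name, "+0x%X" % rva
            r, n = max(below)
            return name, "%s+0x%X" % (n, rva - r)
    return None, None


def walk_process_list(buf, base_address, wanted):
    """Follow NextEntryDelta through the records; return the threads of process `wanted`."""
    offset = 0
    while True:
        rec = struct.unpack_from(PROC_FMT, buf, offset)
        next_delta, thread_count, name_len, name_ptr, pid = rec[0], rec[1], rec[10], rec[12], rec[14]
        # ProcessName is a UNICODE_STRING buffer pointer into the same snapshot
        name_off = name_ptr - base_address
        name = buf[name_off:name_off + name_len].decode("utf-16-le")
        if name == wanted:
            threads = []
            for i in range(thread_count):
                # thread records sit directly after the process record
                t = struct.unpack_from(THREAD_FMT, buf, offset + PROC_SIZE + i * THREAD_SIZE)
                start, tid, wait_reason = t[4], t[6], t[11]
                module, symbol = resolve_module(start)
                status = "Suspended" if wait_reason == WAIT_REASON_SUSPENDED else ""
                threads.append(ThreadInfo(name, pid, tid, start, module, symbol, status))
            return threads
        if not next_delta:
            return []
        offset += next_delta


def unknown_module_threads(threads):
    """Defender's check: threads whose start address lies in no loaded module."""
    return [t for t in threads if t.module is None]


def build_record(base_address, offset, pid, name, threads, last):
    """Pack one process record, its thread records and the UTF-16 name they point to."""
    name_bytes = name.encode("utf-16-le")
    name_off = PROC_SIZE + len(threads) * THREAD_SIZE
    total = (name_off + len(name_bytes) + 2 + 7) & ~7            # keep records 8-aligned
    fields = [0 if last else total, len(threads), 0, 0, 0, 0,   # NextEntryDelta .. reserved
              0.0, 0, 0, 0,                                     # DiffTime, Create/User/KernelTime
              len(name_bytes), len(name_bytes) + 2, base_address + offset + name_off,
              8, pid, 4, 0, 0, 0] + [0] * 11 + [0] * 6          # BasePriority, ProcessId, parent, ...
    buf = bytearray(struct.pack(PROC_FMT, *fields))
    for tid, start, wait_reason in threads:
        buf += struct.pack(THREAD_FMT, 0, 0, 0, 0, start, pid, tid, 8, 8, 0, 5, wait_reason)
    buf += name_bytes + b"\0\0"
    return bytes(buf.ljust(total, b"\0"))


def sample_snapshot():
    """Constructed two-process snapshot (not a real capture)."""
    specs = [
        (4, "System", [(8, 0x7C801210, 0)]),              # kernel32!BaseThreadInitThunk+0x10
        (1234, "explorer.exe", [
            (1300, 0x01001000, 0),                        # explorer.exe's own entry point
            (1301, 0x78002010, 0),                        # msvcr0.dll!_beginthreadex+0x10
            (1302, 0x78002110, WAIT_REASON_SUSPENDED),    # msvcr0.dll!_endthreadex+0x10, suspended
            (1303, 0x00A30000, 0),                        # starts outside every loaded module
        ]),
    ]
    chunks, offset = [], 0
    for i, (pid, name, threads) in enumerate(specs):
        rec = build_record(BASE_ADDRESS, offset, pid, name, threads, i == len(specs) - 1)
        chunks.append(rec)
        offset += len(rec)
    return b"".join(chunks)


if __name__ == "__main__":
    found = walk_process_list(sample_snapshot(), BASE_ADDRESS, "explorer.exe")
    for t in found:
        print("%s | %d | %d | 0x%08X | %s | %s | %s" % (t.process, t.pid, t.tid, t.start, t.module, t.symbol, t.status))
    print("threads outside any module:", [t.tid for t in unknown_module_threads(found)])
```

In a live collection the buffer would come from NtQuerySystemInformation (or ProDLLer's ListChanged) and the module table from a module enumeration of the target process; the offsets and the NextEntryDelta walk are the same, and the "no module" case is the one worth alerting on rather than silently skipping, as the script above does when GetModuleNameFromAddress returns nothing.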
Manko Posted December 7, 2009

Quoting MostafaGamal: After drinking 26 and a half cups of tea, with help from MSDN (thx Ascend4nt), monoceres' code, trancexx's good search and Manko's dll I am getting results ... after using this dll I get much better results than before, thanks Manko and thank you all

You managed to mention most of my favourite AutoIt coders in one sentence! (Yes, I'm one of my favourites too...) I just chanced upon this thread. Never knew I helped with this. trancexx: Great work reversing my dll!!! Sorry for posting in a "dead" thread. At least it's not ages past...

/Manko

Yes I rush things! (I sorta do small bursts in between doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...