
Thread Suspend / Resume



Thread belonging to a dll. What are you talking about?

Or should I say - wtf?!?

That's what I was confused about.. I was like huh?.. do DLLs start new threads when certain functions are called or something?! They wouldn't have threads just by being loaded, right? I do actually remember reading something about certain DLLs performing an 'initialization' routine when they are loaded, but I am really clueless beyond that.


That's what I was confused about.. I was like huh?.. do DLLs start new threads when certain functions are called or something?! They wouldn't have threads just by being loaded, right? I do actually remember reading something about certain DLLs performing an 'initialization' routine when they are loaded, but I am really clueless beyond that.

I don't know that if you call a DLL it has a thread, but if this DLL is injected into the process it will have a thread.

When I use Process Explorer, not all processes have threads for the DLLs they already use.

monoceres or trancexx might have more information about this.

Geeks try to prove their geekness by their geek stuff :D If you understood anything, tell me



Yes, I see now. That's not that simple.

This is Manko's area. He can show you how to do it. He made ProDLLer.dll, which has functions you can use without having to go too deep into the matter.

Find him here.

edit:

This is pulled from there

Opt("MustDeclareVars", 1)

Global $sModule = "explorer.exe" ; <- change to what you like

Global Const $hProDLLer = DllOpen(@ScriptDir & "\ProDLLer.dll") ; Manko's pride
If $hProDLLer = -1 Then
    MsgBox(262144 + 48, "", "You need ProDLLer.dll in your script's dir")
    Exit
EndIf


ConsoleWrite("+> SEDEBUG: " & _GetPrivilege_SEDEBUG() & @CRLF) ; This is essential

Global Const $tag_SYSTEM_THREADS = "uint64 KernelTime;" & _
        "uint64 UserTime;" & _
        "uint64 CreateTime;" & _
        "dword WaitTime;" & _
        "ptr StartAddress;" & _
        "dword UniqueProcess;" & _
        "dword UniqueThread;" & _
        "int Priority;" & _
        "int BasePriority;" & _
        "dword ContextSwitchCount;" & _
        "int State;" & _
        "int WaitReason"

Global Const $tag_SYSTEM_PROCESSES = "dword NextEntryDelta;" & _
        "dword Threadcount;" & _
        "dword IsSuspended;" & _
        "dword[3];" & _
        "double DiffTime;" & _
        "uint64 CreateTime;" & _
        "uint64 UserTime;" & _
        "uint64 KernelTime;" & _
        "ushort Length;" & _
        "ushort MaximumLength;" & _
        "ptr ProcessName;" & _
        "int BasePriority;" & _
        "dword ProcessId;" & _
        "dword InheritedFromProcessId;" & _
        "dword HandleCount;" & _
        "dword[2];" & _
        "dword PeakVirtualSize;" & _
        "dword VirtualSize;" & _
        "dword PageFaultCount;" & _
        "dword PeakWorkingSetSize;" & _
        "dword WorkingSetSize;" & _
        "dword QuotaPeakPagedPoolUsage;" & _
        "dword QuotaPagedPoolUsage;" & _
        "dword QuotaPeakNonPagedPoolUsage;" & _
        "dword QuotaNonPagedPoolUsage;" & _
        "dword PagefileUsage;" & _
        "dword PeakPagefileUsage;" & _
        "uint64 ReadOperationCount;" & _
        "uint64 WriteOperationCount;" & _
        "uint64 OtherOperationCount;" & _
        "uint64 ReadTransferCount;" & _
        "uint64 WriteTransferCount;" & _
        "uint64 OtherTransferCount"


; Collect data
Global $aThreadsInfo = _GetAvailableThreadData($sModule)

; Write it
ConsoleWrite("--- Threadcount = " & UBound($aThreadsInfo) & @CRLF)

ConsoleWrite(">Process Name" & " | " & "PID" & " | " & "TID" & " | " & "ThreadStart" & " | " & "StartAddress" & " | " _
         & "ModuleNames" & " | " & "Exported functions and offsets" & " | " & "Status" & @CRLF)

For $i = 0 To UBound($aThreadsInfo) - 1

    ConsoleWrite(" " & $aThreadsInfo[$i][0] & " | " & $aThreadsInfo[$i][1] & " | " & $aThreadsInfo[$i][2] _
             & " | " & $aThreadsInfo[$i][3] & " | " & $aThreadsInfo[$i][4] & " | " & $aThreadsInfo[$i][5] _
             & " | " & $aThreadsInfo[$i][6] & " | " & $aThreadsInfo[$i][7] & @CRLF)

Next


#cs
    ; You want something like this
    For $i = 0 To UBound($aThreadsInfo) - 1

    If $aThreadsInfo[$i][5] = "msvcr0.dll" Then

    ; _ThreadSuspend($aThreadsInfo[$i][2])

    EndIf

    Next
#ce



; pulled from http://www.autoitscript.com/forum/index.php?showtopic=84939
Func _GetAvailableThreadData($sModule)

    Local $aCall = DllCall($hProDLLer, "ptr", "ListChanged", "ptr*", 0, "ptr*", 0)
    Local $pBasePointer = $aCall[1]

    Local $tSysProc = DllStructCreate($tag_SYSTEM_PROCESSES, $pBasePointer)
    Local $pPointer = $pBasePointer

    Local $iSysProcSize = DllStructGetSize($tSysProc)
    Local $tSysThread = DllStructCreate($tag_SYSTEM_THREADS)
    Local $tSysThread_Size = DllStructGetSize($tSysThread)

    Local $aThreadsInfo
    Local $iNextEntryDelta

    While 1

        $tSysProc = DllStructCreate($tag_SYSTEM_PROCESSES, $pPointer)

        #cs
            $ret = DllCall($hProDLLer, "wstr", "GetUni", "int", DllStructGetData($tSysProc, "ProcessName"))
            $sProcess = $ret[0]
        #ce

        ; ProcessName is the Buffer of a UNICODE_STRING: read exactly Length bytes (no terminator is
        ; guaranteed) rather than a fixed wchar[64]. The Idle process has Length 0 and a NULL Buffer.
        Local $sProcess = ""
        Local $iNameLen = DllStructGetData($tSysProc, "Length")
        If $iNameLen Then $sProcess = DllStructGetData(DllStructCreate("wchar[" & $iNameLen / 2 & "]", DllStructGetData($tSysProc, "ProcessName")), 1)


        If $sProcess == $sModule Then

            Local $iThreadCount = DllStructGetData($tSysProc, "Threadcount")

            Local $aThreadsInfo[$iThreadCount][8]

            For $i = 0 To $iThreadCount - 1

                $tSysThread = DllStructCreate($tag_SYSTEM_THREADS, $pPointer + $iSysProcSize + $i * $tSysThread_Size)

                $aThreadsInfo[$i][0] = $sProcess
                $aThreadsInfo[$i][1] = DllStructGetData($tSysProc, "ProcessId")
                $aThreadsInfo[$i][2] = DllStructGetData($tSysThread, "UniqueThread")
                $aThreadsInfo[$i][3] = DllStructGetData($tSysThread, "StartAddress")

                #cs
                    $ret = DllCall($hProDLLer, "ptr", "ThreadGetStartAddress", "int", $aThreadsInfo[$i][2])
                    $aThreadsInfo[$i][4] = $ret[0]
                #ce

                $aThreadsInfo[$i][4] = _ThreadGetStartAddress($aThreadsInfo[$i][2])

                $aCall = DllCall($hProDLLer, "str*", "GetModuleNameFromAddress", "int", $aThreadsInfo[$i][1], "int", $aThreadsInfo[$i][4])

                $aThreadsInfo[$i][5] = $aCall[0]

                If Not $aThreadsInfo[$i][5] Then
                    $aCall = DllCall($hProDLLer, "str*", "GetModuleNameFromAddress", "int", $aThreadsInfo[$i][1], "int", $aThreadsInfo[$i][3])
                    $aThreadsInfo[$i][5] = $aCall[0]
                EndIf

                If StringInStr($aThreadsInfo[$i][5], ".exe") Then
                    $aThreadsInfo[$i][6] = "                    "
                Else
                    $aCall = DllCall($hProDLLer, "str", "GetModuleExport")
                    If $aCall[0] Then
                        $aThreadsInfo[$i][6] = $aCall[0]
                        $aCall = DllCall($hProDLLer, "ptr", "GetModuleOffset")
                        $aThreadsInfo[$i][6] &= "+" & $aCall[0]
                    EndIf
                EndIf

                $aThreadsInfo[$i][7] = DllStructGetData($tSysThread, "WaitReason")

                If $aThreadsInfo[$i][7] = 5 Then
                    $aThreadsInfo[$i][7] = "Suspended"
                Else
                    $aThreadsInfo[$i][7] = ""
                EndIf

            Next

            ExitLoop ; only one instance here

        EndIf

        $iNextEntryDelta = DllStructGetData($tSysProc, "NextEntryDelta")
        If Not $iNextEntryDelta Then ExitLoop

        $pPointer += $iNextEntryDelta

    WEnd

    Return $aThreadsInfo

EndFunc   ;==>_GetAvailableThreadData


; This is from ProDLLer.dll - translated to AutoIt
Func _ThreadGetStartAddress($iThreadID)

    Local $aCall = DllCall("kernel32", "ptr", "OpenThread", _
            "dword", 0x001F03FF, _  ; This is THREAD_ALL_ACCESS. Manko is using 0x001F0FFF, I don't know what that is. Probably aiming the same. (0x001F0FFF is the same mask plus THREAD_SET_LIMITED_INFORMATION 0x400 and THREAD_QUERY_LIMITED_INFORMATION 0x800; THREAD_QUERY_INFORMATION 0x40 alone is enough for this query.)
            "int", 0, _ ; do not inherit handle
            "dword", $iThreadID)

    If @error Or Not $aCall[0] Then
        Return SetError(1, 0, 0)
    EndIf

    Local $hThread = $aCall[0]

    $aCall = DllCall("ntdll.dll", "int", "NtQueryInformationThread", _
            "ptr", $hThread, _
            "dword", 9, _ ; ThreadQuerySetWin32StartAddress
            "ptr*", 0, _
            "dword", 4, _
            "dword*", 0)

    ; NTSTATUS: anything other than 0 (STATUS_SUCCESS) is a failure.
    ; Close the thread handle on the failure path as well.
    If @error Or $aCall[0] Then
        DllCall("kernel32", "ptr", "CloseHandle", "ptr", $hThread)
        Return SetError(1, 0, 0)
    EndIf

    DllCall("kernel32", "ptr", "CloseHandle", "ptr", $hThread)

    Return $aCall[3]

EndFunc   ;==>_ThreadGetStartAddress


; This is how I see this great wraithdu's function
Func _GetPrivilege_SEDEBUG()

    Local $a_hCall = DllCall("kernel32.dll", "ptr", "GetCurrentProcess")

    If @error Then
        Return SetError(1, 0, 0)
    EndIf

    Local $hCurrentProcess = $a_hCall[0]

    Local $a_iCall = DllCall("advapi32.dll", "int", "OpenProcessToken", _
            "ptr", $hCurrentProcess, _
            "dword", 32, _  ; TOKEN_ADJUST_PRIVILEGES
            "ptr*", 0)

    If @error Or Not $a_iCall[0] Then
        Return SetError(2, 0, 0)
    EndIf

    Local $hToken = $a_iCall[3]

    Local $tLUID = DllStructCreate("dword LowPart;" & _
            "int HighPart")

    $a_iCall = DllCall("advapi32.dll", "int", "LookupPrivilegeValueW", _
            "wstr", "", _
            "wstr", "SeDebugPrivilege", _ ; SE_DEBUG_NAME
            "ptr", DllStructGetPtr($tLUID))

    If @error Or Not $a_iCall[0] Then
        DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
        Return SetError(3, 0, 0)
    EndIf

    Local $tTOKEN_PRIVILEGES = DllStructCreate("dword PrivilegeCount;" & _
            "dword LUIDLowPart;" & _
            "int LUIDHighPart;" & _
            "dword Attributes")

    DllStructSetData($tTOKEN_PRIVILEGES, "PrivilegeCount", 1) ; just one
    DllStructSetData($tTOKEN_PRIVILEGES, "LUIDLowPart", DllStructGetData($tLUID, "LowPart"))
    DllStructSetData($tTOKEN_PRIVILEGES, "LUIDHighPart", DllStructGetData($tLUID, "HighPart"))
    DllStructSetData($tTOKEN_PRIVILEGES, "Attributes", 2) ; SE_PRIVILEGE_ENABLED

    $a_iCall = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", _
            "ptr", $hToken, _
            "int", 0, _
            "ptr", DllStructGetPtr($tTOKEN_PRIVILEGES), _
            "dword", 0, _
            "ptr", 0, _
            "ptr", 0)
    Local $iErr = @error
    Local $a_iLastError = DllCall("kernel32.dll", "dword", "GetLastError")

    ; AdjustTokenPrivileges returns non-zero even when the privilege is not present in the
    ; token (e.g. a non-admin user); that case shows up as GetLastError() = 1300 (ERROR_NOT_ALL_ASSIGNED).
    If $iErr Or Not $a_iCall[0] Or $a_iLastError[0] = 1300 Then
        DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
        Return SetError(4, 0, 0)
    EndIf

    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)

    Return SetError(0, 0, 1) ; success

EndFunc   ;==>_GetPrivilege_SEDEBUG

Edited by trancexx


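The list that _GetAvailableThreadData() walks, reconstructed in Python as an added example (not code from this thread or from ProDLLer): it parses a constructed buffer laid out like the script's $tag_SYSTEM_PROCESSES / $tag_SYSTEM_THREADS definitions (32-bit field sizes are assumed), follows NextEntryDelta, reads each image name by its Length field instead of a fixed wchar[64], and flags WaitReason 5 as Suspended.

```python
import struct

# x86 layouts mirroring the script's $tag_SYSTEM_PROCESSES / $tag_SYSTEM_THREADS (assumption:
# 32-bit field sizes). The 4x pads keep the uint64 members 8-aligned as DllStruct lays them out.
PROC_FMT = "<II I 3I d 3Q HH I i 3I 2I 11I 4x 6Q"   # 184 bytes
THREAD_FMT = "<3Q I I II i i I i i 4x"               # 64 bytes
PROC_SIZE, THREAD_SIZE = struct.calcsize(PROC_FMT), struct.calcsize(THREAD_FMT)
KWAIT_SUSPENDED = 5  # KWAIT_REASON value the script maps to "Suspended"

def threads_of(buf, base, wanted):
    """Walk the NextEntryDelta-linked list in buf (mapped at address base) and return
    (pid, tid, start_address, suspended) for each thread of process `wanted`."""
    off, found = 0, []
    while True:
        p = struct.unpack_from(PROC_FMT, buf, off)
        next_delta, nthreads, name_len, name_ptr, pid = p[0], p[1], p[10], p[12], p[14]
        name = buf[name_ptr - base:name_ptr - base + name_len].decode("utf-16-le")
        if name.lower() == wanted.lower():          # case-insensitive, unlike the script's ==
            for i in range(nthreads):
                t = struct.unpack_from(THREAD_FMT, buf, off + PROC_SIZE + i * THREAD_SIZE)
                found.append((pid, t[6], t[4], t[11] == KWAIT_SUSPENDED))
            break                                   # first match only, like the script
        if not next_delta:
            break
        off += next_delta
    return found

def build_sample(base):
    """Constructed two-entry list: 'System' with one thread, then 'explorer.exe' with two
    threads, the second one suspended. As the real API does, the image names live inside
    the buffer, so each ProcessName pointer is base + offset."""
    procs = [(4, "System", [(8, 0x80401000, False)]),
             (1234, "explorer.exe", [(1300, 0x00401000, False), (1316, 0x7C80B000, True)])]
    buf = b""
    for n, (pid, name, threads) in enumerate(procs):
        raw = name.encode("utf-16-le")
        blob = raw + b"\0\0"
        blob += b"\0" * (-len(blob) % 8)            # keep the next entry 8-aligned
        tblock = b"".join(struct.pack(THREAD_FMT, 0, 0, 0, 0, start, pid, tid, 8, 8, 1,
                                      5 if susp else 2, KWAIT_SUSPENDED if susp else 0)
                          for tid, start, susp in threads)
        name_ptr = base + len(buf) + PROC_SIZE + len(tblock)
        delta = 0 if n == len(procs) - 1 else PROC_SIZE + len(tblock) + len(blob)
        hdr = struct.pack(PROC_FMT, delta, len(threads), 0, 0, 0, 0, 0.0, 0, 0, 0,
                          len(raw), len(raw) + 2, name_ptr, 8, pid, 0, 0, 0, 0,
                          *([0] * 11), *([0] * 6))
        buf += hdr + tblock + blob
    return buf
```

Calling `threads_of(build_sample(0xA10000), 0xA10000, "explorer.exe")` yields the two explorer.exe rows, the second marked suspended.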

After drinking 26 and a half cups of tea, and with help from MSDN (thx Ascend4nt), monoceres' code, trancexx's good search >_< and Manko's dll, I am getting results

$Proid = ProcessExists("Process name")
$tidarray = _GetAllProcessThreads($Proid)
; $ThreadsDll (the DllOpen handle of ProDLLer.dll), _GetAllProcessThreads() and
; _ThreadSuspend() are defined elsewhere in the poster's script and are not shown here
For $count = 1 To 10 Step 1 ; << Here you can use array counting but I preferred this
    ; (bounds-safe alternative: For $count = 1 To UBound($tidarray) - 1)
    $threadid = $tidarray[$count][0]
    $startaddress = DllCall($ThreadsDll, "ptr", "ThreadGetStartAddress", "int", $threadid)
    $modname = DllCall($ThreadsDll, "str*", "GetModuleNameFromAddress", "int", $Proid, "int", $startaddress[0])
    If $modname[0] = "Module u wanna suspend" Then
        _ThreadSuspend($threadid)
    EndIf
Next

After using this dll I get much better results than before. Thanks Manko, and thank you all.



  • 4 months later...

After drinking 26 and a half cups of tea, and with help from MSDN (thx Ascend4nt), monoceres' code, trancexx's good search B) and Manko's dll, I am getting results

After using this dll I get much better results than before. Thanks Manko, and thank you all.

You managed to mention most of my favourite Autoit coders in one sentence! :) (Yes I'm one of my favourites too...) B)

I just chanced upon this thread. Never knew I helped with this. ;)

trancexx: Great work reversing my dll!!! B)

Sorry for posting in a "dead" thread. At least it's not ages past...

/Manko

Yes I rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...
