
The start address of the thread is always changing, and the thread ID is always changing too. I'm trying to kill a thread from another process. How do I identify the thread that I want to kill? If possible, I'd like some code examples, please!

  • _I'm trying to kill a thread from another process_ Don't do that, that is super dangerous. Instead, find some way to politely ask the thread to stop doing whatever it is doing and exit cleanly. – Paul Sanders Oct 16 '21 at 22:03
  • I know it's dangerous, but in my case it's fine. Anyway, how do I ask the thread to stop doing what it's doing? – Ahmed Mahmoud Oct 16 '21 at 22:09
  • Also, is there any other way to identify the thread? I can search for some function to do what you said, but how can I identify the thread that I want to stop? – Ahmed Mahmoud Oct 16 '21 at 22:11
  • The thread has to cooperate. If you want another process to tell it to stop, you will need to use some kind of IPC mechanism (such as a [named pipe](https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes)) to pass a command to it. You will need to read up on the various IPC mechanisms that Windows supports in order to decide what best fits your use-case. – Paul Sanders Oct 16 '21 at 22:14
  • Do you have access to the source code of the program whose thread you want to terminate? If you do, then you should be able to reprogram it to react to a termination request gracefully. If you don't have access to the source code, then you will probably indeed have to kill the thread. – Andreas Wenzel Oct 16 '21 at 22:22
  • ... And if you do that when the thread is holding some critical lock (inside the memory allocator, say), then you are hosed. – Paul Sanders Oct 16 '21 at 22:32
  • You're playing in a dark and dirty space within the Windows API. This link https://devblogs.microsoft.com/oldnewthing/20060223-14/?p=32173 may provide a starting point. Bear in mind that the Windows security model, by design, defaults to denying access to threads in other processes (which affects the ability to find such a thread, let alone take actions to affect it). Forcibly terminating threads and processes is usually a bad idea (e.g. it can compromise system stability), so it would be better to set up some facility to signal the target process/thread, so it terminates *itself* cleanly. – Peter Oct 16 '21 at 22:46
  • I have the function to terminate the thread, but I need to identify the thread which I want to terminate. Here's the code: https://i.imgur.com/5jd4iV6.png – Ahmed Mahmoud Oct 16 '21 at 22:59
  • At the risk of repeating myself, you really, _really_, shouldn't do this. Read what [Raymond has to say](https://devblogs.microsoft.com/oldnewthing/20150814-00/?p=91811) if you don't believe me. – Paul Sanders Oct 16 '21 at 23:10
  • The start address is probably always changing due to [ASLR](https://en.wikipedia.org/wiki/Address_space_layout_randomization). If you can [deactivate it](https://stackoverflow.com/questions/19012480/how-to-enable-aslr-in-a-windows-pe-binary) in the target executable's [PE](https://en.wikipedia.org/wiki/Portable_Executable) file, then you will probably no longer have the problem of the start address changing. However, the target executable may be able to detect that it has been tampered with, and, depending on what type of program it is, it may refuse to run. – Andreas Wenzel Oct 16 '21 at 23:46
  • Yes, it didn't run after I disabled it. – Ahmed Mahmoud Oct 17 '21 at 00:07
  • If your question is about determining which criteria to use in order to decide which thread to terminate, then your question is not a programming question, but rather a reverse engineering question. Therefore, you may want to post such questions on [reverseengineering.se]. However, in its current state, your question will likely be closed on that site, unless you provide additional information and ask a more specific question. See the help pages of that site for further information. – Andreas Wenzel Oct 17 '21 at 14:01
  • Hey Andreas, thanks for your advice. I thought there was a function or something that could do it programmatically; that's why I posted it in this section. – Ahmed Mahmoud Oct 18 '21 at 00:26
  • @AhmedMahmoud: One thing you could maybe do is call [`SuspendThread`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread) and then [`GetThreadContext`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext). That way, you can inspect the registers of the thread. Especially the instruction pointer of the thread and the thread's [call stack](https://en.wikipedia.org/wiki/Call_stack) may help you in identifying the thread. – Andreas Wenzel Oct 19 '21 at 15:45

2 Answers

1

There is nothing available to "identify" a thread externally. You can enumerate a process's threads, but all that gives you is a list of thread IDs, nothing else. So you have to "know" the specific thread ID you want ahead of time, i.e. if the target process gives it to you. Otherwise you are flying blind.

Remy Lebeau
  • Thanks for clarifying. Can I do something like: `dwGetModuleBaseAddress(ntdll.dll!RtlUserThreadStart + hexValue) = threadStartAddress`? I tried to get the base address for ntdll.dll!RtlUserThreadStart but it fails. I can get the ntdll address but not ntdll.dll!RtlUserThreadStart. Correct me if I'm wrong; I'm still new to all of this. – Ahmed Mahmoud Oct 16 '21 at 23:21
0

You can use the function CreateToolhelp32Snapshot to create a snapshot of a certain process, and then use the functions Thread32First and Thread32Next to traverse the list of all threads in that snapshot. See the following page from the official Microsoft documentation for an example:

Traversing the Thread List

After you have found the thread that you want to terminate, you can then open it with OpenThread and call TerminateThread on it.

However, before you decide to do that, I strongly suggest that you read the documentation of the function TerminateThread (link see above). As stated in the documentation, terminating a thread is a very risky thing to do and is generally not recommended.

Andreas Wenzel
  • I have the function to terminate the thread, but I need to identify the thread which I want to terminate: https://i.imgur.com/5jd4iV6.png – Ahmed Mahmoud Oct 16 '21 at 22:55
  • @AhmedMahmoud your function is leaking a `HANDLE` for every thread that doesn't match your `StartAddress` parameter. – Remy Lebeau Oct 16 '21 at 23:15