Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Is there a method to get the "THREADSTACK" address

Kariaro

Posted: Sun Sep 10, 2017 10:27 am    Post subject: Is there a method to get the "THREADSTACK" address

The top cut out a bit... The QUESTION is how to get the THREADSTACK address of a 64 bit program.
I have read the posts below
forum.cheatengine.org/viewtopic.php?p=5487976
forum.cheatengine.org/viewtopic.php?p=5602055
forum.cheatengine.org/viewtopic.php?t=585672
forum.cheatengine.org/viewtopic.php?t=601269


and I have read the source of Cheat Engine and tried some alternative codes...

But I haven't tested it on a 32 bit program, but when I try to get the THREADSTACK address it returns zeros...

I have the HANDLE for the process and the thread, so the only thing left is to get the start address of that thread...

And that's where I fail..

I tried to run this program and it gave me nothing as output... "and that's what it said in the text... that it only worked for 32 bit programs"..

github.com/makemek/cheatengine-threadstack-finder

Now for 2 days I have tried finding ANYTHING that works...

Any help appreciated
atom0s
Moderator

Posted: Mon Sep 11, 2017 1:58 am

NtQueryInformationThread is the main thing that is important with this. The class object used would be 'ThreadBasicInformation' and then from the returned object, you would need to use the 'TebBaseAddress' field.

You can also use inline asm or intrinsic functions to pull the information.

You can pull this via intrinsic functions like this:

32bit:
Code:
// fs:[0x18] holds NT_TIB.Self, the linear address of the current thread's TEB
auto teb = (TEB32*)__readfsdword(0x18);


64bit:
Code:
// gs:[0x30] holds NT_TIB.Self, the linear address of the current thread's TEB
auto teb = (TEB64*)__readgsqword(0x30);


Keep in mind these are only for the current process, so you would either need to inject this into the target or have it running from the target process in the first place.

Also, keep in mind if you are in a WOW64 process, you need to account for that. When that is the case, you use the 32bit method and subtract 0x2000 from the original entry. A WOW64 process has both a 32bit and 64bit TEB block to account for.

_________________
- Retired.
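Putting the NtQueryInformationThread route together for the 64-bit, out-of-process case the question asks about, as an added example that is neither the thread's nor Cheat Engine's own code: TebBaseAddress from ThreadBasicInformation, then the thread's StackBase (the value the THREADSTACK symbol stands for) read out of the first pointers of that TEB. It assumes the process handle was opened with PROCESS_VM_READ and the thread handle with THREAD_QUERY_INFORMATION, and does not apply the WOW64 adjustment described above; the TEB image in demo_threadstack64 is constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offsets of NT_TIB.StackBase / StackLimit at the start of the TEB
   (ExceptionList is the first pointer, StackBase the second, StackLimit the third). */
enum { TIB64_STACKBASE = 0x08, TIB64_STACKLIMIT = 0x10,
       TIB32_STACKBASE = 0x04, TIB32_STACKLIMIT = 0x08 };

/* Parse a raw TEB image (native layout). Returns 1 on success; a stack whose
   base is not above its limit is rejected, since that is not a real stack. */
int tib_stack_bounds(const uint8_t *teb, size_t len, int is64,
                     uint64_t *stack_base, uint64_t *stack_limit) {
    if (is64) {
        if (len < TIB64_STACKLIMIT + 8) return 0;
        memcpy(stack_base, teb + TIB64_STACKBASE, 8);
        memcpy(stack_limit, teb + TIB64_STACKLIMIT, 8);
    } else {
        uint32_t b, l;
        if (len < TIB32_STACKLIMIT + 4) return 0;
        memcpy(&b, teb + TIB32_STACKBASE, 4);
        memcpy(&l, teb + TIB32_STACKLIMIT, 4);
        *stack_base = b;
        *stack_limit = l;
    }
    return *stack_base > *stack_limit;
}

/* Constructed 64-bit TEB image (not a real capture) so the parser runs offline. */
uint64_t demo_threadstack64(void) {
    uint8_t teb[0x18] = {0};
    uint64_t base = 0x000000B5A2FF0000ULL, limit = 0x000000B5A2FEC000ULL, b, l;
    memcpy(teb + TIB64_STACKBASE, &base, 8);
    memcpy(teb + TIB64_STACKLIMIT, &limit, 8);
    return tib_stack_bounds(teb, sizeof teb, 1, &b, &l) ? b : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NtQueryInformationThread prototype; link with ntdll.lib */
/* Layout of THREAD_BASIC_INFORMATION, declared here because the SDK's winternl.h lacks it. */
typedef struct { LONG ExitStatus; PVOID TebBaseAddress; HANDLE UniqueProcess, UniqueThread;
                 ULONG_PTR AffinityMask; LONG Priority, BasePriority; } TBI;

/* Live path: TEB address via ThreadBasicInformation (class 0), then read the
   first 0x18 bytes of that TEB out of the target and parse StackBase/StackLimit. */
int get_threadstack(HANDLE process, HANDLE thread, uint64_t *stack_base, uint64_t *stack_limit) {
    TBI tbi; uint8_t tib[0x18]; SIZE_T n = 0;
    if (NtQueryInformationThread(thread, (THREADINFOCLASS)0, &tbi, sizeof tbi, NULL) != 0) return 0;
    if (!ReadProcessMemory(process, tbi.TebBaseAddress, tib, sizeof tib, &n) || n != sizeof tib) return 0;
    return tib_stack_bounds(tib, n, 1, stack_base, stack_limit);
}
#endif
```

Zeros coming back from get_threadstack mean the NtQueryInformationThread or ReadProcessMemory call failed, which is the first thing to check with GetLastError when a handle lacks the rights listed in the lead-in.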