glf4k How do I cheat? Reputation: 0
Joined: 05 Feb 2018 Posts: 7
|
Posted: Sat Mar 20, 2021 6:23 pm Post subject: How to get THREADSTACK0 real address of x64 process in C++ |
|
|
Hello,
Can anyone help me get real address of THREADSTACK0 (x64) using C++, please?
I've tried to use this GitHub logic which only works on 32bit processes:
github - cheatengine-threadstack-finder
and also the information from this thread:
5487976
According to the algorithm from the GitHub project, I managed to list all thread Ids of my process and corresponding TebBaseAddresses from NtQueryInformationThread.
Then I tried to get the second pointer of the struct where the TebBaseAddress points to:
DWORD64 ptrs[2];
ReadProcessMemory(hProcess, tbi.TebBaseAddress, ptrs, 16, nullptr);
DWORD64 stackTop = ptrs[1];
But the stackTop address is not the correct one which Cheat Engne shows (but it has a non 0 value). Also,
MODULEINFO mi;
HMODULE moduleHandle = GetModuleHandle(L"kernel32.dll");
GetModuleInformation(processHandle, moduleHandle, &mi, sizeof(mi));
for some reasons returns 0xccc for all addresses of mi struct.
The original algorithm for 32bit did something with "ExitThread" and I have not idea what it supposed to do.
Can anyone point me to the right direction? I obviously have not idea what am I doing.
Thanks in advance!
|
|