
THREADENTRY32 Struct in 64 bit

Started by GUAN DE DIO, August 11, 2008, 06:11:13 PM


GUAN DE DIO

Hi everybody

     I'm working on the structs PROCESSENTRY32, MODULEENTRY32 and THREADENTRY32 for the 64-bit platform.

     In the structs PROCESSENTRY32 and MODULEENTRY32 I needed to introduce padding to make them work fine.

     The struct THREADENTRY32 doesn't need padding, but I think the result that I obtain is not completely right.

     I specify the struct as follows:

THREADENTRY32 STRUCT
    dwSize              DWORD ?
    cntUsage            DWORD ?
    th32ThreadID        DWORD ?
    th32OwnerProcessID  DWORD ?
    tpBasePri           DWORD ?
    tpDeltaPri          DWORD ?
    dwFlags             DWORD ?
THREADENTRY32 ENDS

  The size of it is 1C.
   

    1st doubt:

       When I call the API Thread32First it changes dwSize to 23F28C (hex). The help for this API says that dwSize can be changed, but never to a number higher than the one I specify before the call.

    2nd doubt:

       I made some tests with my program. I know that my program uses 2 threads, and the result that I got was:

           - 1st Thread
                 dwSize               23F28C    <= That is wrong
                 cntUsage             0         <= OK
                 th32ThreadID         403014    <= Maybe
                 th32OwnerProcessID   9D8       <= That's OK in the test
                 tpBasePri            8         <= It is in the range 0..1F. Maybe it is right
                 tpDeltaPri           403023    <= That's wrong
                 dwFlags              0         <= OK

           - 2nd Thread
                 dwSize               23F28C    <= That is wrong
                 cntUsage             0         <= OK
                 th32ThreadID         403014    <= Maybe
                 th32OwnerProcessID   9D8       <= That's OK in the test
                 tpBasePri            8         <= It is in the range 0..1F. Maybe it is right
                 tpDeltaPri           403023    <= That's wrong
                 dwFlags              0         <= OK

       I had the same values for the two threads???

    Is anyone working on the THREADENTRY32 struct?

Best Regards,
GUAN

tofu-sensei

Your definition of THREADENTRY32 is correct, maybe there's some other problem with your code.
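The padding question from the first post, as an added example that is not code from the thread: a small C layout calculator that applies natural alignment to the Toolhelp structures on x64. It shows why THREADENTRY32 (seven 4-byte members) comes out at 1Ch with no padding, while PROCESSENTRY32 needs 4 bytes before its 8-byte `th32DefaultHeapID`. The PROCESSENTRY32 member list is taken from the Windows SDK header (ANSI variant, MAX_PATH = 260); the helper names are made up for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* One member: name, size in bytes, required alignment in bytes. */
typedef struct { const char *name; size_t size, align; } Member;

/* Lay members out with natural alignment (the rule an ml64 STRUCT has to
   mirror by hand). Writes each offset to offs[], counts inserted padding in
   *pad, and returns the size rounded up to the largest member alignment. */
static size_t layout(const Member *m, size_t n, size_t *offs, size_t *pad) {
    size_t off = 0, max_align = 1;
    *pad = 0;
    for (size_t i = 0; i < n; i++) {
        size_t gap = (m[i].align - off % m[i].align) % m[i].align;
        *pad += gap;
        off += gap;
        offs[i] = off;
        off += m[i].size;
        if (m[i].align > max_align) max_align = m[i].align;
    }
    size_t tail = (max_align - off % max_align) % max_align;
    *pad += tail;
    return off + tail;
}

/* THREADENTRY32: seven 4-byte members, as defined in the post. */
static const Member THREADENTRY[] = {
    {"dwSize",4,4},{"cntUsage",4,4},{"th32ThreadID",4,4},
    {"th32OwnerProcessID",4,4},{"tpBasePri",4,4},{"tpDeltaPri",4,4},
    {"dwFlags",4,4}};

/* PROCESSENTRY32 (ANSI) on x64: th32DefaultHeapID is ULONG_PTR = 8 bytes. */
static const Member PROCESSENTRY[] = {
    {"dwSize",4,4},{"cntUsage",4,4},{"th32ProcessID",4,4},
    {"th32DefaultHeapID",8,8},{"th32ModuleID",4,4},{"cntThreads",4,4},
    {"th32ParentProcessID",4,4},{"pcPriClassBase",4,4},{"dwFlags",4,4},
    {"szExeFile",260,1}};

static size_t thread_size(size_t *pad)  { size_t o[7];  return layout(THREADENTRY, 7, o, pad); }
static size_t process_size(size_t *pad) { size_t o[10]; return layout(PROCESSENTRY, 10, o, pad); }
static size_t process_heapid_offset(void) { size_t o[10], p; layout(PROCESSENTRY, 10, o, &p); return o[3]; }

int main(void) {
    size_t p;
    printf("THREADENTRY32  size=%#zx ", thread_size(&p));  printf("pad=%zu\n", p);
    printf("PROCESSENTRY32 size=%#zx ", process_size(&p)); printf("pad=%zu\n", p);
    return 0;
}
```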

MazeGen

The new dwSize value is incorrect. If the function changed it, I could imagine values 14h or 18h (since the last two members of the structure are unused). We can help you if you post a sample which replicates this problem.

GUAN DE DIO

If the struct is right, then I don't know what is wrong in my code, or maybe enumerating the threads on the 64-bit platform is different than on 32 bits, but I can't find anything about it in the MSDN.

I attach my includes, my RadASM project and my masm64.ini for working with RADASM (I don't know if it is completely necessary). Sorry that the comments in the files are in Spanish.

I use the same approach for listing the current processes and heaps, and that works correctly. You can see it in Procesos.inc in the Comunes folder.


The function in charge of enumerating the threads of a process is this:

;***************************************************
; Func is the offset to a callback function
;
;  Callback prototype: LpTE:QWORD (pointer to a THREADENTRY32 struct)
;
;  If the callback returns 0: stop the enumeration
;                          1: continue with the enumeration
;***************************************************
function EnumThread,func:QWORD,ProcID:DWORD

    begin_alloc
        alloc_var hSnapshot:QWORD
        alloc_var te32:THREADENTRY32
    end_alloc

    invoke CreateToolhelp32Snapshot,TH32CS_SNAPTHREAD, ProcID
    @IF <<cmp rax,INVALID_HANDLE_VALUE>>, NOEQUAL?

        mov hSnapshot,rax

        mov te32.THREADENTRY32.dwSize, sizeof THREADENTRY32
        invoke Thread32First, hSnapshot, addr te32

EnumThread_otro:
        @IF <<cmp rax,0>>, NOEQUAL?

            xor rax,rax
            mov eax, te32.THREADENTRY32.th32OwnerProcessID
            @IF <<cmp eax,ProcID>>,EQUAL?

                ; alloc space in the stack for the argument
                sub rsp,8*4

                ; arg 1
                lea rcx,te32

                ; calling the callback function
                mov rax,func
                call rax

                ; free the memory in the stack
                add rsp,8*4

                ; test the return value of the callback
                cmp rax,0
                je EnumThread_FIN  ; if the jump is taken the enumeration is finished

            @ENDIF
            mov te32.THREADENTRY32.dwSize, sizeof THREADENTRY32
            invoke Thread32Next, hSnapshot, addr te32
            jmp EnumThread_otro
        @ENDIF

EnumThread_FIN:

        ; END
        invoke CloseHandle, hSnapshot
    @ENDIF
exitf

This function is called when you press the button.

As you can see, I use the x64calling macros, but modified by me to make them work with the wsprintf function and to fix other small bugs that I found.

[attachment deleted by admin]

GUAN DE DIO

Those are my includes for the project and my init file to use ml64 with RADASM.

[attachment deleted by admin]

GUAN DE DIO

I have found my mistake.

     The code is right, the problem was in the callback function when I printed the value of the struct using wsprintf and MessageBox.

Thanks
GUAN