Hi all,

If a certain thread is attached or injected in explorer.exe and I wanna get a virtual address of the thread, what to do in soft-ice or some other debugger?

I used a thread command within soft-ice, but it just showed me a TID & accetra.

I couldn't know which TID is matched with the thread what I want to debug.

Thank you for reading my question and forgive my poor english, cos I'm a not native speaker of English.

If you can't understand my point, plz feel free to let me know.

could you clarify what you mean by "get a virtual address of the thread"

I assume he means the thread entry point, which would be useful when detecting injected threads in applications... There is a new API in Windows Server 2003 to get this info, but sadly, they say that if you don't execute the API right after the thread is created (i.e. in a debugger, responding to the thread creation event), the returned info is "undefined". This makes me suspect that this info is not stored internally once the thread has started executing...

Does anyone know if this info is stored in any undocumented data structures, to be acquired anytime during the lifetime of the thread?

delta, afaik, the start-address is not stored anywhere

dive2code, i would recommend doing a global hook on CreateRemoteThread, so that you can see lpStartAddress's

Hi doug, dELTA, disavowed,

Thank you for your replies.

To doug : yes I mean a entry point. sorry for not enough explanation

CreateRemoteThread may be work in my case. I guess

I would try.

thanks again