Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


How to get THREADSTACK0 real address of x64 process in C++

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
glf4k
How do I cheat?
Reputation: 0

Joined: 05 Feb 2018
Posts: 7

PostPosted: Sat Mar 20, 2021 6:23 pm    Post subject: How to get THREADSTACK0 real address of x64 process in C++ Reply with quote

Hello,
Can anyone help me get real address of THREADSTACK0 (x64) using C++, please?

I've tried to use this GitHub logic which only works on 32bit processes:
github - cheatengine-threadstack-finder
and also the information from this thread:
5487976

According to the algorithm from the GitHub project, I managed to list all thread Ids of my process and corresponding TebBaseAddresses from NtQueryInformationThread.

Then I tried to get the second pointer of the struct where the TebBaseAddress points to:


DWORD64 ptrs[2];
ReadProcessMemory(hProcess, tbi.TebBaseAddress, ptrs, 16, nullptr);

DWORD64 stackTop = ptrs[1];

But the stackTop address is not the correct one which Cheat Engne shows (but it has a non 0 value). Also,

MODULEINFO mi;
HMODULE moduleHandle = GetModuleHandle(L"kernel32.dll");
GetModuleInformation(processHandle, moduleHandle, &mi, sizeof(mi));
for some reasons returns 0xccc for all addresses of mi struct.

The original algorithm for 32bit did something with "ExitThread" and I have not idea what it supposed to do.

Can anyone point me to the right direction? I obviously have not idea what am I doing.
Thanks in advance!
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 179

Joined: 25 Jan 2006
Posts: 8238
Location: 127.0.0.1

PostPosted: Sat Mar 20, 2021 8:15 pm    Post subject: Reply with quote

You can check how CE is doing it here:
https://github.com/cheat-engine/cheat-engine/blob/c97e0a9c0e895a05db3806f451393bdcad156b3c/Cheat%20Engine/CEFuncProc.pas#L3555

It's fairly straightforward and should be easy enough to understand to port it from Delphi to C++. (Be mindful of the parts that are specifically handling 64bit vs. 32bit.)

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites