Get start address of current thread

I'm trying to figure out how to get the entry point of the current thread (I only need to read it).

I tried reading RCX from RtlCaptureContext but this doesn't give me an address that contains the start address of the thread.

I know there's the NtQueryInformationThread function but I'd like to know if there's any better way to do it internally as I'd like to avoid using an undocumented function.

1 answer

  • answered 2018-07-11 02:57 Jason

    Unfortunately NtQueryInformationThread is the only way to obtain that information when you pass ThreadQuerySetWin32StartAddress as an argument. The reason for this is that the Win32StartAddress is contained in the kernel data structure that represents the thread object (ETHREAD). NtQueryInformationThread requests that information from the structure and outputs it.

    You can monitor the creation of future threads though with a hook to RtlUserThreadStart. This is where the thread begins its execution and is also a callback from kernel-mode for when a thread is created in the process. The accumulator register contains the initial address of execution specified in the argument for creating a thread. For example, say there is a subroutine called "begin".

    // begin has the thread-routine signature: DWORD WINAPI begin(LPVOID);
    // stack size and creation flags are integers, so pass 0 rather than NULL
    CreateThread(NULL, 0, begin, NULL, 0, NULL);
    

    The EAX (accumulator) register will contain the address of "begin" if you hook RtlUserThreadStart.

    This is the signature for the routine you would need to hook if you do not use NtQueryInformationThread:

    void RtlUserThreadStart(PTHREAD_START_ROUTINE BaseExecutionAddress, PVOID Context);
    

    There is no documented way by Microsoft for obtaining this information from user-mode though.
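As an added example, not part of the question or of Jason's answer: a C program that reads the current thread's start address through NtQueryInformationThread with ThreadQuerySetWin32StartAddress, resolves the function from ntdll at run time because it is undocumented, and then checks whether that address lies inside the process's own image (threads whose start address is in no loaded module are a common injection indicator). The information-class value 9, the helper names and the Windows-only guard are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable helper (assumed name): true if addr lies in [base, base + size).
 * A thread start address outside every loaded image is a classic sign of
 * injected code running from a private allocation. */
bool addr_in_range(uintptr_t addr, uintptr_t base, size_t size) {
    return addr >= base && addr - base < size;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Value of ThreadQuerySetWin32StartAddress in the THREADINFOCLASS enum;
 * not every SDK's winternl.h declares it, so it is spelled out here. */
#define THREAD_QUERY_WIN32_START_ADDRESS ((THREADINFOCLASS)9)

typedef NTSTATUS (NTAPI *NtQueryInformationThread_t)(
    HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG);

/* Returns the current thread's Win32 start address, or NULL on failure.
 * NtQueryInformationThread is undocumented, so resolve it at run time. */
PVOID get_current_thread_start(void) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return NULL;
    NtQueryInformationThread_t query = (NtQueryInformationThread_t)
        GetProcAddress(ntdll, "NtQueryInformationThread");
    if (!query) return NULL;
    PVOID start = NULL;
    NTSTATUS st = query(GetCurrentThread(), THREAD_QUERY_WIN32_START_ADDRESS,
                        &start, sizeof(start), NULL);
    return st >= 0 ? start : NULL;   /* NT_SUCCESS: non-negative status */
}

int main(void) {
    PVOID start = get_current_thread_start();
    /* Image size is read from the PE headers of the main module. */
    BYTE *base = (BYTE *)GetModuleHandleW(NULL);
    IMAGE_NT_HEADERS *nt =
        (IMAGE_NT_HEADERS *)(base + ((IMAGE_DOS_HEADER *)base)->e_lfanew);
    bool in_image = addr_in_range((uintptr_t)start, (uintptr_t)base,
                                  nt->OptionalHeader.SizeOfImage);
    printf("start address %p is %s the main image\n",
           start, in_image ? "inside" : "outside");
    return start ? 0 : 1;
}
#endif
```

For the main thread the reported address is the executable's entry point, so it lands inside the image; for threads created by CreateThread it is the routine passed as the third argument.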