From 01690db6300bba7bcdeedbdd3932bf413dcf4f6b Mon Sep 17 00:00:00 2001
From: hasherezade
Date: Sat, 31 Aug 2024 12:10:32 -0700
Subject: [PATCH] [REFACT] Renamed a function, small refact. Updated ntddk
---
 scanners/scanner.cpp | 2 +-
 scanners/thread_scanner.cpp | 1 +
 utils/ntddk.h | 74 ++++++++++++++++++++++++++++---------
 utils/threads_util.cpp | 25 ++++++-------
 utils/threads_util.h | 13 +++----
 5 files changed, 76 insertions(+), 39 deletions(-)
diff --git a/scanners/scanner.cpp b/scanners/scanner.cpp
index f73825c5c..cdc3d8246 100644
--- a/scanners/scanner.cpp
+++ b/scanners/scanner.cpp
@@ -497,7 +497,7 @@ size_t pesieve::ProcessScanner::scanThreads(ProcessScanReport& pReport) //throws
 return 0;
 }
 }
- if (!pesieve::util::query_thread_details(threads_info)) {
+ if (!pesieve::util::query_threads_details(threads_info)) {
 if (!args.quiet) {
 std::cout << "[-] Failed quering thread details." << std::endl;
 }
diff --git a/scanners/thread_scanner.cpp b/scanners/thread_scanner.cpp
index 5479f49cb..2ce2bbd6b 100644
--- a/scanners/thread_scanner.cpp
+++ b/scanners/thread_scanner.cpp
@@ -372,6 +372,7 @@ void pesieve::ThreadScanner::printInfo(const pesieve::util::thread_info& threadi
 std::cout << std::dec << "TID: " << threadi.tid << "\n";
 std::cout << std::hex << "\tStart : ";
 resolveAddr(threadi.start_addr);
+
 if (threadi.is_extended) {
 std::cout << std::hex << "\tSysStart: ";
 resolveAddr(threadi.ext.sys_start_addr);
diff --git a/utils/ntddk.h b/utils/ntddk.h
index 2ebfbb3b6..870b39df5 100644
--- a/utils/ntddk.h
+++ b/utils/ntddk.h
@@ -2684,24 +2684,64 @@ typedef enum _PROCESSINFOCLASS {
 //
 // Thread Information Classes
 //
-
-typedef enum _THREADINFOCLASS {
- ThreadBasicInformation, // ??
+typedef enum _THREADINFOCLASS
+{
+ ThreadBasicInformation,
 ThreadTimes,
- ThreadPriority, // ??
- ThreadBasePriority, // ??
- ThreadAffinityMask, // ??
- ThreadImpersonationToken, // HANDLE
- ThreadDescriptorTableEntry, // ULONG Selector + LDT_ENTRY
- ThreadEnableAlignmentFaultFixup, // ??
- ThreadEventPair, // ??
- ThreadQuerySetWin32StartAddress, // ??
- ThreadZeroTlsCell, // ??
- ThreadPerformanceCount, // ??
- ThreadAmILastThread, // ??
- ThreadIdealProcessor, // ??
- ThreadPriorityBoost, // ??
- ThreadSetTlsArrayAddress, // ??
+ ThreadPriority,
+ ThreadBasePriority,
+ ThreadAffinityMask,
+ ThreadImpersonationToken, // HANDLE
+ ThreadDescriptorTableEntry, // ULONG Selector + LDT_ENTRY
+ ThreadEnableAlignmentFaultFixup,
+ ThreadEventPair,
+ ThreadQuerySetWin32StartAddress,
+ ThreadZeroTlsCell,
+ ThreadPerformanceCount,
+ ThreadAmILastThread,
+ ThreadIdealProcessor,
+ ThreadPriorityBoost,
+ ThreadSetTlsArrayAddress, //
+ ThreadIsIoPending,
+ ThreadHideFromDebugger,
+ ThreadBreakOnTermination,
+ ThreadSwitchLegacyState,
+ ThreadIsTerminated,
+ ThreadLastSystemCall,
+ ThreadIoPriority,
+ ThreadCycleTime,
+ ThreadPagePriority,
+ ThreadActualBasePriority,
+ ThreadTebInformation,
+ ThreadCSwitchMon,
+ ThreadCSwitchPmu,
+ ThreadWow64Context,
+ ThreadGroupInformation,
+ ThreadUmsInformation,
+ ThreadCounterProfiling,
+ ThreadIdealProcessorEx,
+ ThreadCpuAccountingInformation,
+ ThreadSuspendCount,
+ ThreadHeterogeneousCpuPolicy,
+ ThreadContainerId,
+ ThreadNameInformation,
+ ThreadSelectedCpuSets,
+ ThreadSystemThreadInformation,
+ ThreadActualGroupAffinity,
+ ThreadDynamicCodePolicyInfo,
+ ThreadExplicitCaseSensitivity,
+ ThreadWorkOnBehalfTicket,
+ ThreadSubsystemInformation,
+ ThreadDbgkWerReportActive,
+ ThreadAttachContainer,
+ ThreadManageWritesToExecutableMemory,
+ ThreadPowerThrottlingState,
+ 
ThreadWorkloadClass, + ThreadCreateStateChange, + ThreadApplyStateChange, + ThreadStrongerBadHandleChecks, + ThreadEffectiveIoPriority, + ThreadEffectivePagePriority, MaxThreadInfoClass } THREADINFOCLASS; diff --git a/utils/threads_util.cpp b/utils/threads_util.cpp index 1777f3e84..1719a2fa2 100644 --- a/utils/threads_util.cpp +++ b/utils/threads_util.cpp @@ -12,7 +12,7 @@ namespace pesieve { namespace util { - bool query_thread_start(IN DWORD tid, OUT ULONGLONG& startAddr) + bool query_thread_details(IN DWORD tid, OUT pesieve::util::thread_info& info) { static auto mod = GetModuleHandleA("ntdll.dll"); if (!mod) return false; @@ -24,29 +24,28 @@ namespace pesieve { HANDLE hThread = OpenThread(thAccess, 0, tid); if (!hThread) return false; + bool isOk = false; ULONG returnedLen = 0; - NTSTATUS status = pNtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &startAddr, sizeof(startAddr), &returnedLen); - CloseHandle(hThread); - - if (status != 0 || returnedLen != sizeof(startAddr)) { -#ifdef _DEBUG - std::cerr << "Failed to query thread: " << std::hex << status << "\n"; -#endif - return false; + LPVOID startAddr = 0; + NTSTATUS status = 0; + status = pNtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &startAddr, sizeof(LPVOID), &returnedLen); + if (status == 0 && returnedLen == sizeof(startAddr)) { + info.start_addr = (ULONGLONG)startAddr; + isOk = true; } - //std::cout << "\tStart: " << std::hex << startAddr; - return true; + CloseHandle(hThread); + return isOk; } }; // namespace util }; // namespace pesieve -bool pesieve::util::query_thread_details(IN OUT std::map& threads_info) +bool pesieve::util::query_threads_details(IN OUT std::map& threads_info) { for (auto itr = threads_info.begin(); itr != threads_info.end(); ++itr) { pesieve::util::thread_info& info = itr->second; - if (!query_thread_start(info.tid, info.start_addr)) return false; + if (!query_thread_details(info.tid, info)) return false; } return true; } 
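Review bot: The forty THREADINFOCLASS members appended in this hunk carry no explicit values, so the enum is purely positional and one omitted or misordered name would shift every constant after it with no compile-time signal, while the query in threads_util.cpp depends on `ThreadQuerySetWin32StartAddress` resolving to the number ntdll expects. Counting the new side gives `ThreadQuerySetWin32StartAddress == 9`, `ThreadHideFromDebugger == 17` and `MaxThreadInfoClass == 56`, which agree with the commonly documented values, so the list looks correct today but nothing guards it against the next edit. I would pin the constants the code relies on right after `} THREADINFOCLASS;`, e.g. `static_assert(ThreadQuerySetWin32StartAddress == 9, "THREADINFOCLASS numbering drifted");` and `static_assert(ThreadHideFromDebugger == 17, "THREADINFOCLASS numbering drifted");`, since the latter is a class a thread scanner is likely to query next. The removed `// ??` markers were not replaced by anything, so a short comment naming the buffer type on the classes this project actually passes to NtQueryInformationThread would also help.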
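Review bot: In `query_threads_details` the new call `if (!query_thread_details(info.tid, info)) return false;` still lets a single failing thread abort detail collection for the whole process, and because the `#ifdef _DEBUG` `std::cerr` trace was dropped from `query_thread_details` the reason is now invisible even in debug builds; a thread that exited between the snapshot and this call, or one that OpenThread refuses, therefore costs the caller every other thread's start address. For a scanner whose purpose is finding injected threads it seems safer to keep iterating, leave `start_addr` at its constructor default for the threads that failed, and report failure only when no thread at all could be queried, as sketched below; the caller's handling of `false` begins outside this hunk, so please confirm it tolerates partial results. Passing `info.tid` beside `info` is redundant (`query_thread_details(info)` reading `info.tid` would do), and `NT_SUCCESS(status)` is the conventional spelling of the `status == 0` test if that macro is available in the included headers. `query_thread_details` starts in the previous hunk and `thAccess` is declared outside both.
```cpp
// … unchanged: query_threads_details signature …
{
    size_t failed = 0;
    for (auto itr = threads_info.begin(); itr != threads_info.end(); ++itr) {
        pesieve::util::thread_info& info = itr->second;
        // a thread that exited (or cannot be opened) after the snapshot must not
        // discard the start addresses already collected for the other threads
        if (!query_thread_details(info.tid, info)) failed++;
    }
    return threads_info.empty() || failed < threads_info.size();
}
```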
diff --git a/utils/threads_util.h b/utils/threads_util.h index b9f67f983..cbc0a1277 100644 --- a/utils/threads_util.h +++ b/utils/threads_util.h @@ -38,13 +38,10 @@ namespace pesieve { bool is_extended; thread_info_ext ext; - _thread_info() - : tid(0), start_addr(0), is_extended(false) - { - } - - _thread_info(DWORD _tid) - : tid(_tid), start_addr(0), is_extended(false) + _thread_info(DWORD _tid = 0) + : tid(_tid), + start_addr(0), + is_extended(false) { } @@ -58,7 +55,7 @@ namespace pesieve { } thread_info; - bool query_thread_details(IN OUT std::map& threads_info); + bool query_threads_details(IN OUT std::map& threads_info); bool fetch_threads_info(IN DWORD pid, OUT std::map& threads_info);
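Review bot: The merged constructor `_thread_info(DWORD _tid = 0)` is a non-explicit single-argument constructor, so it also acts as an implicit conversion from any integer and a slip such as assigning a TID where a `thread_info` is expected compiles silently; the removed `_thread_info(DWORD _tid)` had the same property, so this is a point of style rather than a regression. Writing it as `explicit _thread_info(DWORD _tid = 0)` keeps default construction, which `std::map::operator[]` needs, while closing that path, unless a caller outside this hunk relies on the conversion. The initializer list still does not mention `ext`; whether `thread_info_ext` initialises itself is not visible here, and since thread_scanner.cpp only reads `ext` under `if (threadi.is_extended)`, a comment such as `thread_info_ext ext; // valid only when is_extended is set` would document the contract. The struct's definition begins before this hunk.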