NtQueryInformationThread always fails in my code?

Question

I want to retrieve a process's thread's start address using a process ID and thread ID.
here is my code:

DWORD WINAPI GetThreadStartAddress(DWORD tid, DWORD pid)
{

 NTSTATUS ntStatus;

 HANDLE hDupHandle;

 DWORD dwStartAddress;

 HANDLE hProcess;

HANDLE hTread;

pNtQIT NtQueryInformationThread;

hTread = OpenThread(THREAD_ALL_ACCESS, FALSE, tid);

NtQueryInformationThread = (pNtQIT)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationThread");

if(NtQueryInformationThread == NULL)
    return 0;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
SuspendThread(hTread);
if(!DuplicateHandle(hProcess, hTread, hProcess, &hDupHandle, THREAD_QUERY_INFORMATION, FALSE, 0)){

    SetLastError(ERROR_ACCESS_DENIED);

    return 0;

}

ntStatus = NtQueryInformationThread(hDupHandle, ThreadQuerySetWin32StartAddress, &dwStartAddress, sizeof(DWORD), NULL);
ResumeThread(hTread );
CloseHandle(hTread);
CloseHandle(hProcess);

CloseHandle(hDupHandle);



if (ntStatus != 0)
    return 0;

return dwStartAddress;

}

but ntStatus is always not 0. Why?

Answer 1

OpenThread & OpenProcess may fail (especially due to insufficient privileges). You need to make sure you have valid handles before you call NtQueryInformationThread.

Answer 2

Assuming that pid points to the process you're trying to get information about, you're creating hDupHandle in the context of that remote process rather than your own. Your own process might or might not have a handle with the same numeric value, but it isn't the one you intended to use.

Also, for the same reason, you're duplicating a random handle from the remote process rather than the handle you got from OpenThread.

The call to DuplicateHandle should be

DuplicateHandle(GetCurrentProcess(), hTread, GetCurrentProcess(), &hDupHandle, 
  THREAD_QUERY_INFORMATION, FALSE, 0)

although I don't know why you're duplicating the handle in the first place rather than just using it directly.