C++/Win32 - How to Iterate specific process's thread list and resolve start address to module?

Question

Please bear in mind that im complete newbie in system programming.

Im trying to do is getting specific process's thread list(Including system process, aka PID 4), and get each thread's PID with Module Name.

ProcessExplorer does this, but im completely clueless that how they does this :(

Any helps, Especially with Code would be appreciated.

I am getting PID by using EnumProcesses (Name to PID) But clueless by how to implement two other required functions.

Answer 1

I remember system process(PID is 4) normal user can't access(even administrator). If you really want analyze system process's info, you need learn something about Windows Kernel Application.

Way to analyze theads in process, the answers of others have been said very clearly.

Answer 2

I cannot speak for ProcessExplorer, but ProcessHacker does a similar thing and I've looked through its source code a couple times.

They approach is simple in theory but requires some effort to implement (resolving the function name can be tricky).

Here's more or less the step by step process:

• Use NtQueryInformationThread to query the thread's start address. (Code here)
• Find which module that address belongs to and loads its symbol file (pdb)
• Now query that symbol file for the name of the function at that address, if one exists. (Code here) If there is no function at that address, they just return the module name and the start address in a pretty way (ModuleName.dll+<startAddress - moduleBase>)

I hope this clears some things up.