Thread32First help vb.net

[abuckau907]

Move to VB Forums?

I'm trying to find tls base by using the NtQueryInformationThread method, but when I call Thread32First it keeps returning nothing..or...the structure I pass to it is unchanged. Code below..

API
Public Declare Function Thread32First Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpte As ThreadEntry32) As Boolean

Public Structure ThreadEntry32
Public dwSize As UInt32
Public cntUsage As UInt32
Public th32ThreadID As UInt32
Public the32OwnerProcessID As UInt32
Public tpBasePri As UInt32
Public tpDeltaPri As UInt32
Public dwFlags As UInt32
Public th32Accesskey As UInt32
Public th32CurrentProcessId As UInt32
End Structure
...code

'TLSSLOTPOINTER = &H135D9FC
Dim TLSSlotNumber As UInt32 = ReadUInt32(wowProcessHandle, TLSSLOTPOINTER)
'How to know if fails, is normally 0 so..
Dim threadSnapshotHandle As IntPtr = IntPtr.Zero
threadSnapshotHandle = CreateToolhelp32Snapshot(4, wowProcessID(0).Id)
Thread32First(threadSnapshotHandle, threadStruct)

I'm 99% sure my problem is in ThreadEntry32 structure..probably the variable types? While debugging, after Thread32First() threadStruct still contains no data (except for .dwsize which was set before the call)


I think this is something basic to do w/ structures I'm messing up :S


PS. I've seen a few example that just have a static address g_clientConnection, and they use that + offset to find the Object Manager..I thought you had to use the whole NTQueryThread w/e to get the TEB base address and go from there, what is this g_clientConnection and how are you finding it each update?