This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.
Advapi32.dll
This DLL provides access to advanced core Windows components such as the Service Manager and Registry.
User32.dll
This DLL contains all the user-interface components, such as buttons, scroll bars, and components for controlling and responding to user actions.
Gdi32.dll
This DLL contains functions for displaying and manipulating graphics.
Ntdll.dll
This DLL is the interface to the Windows kernel. Executables generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
WSock32.dll and Ws2_32.dll
These are networking DLLs. A program that accesses either of these most likely connects to a network or performs network-related tasks.
Wininet.dll
This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.
Shell32.dll
This DLL can launch other programs.
Advapi32.dll
Provides security calls and functions for manipulating the Windows Registry.
msvcrt.dll
The C standard library for the Visual C++ (MSVC) compiler from version 4.2 to 6.0. It provides programs compiled by these versions of MSVC with most of the standard C library functions. These include string manipulation, memory allocation, C-style input/output calls, and others
rpcrt4.dll
This is a crucial Windows file associated with the Remote Procedure Call (RPC) API, used by applications for network and internet communication
Headers
Header
Description
[[Headers, DLLs and Functions#<stdio.h>|stdio.h]]
It is a Header file basic I/O like printf(), etc.
[[Headers, DLLs and Functions#netinet/ip.h|netinet/ip.h]]
Provides definitions for IP (Internet Protocol) related structures and constants, specifically for IPv4 networking
[[Headers, DLLs and Functions#arpa/inet.h| arpa/inet.h]]
Provides functions for manipulating IP addresses, especially for converting between text (string) and binary formats used in network programming.
[[Headers, DLLs and Functions#sys/socket.h|sys/socket.h]]
Provides the definitions and functions for using sockets which are used for network communication.
It is a POSIX (Unix standard) header file that gives you access to low-level OS functions, mainly related to I/O, processes, and file descriptors.
[[Headers, DLLs and Functions#windows.h|windows.h]]
<windows.h> is the main Windows API header file used for developing applications on Windows OS. It includes declarations for all core Windows functionality.
[[Headers, DLLs and Functions#stdlib.h|stdlib.h]]
<stdlib.h> is a standard C header that provides general-purpose utility functions, including memory management, random numbers, conversions, and process control.
[[Headers, DLLs and Functions#string.h|string.h]]
<string.h> is the standard C header that provides functions for handling strings and memory blocks.
stdio.h
It is a Header file basic I/O like printf(), etc.
Functions
printf
printf is a C standard library function used to print formatted text to the console (stdout).
Signature:
int printf(const char *format, ...);
Parameters:
format: A format string (e.g., "Value: %d\n")
...: Variable arguments to insert into the format string
Returns:
Number of characters printed, or a negative value on error.
Example:
printf("Hello %s, number = %d\n", "world", 42);
Output:Hello world, number = 42
sys/socket.h
It is a header file that provides the definitions and functions for using sockets which are used for network communication.
Functions
socket()
The socket() function is the starting point for network programming in C/C++. It’s how you create a communication endpoint.
Signature :
int socket(int domain, int type, int protocol);
Parameter
Description
domain
Specifies the protocol family (e.g. AF_INET for IPv4, AF_INET6 for IPv6)
type
Specifies the type of socket (e.g. SOCK_STREAM for TCP, SOCK_DGRAM for UDP)
protocol
Usually 0 (default) which means “Let’s the OS choose the appropriate protocol for the type you chose”.
Example:
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
AF_INET → IPv4
SOCK_STREAM → TCP
0 → Automatically picks TCP for this combo
Return Value:
Success: returns a file descriptor (non-negative int)
Failure: returns -1
connect()
The connect() function is used in socket programming to initiate a connection from a client to a server.
It says: “Hey server, I want to talk to you at this IP and port.” If the server is listening and accepts your connection, you’re now ready to send and receive data.
Signature
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
Parameter
Description
sockfd
The socket file descriptor returned by [[Headers, DLLs and Functions#socket()|socket]] function.
addr
Pointer to a sockaddr structure containing the server’s IP and port
addrlen
Size of the sockaddr structure (usually sizeof(struct sockaddr_in) for IPv4)
Return Value:
0 on success
-1 on failure → you should check errno or use perror() for details connect() is what a client uses to “call” the server.
Structures
sockaddr
The sockaddr structure is a generic socket address used by socket functions like connect(), bind(), accept(), etc. It acts as a placeholder that can represent any address type (IPv4, IPv6, etc.).
It’s a generic container, so it’s not used directly for setting IP addresses or ports.
Instead, you use a more specific structure (like sockaddr_in(for IPv4),sockaddr_in6(for IPv6) ), then cast its pointer to sockaddr* when passing it to socket functions.
Example :
struct sockaddr_in addr;addr.sin_family = AF_INET;addr.sin_port = htons(8080);inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr);// Pass to connect(), cast to (struct sockaddr*)connect(sockfd, (struct sockaddr*)&addr, sizeof(addr));
netinet/ip.h
It is a C header file that provides definitions for IP (Internet Protocol) related structures and constants, specifically for IPv4 networking.
Structures
sockaddr_in
This structure specifies a transport address and port for the IPv4.
Structure Signature:
struct sockaddr_in { sa_family_t sin_family; // Address family (AF_INET for IPv4) in_port_t sin_port; // Port number (in network byte order) struct in_addr sin_addr; // IP address (in network byte order) // Padding to make struct size same as struct sockaddr unsigned char sin_zero[8];};
Field
Description
sin_family
Always set to AF_INET for IPv4.
sin_port
The port number, which must be in network byte order (use [[Headers, DLLs and Functions#htons()– Host to Network Short|htons()]] to convert in network byte).
sin_addr
A structure of type in_addr that holds the IPv4 address.
sin_zero
Padding field to make sockaddr_in the same size as sockaddr. Not used in practice; just set to zero.
sockaddr_in6
This structure represents a socket address for IPv6.
Signature :
struct sockaddr_in6 { sa_family_t sin6_family; // Address family (AF_INET6) in_port_t sin6_port; // Port number (network byte order) uint32_t sin6_flowinfo; // Flow information (usually 0) struct in6_addr sin6_addr; // IPv6 address uint32_t sin6_scope_id; // Scope ID (for link-local addresses)};
Field
Description
sin6_family
Always set to AF_INET6 for IPv6.
sin6_port
Port number (use [[Headers, DLLs and Functions#htons()– Host to Network Short|htons()]] to convert to network byte order).
Used to specify interface for link-local addresses (e.g., fe80::...). Set to 0 otherwise.
in_addr
The in_addr structure represents a single IPv4 address. It is used within sockaddr_in and other network functions that deal specifically with IP addresses.
s6_addr is an array of 16 bytes = 128 bits (standard IPv6 address size).
It holds the IP address in network byte order (big-endian).
Use inet_pton() function to convert from string to binary format.
arpa/inet.h
It is a C header file that provides functions for manipulating IP addresses, especially for converting between text (string) and binary formats used in network programming.
Functions
inet_aton()
Converts an IPv4 address string (e.g., "192.168.1.1") to binary format and stores it in a struct in_addr.
Used only for IPv4.
Returns non-zero on success, 0 on failure.
Non-standard on Windows (not portable across platforms).
int inet_aton(const char *cp, struct in_addr *inp);
Parameters:
Parameter
Type
Description
cp
const char*
The IPv4 address in string format, e.g. "192.168.1.1"
inp
struct in_addr*
Pointer to a structin_addr where the binary address will be stored
These functions convert values from the host’s byte order (which might be little-endian) to network byte order (which is always big-endian).
Different computers use different endianness:
Little-endian (e.g., x86/x64 CPUs): least significant byte comes first
Big-endian: most significant byte comes first
But network protocols (like TCP/IP) always use big-endian format, so if your CPU is little-endian (which most are), you need to convert numbers before sending them.
Common hton and ntoh Functions
Function
Use Case
Input Type
Converts From → To
htons
Port numbers
uint16_t
Host → Network (16-bit)
htonl
IP addresses
uint32_t
Host → Network (32-bit)
ntohs
Received port numbers
uint16_t
Network → Host (16-bit)
ntohl
Received IP addresses
uint32_t
Network → Host (32-bit)
htons()– Host to Network Short
uint16_t htons(uint16_t hostshort);
Converts a 16-bit integer (e.g., a port number) from host byte order to network byte order.
htonl()– Host to Network Long
uint32_t htonl(uint32_t hostlong);
Converts a 32-bit integer (e.g., an IPv4 address) from host byte order to network byte order.
ntohs()– Network to Host Short
uint16_t htons(uint16_t hostshort);
Converts a 16-bit integer (e.g., a port number) from Network byte order to Host byte order.
ntohl()– Network to Host Long
uint32_t htonl(uint32_t hostlong);
Converts a 32-bit integer (e.g., an IPv4 address) from Network byte order to Host byte order.
unistd.h
It is a POSIX (Unix standard) header file that gives you access to low-level OS functions, mainly related to I/O, processes, and file descriptors.
Functions
dup2()
dup2() is a system call that duplicates one file descriptor to another.
Signature:
int dup2(int oldfd, int newfd);
Parameter
Description
oldfd
The original file descriptor you want to duplicate (e.g., a socket, file, etc.)
newfd
The file descriptor you want to overwrite or redirect to point to oldfd
Makes newfd refer to the same open file (or socket) as oldfd.
If newfd is already open, it will be closed first automatically.
oldfd and newfd will both now refer to the same underlying resource, but are still separate file descriptors.
<windows.h> is the main Windows API header file used for developing applications on Windows OS. It includes declarations for all core Windows functionality.
Functions
VirtualAlloc
VirtualAlloc is a Windows API function used to allocate memory pages directly from the system’s virtual memory.
VirtualProtect is a Windows API function used to change the protection (read, write, execute permissions) of a region of memory that your program owns.
Pointer to the starting address of the memory region
dwSize
SIZE_T
Number of bytes to change protection for
flNewProtect
DWORD
New protection flags (e.g., PAGE_EXECUTE_READWRITE)
lpflOldProtect
PDWORD
Pointer to a variable that receives the previous protection value
Common Protection Flags :
Flag
Meaning
PAGE_READONLY
Read-only
PAGE_READWRITE
Read and write
PAGE_EXECUTE
Execute only
PAGE_EXECUTE_READ
Execute and read
PAGE_EXECUTE_READWRITE
Execute, read, and write (used for shellcode)
PAGE_NOACCESS
Cannot access at all
Example:
#include <windows.h>#include <stdio.h>int main() { unsigned char code[] = { 0x90, 0x90, 0xC3 }; // NOP, NOP, RET (safe test shellcode) DWORD oldProtect; BOOL result = VirtualProtect( code, // memory address sizeof(code), // size PAGE_EXECUTE_READWRITE, // new protection &oldProtect // save old protection ); if (result) { printf("Memory protection changed.\n"); ((void(*)())code)(); // Call the shellcode } else { printf("VirtualProtect failed: %lu\n", GetLastError()); } return 0;}
CreateThread
CreateThread is a Windows API function used to create a new thread in your process. It’s one of the most direct ways to launch concurrent execution in Windows.
This waits for the thread to finish before continuing, ensuring synchronization.
OpenProcess
OpenProcess is a Windows API function that opens a handle to a running process using its process ID (PID) for further operations like reading memory or injecting code.
<stdlib.h> is a standard C header that provides general-purpose utility functions, including memory management, random numbers, conversions, and process control.
Functions
atoi
atoi (ASCII to Integer) is a C standard library function that converts a string to an int.
Signature :
int atoi(const char *str);
Parameters:
str: A C-style string (null-terminated) representing a number (e.g., "42")
Returns:
The converted int value of the string.
If the string is invalid or doesn’t start with a number, it returns 0 (no error indication!).
Example:
int num = atoi("123"); // num = 123
string.h
<string.h> is the standard C header that provides functions for handling strings and memory blocks.
tlhelp32.h
<tlhelp32.h> is a Windows header file that provides declarations for Tool Help Library functions, used to take snapshots of the system’s process, thread, module, and heap states.
Link against Kernel32.lib.
Functions
Structures
PROCESSENTRY32
The PROCESSENTRY32 structure is a Windows API data structure used with functions like Process32First() and Process32Next() to describe a process entry retrieved from a system snapshot.
The special function where the program starts running.
[[Headers, DLLs and Functions#OpenProcess|OpenProcess()]]
[[Headers, DLLs and Functions#windows.h|windows.h]]
A Windows API function → It opens an existing process and gives you a handle to it.
[[Headers, DLLs and Functions#VirtualAlloc|VirtualAlloc]] and [[Headers, DLLs and Functions#VirtualAllocEx|VirtualAllocEx]]
[[Headers, DLLs and Functions#windows.h|windows.h]] , kernel32.lib, kernel32.dll
- [[Headers, DLLs and Functions#VirtualAlloc|VirtualAlloc]] Allocates memory inside the process that’s running the code (yourself). - [[Headers, DLLs and Functions#VirtualAllocEx|VirtualAllocEx]] allocates memory inside another process.
[[Headers, DLLs and Functions#CreateThread|CreateThread()]] and [[Headers, DLLs and Functions#CreateRemoteThread|CreateRemoteThread()]]
[[Headers, DLLs and Functions#windows.h|windows.h]]
- [[Headers, DLLs and Functions#CreateThread|CreateThread()]] creates a thread in your own process. - [[Headers, DLLs and Functions#CreateRemoteThread|CreateRemoteThread()]] creates a thread in a different(remote) process.
CreateToolhelp32Snapshot
thelp32.h
Captures a snapshot of the system’s processes, threads, modules, or heaps at a particular point in time.
Process32Firstand Process32Next
thelp32.h
Used to iterate through the list of processes in the snapshot.
Thread32Firstand Thread32Next
thelp32.h
Used to enumerate threads in a snapshot.
Module32First and Module32Next
thelp32.h
Used to enumerate the modules (DLLs or EXEs) loaded by a process.
GetModuleHandle
Used to get the handle of loaded module(DLL) inside the current process.
GetProcAddress
Used to find the memory address of function
[[Headers, DLLs and Functions#socket()|socket()]]
[[Headers, DLLs and Functions#sys/socket.h|sys/socket.h]]
It is the starting point for network programming in C/C++. It’s how you create a communication endpoint.
[[Headers, DLLs and Functions#connect()|connect()]]
[[Headers, DLLs and Functions#sys/socket.h|sys/socket.h]]
The connect() function is used in socket programming to initiate a connection from a client to a server.
[[Headers, DLLs and Functions#inet_aton()|inet_aton()]]
[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]
Converts an IPv4 address string (e.g., "192.168.1.1") to binary format and stores it in a struct in_addr
[[Headers, DLLs and Functions#inet_pton()|inet_pton()]]
[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]
Converts both IPv4 or IPv6 address string to binary format and stores it in a in_addr or in6_addr structure respectively.
[[Headers, DLLs and Functions#htonl()– Host to Network Long|htons()]]
[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]
Converts a 16-bit integer (e.g., a port number) from host byte order to network byte order.
[[Headers, DLLs and Functions#htonl()– Host to Network Long|htonl()]]
[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]
Converts a 32-bit integer (e.g., an IPv4 address) from host byte order to network byte order.
[[Headers, DLLs and Functions#ntohs()– Network to Host Short|ntohs()]]
[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]
Converts a 16-bit integer (e.g., a port number) from Network byte order to Host byte order.
[[Headers, DLLs and Functions#ntohl()– Network to Host Long|ntohl()]]
[[Headers, DLLs and Functions#arpa/inet.h|arpa/inet.h]]
Converts a 32-bit integer (e.g., an IPv4 address) from Network byte order to Host byte order.
[[Headers, DLLs and Functions#dup2()|dup2()]]
[[Headers, DLLs and Functions#unistd.h|uniistd.h]]
Duplicates one file descriptor to another.
[[Headers, DLLs and Functions#execve()|execve()]]
[[Headers, DLLs and Functions#unistd.h|uniistd.h]]
Used to replace the current running process with a new program.
[[Headers, DLLs and Functions#RtlMoveMemory|RtlMoveMemory()]]
[[Headers, DLLs and Functions#windows.h|windows.h]]
Used to copy memory blocks in same process.
[[Headers, DLLs and Functions#WriteProcessMemory|WriteMemoryProcess()]]
[[Headers, DLLs and Functions#windows.h|windows.h]]
Used to copy memory blocks in remote process using PID.
[[Headers, DLLs and Functions#VirtualProtect|VirtualProtect()]]
[[Headers, DLLs and Functions#windows.h|windows.h]]
Used to change the protection (read, write, execute permissions) of a region of memory that your program owns.
[[Headers, DLLs and Functions#WaitForSingleObject|WaitForSingleObject()]]
[[Headers, DLLs and Functions#windows.h|windows.h]]
Function that pauses the calling thread until the specified object is signaled or a timeout occurs.
[[Headers, DLLs and Functions#CloseHandle|CloseHandle()]]
[[Headers, DLLs and Functions#windows.h|windows.h]]
Used to release system resources associated with handles (like processes, threads, files, etc.)
When you run a compiled C program, the operating system calls the main() function always first. It’s where your program starts executing.
sizeof()
sizeof is a compile-time operator in C/C++ that returns the size (in bytes) of a data type or variable.
Signature:
sizeof(type)sizeof(variable)
Returns:
The number of bytes required to store the data type or variable.
The result is of type size_t (an unsigned integer).
Note
sizeof is evaluated at compile time, not runtime.
For dynamically allocated memory (malloc), sizeof is not useful on the pointer.
strcmp
strcmp stands for string compare, and it’s a function from the C standard library used to compare two C-style strings (null-terminated char arrays).
Signature:
int strcmp(const char *str1, const char *str2);
Return :
Return Value
Meaning
0
The strings are equal.
< 0
str1 is less thanstr2.
> 0
str1 is greater thanstr2.
Compares each character of str1 and str21lexicographically (ASCII value).
Stops when:
Characters differ, or
A null character \0 is encountered (end of string).
Example:
Character
ASCII Value
'A'
65
'B'
66
'a'
97
'b'
98
strcmp("apple", "banana");
Compare 'a' vs 'b' → 'a' < 'b' → "apple" is less than"banana".
strcmp("cat", "car");
'c' = 'c'
'a' = 'a'
't' > 'r' → "cat" is greater than"car"
strcmp("Apple", "apple"); // Returns < 0
Because 'A' (65) < 'a' (97), even though they’re the same letter.
NOTE
It is case-sensitive.
strcmp("abc", "ABC") ≠ 0
If you want case-insensitive comparison, use:
stricmp() on Windows (_stricmp)
strcasecmp() on POSIX
THREADENTRY32
The THREADENTRY32 structure in Windows is used with the Tool Help Library to retrieve information about threads running in the system. It is primarily used with functions like Thread32First and Thread32Next when you’re taking a snapshot of the system’s threads (using CreateToolhelp32Snapshot with TH32CS_SNAPTHREAD).
Signature :
typedef struct tagTHREADENTRY32 { DWORD dwSize; DWORD cntUsage; DWORD th32ThreadID; DWORD th32OwnerProcessID; LONG tpBasePri; LONG tpDeltaPri; DWORD dwFlags;} THREADENTRY32;
Member
Description
dwSize
Size of the structure in bytes. Must be set before calling [[Headers, DLLs and Functions#Thread32First|Thread32First]].
cntUsage
Reserved. Not used in Windows; ignore.
th32ThreadID
Unique thread ID.
th32OwnerProcessID
Process ID of the process that owns this thread.
tpBasePri
Base priority of the thread.
tpDeltaPri
Priority delta from the base.
dwFlags
Reserved. Not used in Windows; ignore.
Example :
THREADENTRY32 te;te.dwSize = sizeof(THREADENTRY32);HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);if (Thread32First(hThreadSnap, &te)) { do { if (te.th32OwnerProcessID == targetPID) { printf("Found thread ID: %lu\n", te.th32ThreadID); } } while (Thread32Next(hThreadSnap, &te));}
Thread32First
Thread32First is a Windows API function used to retrieve information about the first thread in a system snapshot created with CreateToolhelp32Snapshot(). It works hand-in-hand with Thread32Next to loop through all threads currently running on the system.
Handle to a snapshot of the system (created using [[Headers, DLLs and Functions#CreateToolhelp32Snapshot|CreateToolhelp32Snapshot()]] with TH32CS_SNAPTHREAD).
lpte
Pointer to a [[Headers, DLLs and Functions#THREADENTRY32|THREADENTRY32]] structure. You must initialize lpte.dwSize to sizeof(THREADENTRY32) before calling.
Return :
Returns nonzero (TRUE) if successful (i.e., a thread entry is found).
Returns 0 (FALSE) if the function fails or no threads are found. Use GetLastError() to get more info on failure.
The CONTEXT structure is defined in the Windows API and is used to represent the complete CPU state of a thread. You use it with GetThreadContext() and to inspect or modify a thread’s execution.
Signature :
typedef struct _CONTEXT { DWORD64 P1Home; DWORD64 P2Home; DWORD64 P3Home; DWORD64 P4Home; DWORD64 P5Home; DWORD64 P6Home; DWORD ContextFlags; // Must be set before using GetThreadContext or SetThreadContext DWORD MxCsr; WORD SegCs; WORD SegDs; WORD SegEs; WORD SegFs; WORD SegGs; WORD SegSs; DWORD EFlags; // General Purpose Registers DWORD64 Rax; DWORD64 Rcx; DWORD64 Rdx; DWORD64 Rbx; DWORD64 Rsp; DWORD64 Rbp; DWORD64 Rsi; DWORD64 Rdi; DWORD64 R8; DWORD64 R9; DWORD64 R10; DWORD64 R11; DWORD64 R12; DWORD64 R13; DWORD64 R14; DWORD64 R15; // Control Registers DWORD64 Rip; // Floating Point / Debug / Vector registers (omitted here for brevity) // ... (there’s more: XMM registers, debug registers, etc.)} CONTEXT, *PCONTEXT;
The GetThreadContext() function retrieves the context (CPU register values) of a specific thread. It’s essential when you want to inspect or modify where a thread is or what it’s doing, especially useful in process/thread injection, debugging, and hooking.
Signature :
BOOL GetThreadContext( HANDLE hThread, // handle to the target thread LPCONTEXT lpContext // pointer to CONTEXT structure);
Parameter
Description
hThread
Handle to the thread (opened with THREAD_GET_CONTEXT or THREAD_ALL_ACCESS)
lpContext
Pointer to a [[Headers, DLLs and Functions#CONTEXT|CONTEXT]] structure. You must set ContextFlags before the call to indicate what parts of the context you’re interested in.
Return :
Returns TRUE on success
Returns FALSE on failure — use GetLastError() to get details
NOTE
Before calling GetThreadContext, you must set:
ctx.ContextFlags = CONTEXT_FULL; // or another appropriate flag
If you don’t set ContextFlags, the function may fail or return incomplete data.
SetThreadContext()modifies the register values (context) of a specified thread. It’s commonly used in process/thread injection, especially to redirect execution flow (e.g., to shellcode).
Pointer to a CONTEXT structure containing the new register values. You must set the ContextFlags field to indicate which parts you’re modifying.
Example :
CONTEXT ctx;ctx.ContextFlags = CONTEXT_FULL;SuspendThread(hThread); // pause the threadGetThreadContext(hThread, &ctx); // get current register statectx.Rip = (DWORD_PTR)remoteShellcode; // set new instruction pointer (x64)SetThreadContext(hThread, &ctx); // update thread to start executing shellcodeResumeThread(hThread); // resume the hijacked thread
Requirements
Requirement
Value
Thread must be
Suspended
Access rights needed
THREAD_SET_CONTEXT or THREAD_ALL_ACCESS
ContextFlags
Must be set before the call (CONTEXT_FULL, etc.)
OpenThread
The OpenThread function allows you to obtain a handle to an existing thread, given its Thread ID and desired access rights.
Thread32Next is used to enumerate threads in a system snapshot, usually after calling Thread32First. It’s often used to iterate through all threads in the system or in a specific process.
Handle to a snapshot created by CreateToolhelp32Snapshot, with TH32CS_SNAPTHREAD flag.
lpte
LPTHREADENTRY32
Pointer to a THREADENTRY32 structure that receives info about the next thread.
🔹 Return Value
Returns TRUE if successful (i.e., more threads exist).
Returns FALSE when there are no more threads or an error occurs. Use GetLastError() to check.
🔸 Usage Pattern
You typically use it like this:
THREADENTRY32 te32;te32.dwSize = sizeof(THREADENTRY32);HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);if (Thread32First(hSnapshot, &te32)) { do { printf("Thread ID: %u in process %u\n", te32.th32ThreadID, te32.th32OwnerProcessID); } while (Thread32Next(hSnapshot, &te32));}CloseHandle(hSnapshot);
📌 Required Header
#include <tlhelp32.h>#include <windows.h>
📦 Required Library
Linked automatically with Kernel32.lib.
🧠 One-Line Summary
Thread32Next continues enumerating threads from a system snapshot, helping you loop through all active threads on the system or in a specific process.
Let me know if you also want to filter threads by process or use it for process injection scenarios.
Footnotes
Lexicographically means dictionary order, just like how words are sorted in a dictionary.
In computer terms, it means comparing strings character by character using their ASCII (or Unicode) values. ↩
