Im trying to invoke ZwCreateThread. But since it is a undocumented function i don't know how to do it. The 7'th arguement of the function is PINITIAL_TEB  UserStack.

How to initialize this structure to use it in ZwCreateThread?

 

This is my code so far.

invoke RtlInitializeContext, -1, Addr threadContext, NULL, Addr ThreadStartupRoutine, Addr userStack

invoke ZwCreateThread, Addr processHandle, PROCESS_ALL_ACCESS, Addr oa, -1, Addr ClientId, Addr threadContext, Addr userStack, FALSE

Edited November 21, 201311 yr by Yoshi

the kernel functions Zw* cant be called directly. they dont have exports by design as you are supposed to use the stubs like PsCreateSystemThread calls ZwCreateThread...

 

however you can call them with a "trick", example is for a different Zw* function but easily adoptable:

c++:
typedef NTSTATUS (*QUERYINFOPROC) (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); 
HANDLE h = GetCurrentProcess();

DWORD debuggerPresent = 0;
HMODULE ntdll = GetModuleHandle(_T("Ntdll"));

QUERYINFOPROC addr = (QUERYINFOPROC)GetProcAddress(ntdll,"NtQueryInformationProcess");

addr(h, (PROCESSINFOCLASS)DebugTest::PROCESSINFOCLASS::ProcessDebugPort, &debuggerPresent, sizeof(DWORD),NULL);

for the UserStack parameter, judged by http://msdn.microsoft.com/en-us/library/windows/hardware/ff559932%28v=vs.85%29.aspx it is optional.

Edited November 22, 201311 yr by cypher

the kernel functions Zw* cant be called directly.

 

Wrong, it can.

 

Also in that case, the userstack is not optional.

hm could you explain how and under what circumstances?

 

For the userstack parameter I would trace a call to PsCreateSystemThread down to ZwCreateThread and see what the argument is and where it is set.

I will send you a pm of my project, so you can see what I mean.

answered in pm

Thanks huntingspace! You are awesome 

could you please post the answer for others? thx!