Tuts 4 You

create thread

I'm trying to invoke ZwCreateThread. But since it is an undocumented function, I don't know how to do it. The 7th argument of the function is PINITIAL_TEB UserStack.

How to initialize this structure to use it in ZwCreateThread?


This is my code so far.

; build the CONTEXT for the new thread: InitialPc = start routine, InitialSp = top of the user stack
invoke RtlInitializeContext, -1, Addr threadContext, NULL, Addr ThreadStartupRoutine, Addr userStack
; ZwCreateThread(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, ClientId, ThreadContext, InitialTeb, CreateSuspended)
invoke ZwCreateThread, Addr processHandle, PROCESS_ALL_ACCESS, Addr oa, -1, Addr ClientId, Addr threadContext, Addr userStack, FALSE

Edited by Yoshi

The kernel functions Zw* can't be called directly. They don't have exports by design, as you are supposed to use the stubs, like PsCreateSystemThread calls ZwCreateThread...


However, you can call them with a "trick". The example is for a different Zw* function but easily adaptable:

#include <windows.h>
#include <winternl.h>   // NTSTATUS, PROCESSINFOCLASS, ProcessDebugPort
typedef NTSTATUS (NTAPI *QUERYINFOPROC)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
DWORD_PTR debuggerPresent = 0; HMODULE ntdll = GetModuleHandle(TEXT("Ntdll"));  // ProcessDebugPort yields a pointer-sized value
QUERYINFOPROC addr = (QUERYINFOPROC)GetProcAddress(ntdll, "NtQueryInformationProcess");
addr(h, ProcessDebugPort, &debuggerPresent, sizeof(debuggerPresent), NULL);  // h = handle of the process to check

For the UserStack parameter, judging by http://msdn.microsoft.com/en-us/library/windows/hardware/ff559932%28v=vs.85%29.aspx it is optional.

Edited by cypher

Hm, could you explain how and under what circumstances?


For the UserStack parameter, I would trace a call to PsCreateSystemThread down to ZwCreateThread and see what the argument is and where it is set.
