Im trying to invoke ZwCreateThread. But since it is a undocumented function i don't know how to do it. The 7'th arguement of the function is PINITIAL_TEB  UserStack.

How to initialize this structure to use it in ZwCreateThread?


This is my code so far.

invoke RtlInitializeContext, -1, Addr threadContext, NULL, Addr ThreadStartupRoutine, Addr userStack
invoke ZwCreateThread, Addr processHandle, PROCESS_ALL_ACCESS, Addr oa, -1, Addr ClientId, Addr threadContext, Addr userStack, FALSE

the kernel functions Zw* cant be called directly. they dont have exports by design as you are supposed to use the stubs like PsCreateSystemThread calls ZwCreateThread...


however you can call them with a "trick", example is for a different Zw* function but easily adoptable:

DWORD debuggerPresent = 0; HMODULE ntdll = GetModuleHandle(_T("Ntdll"));
QUERYINFOPROC addr = (QUERYINFOPROC)GetProcAddress(ntdll,"NtQueryInformationProcess");
addr(h, (PROCESSINFOCLASS)DebugTest::PROCESSINFOCLASS::ProcessDebugPort, &debuggerPresent, sizeof(DWORD),NULL);

for the UserStack parameter, judged by http://msdn.microsoft.com/en-us/library/windows/hardware/ff559932%28v=vs.85%29.aspx it is optional.

hm could you explain how and under what circumstances?


For the userstack parameter I would trace a call to PsCreateSystemThread down to ZwCreateThread and see what the argument is and where it is set.

