Yoshi, posted November 21, 2013 (edited)

I'm trying to invoke ZwCreateThread. But since it is an undocumented function I don't know how to do it. The 7th argument of the function is PINITIAL_TEB UserStack. How do I initialize this structure to use it in ZwCreateThread? This is my code so far:

invoke RtlInitializeContext, -1, Addr threadContext, NULL, Addr ThreadStartupRoutine, Addr userStack
invoke ZwCreateThread, Addr processHandle, PROCESS_ALL_ACCESS, Addr oa, -1, Addr ClientId, Addr threadContext, Addr userStack, FALSE
cypher, posted November 22, 2013 (edited)

The kernel functions Zw* can't be called directly. They don't have exports by design, as you are supposed to use the stubs, like PsCreateSystemThread calls ZwCreateThread... However, you can call them with a "trick". The example is for a different Zw* function but easily adaptable.

C++:

// Resolve the native function from ntdll at run time instead of linking
// against a non-existent import. NTAPI (stdcall on x86) must be part of
// the pointer type, or the stack is corrupted on 32-bit builds.
#include <windows.h>
#include <winternl.h>   // PROCESSINFOCLASS, ProcessDebugPort
#include <tchar.h>

typedef NTSTATUS (NTAPI *QUERYINFOPROC)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

HANDLE h = GetCurrentProcess();
DWORD_PTR debuggerPresent = 0;   // ProcessDebugPort returns a pointer-sized value
HMODULE ntdll = GetModuleHandle(_T("ntdll.dll"));
QUERYINFOPROC addr = ntdll ? (QUERYINFOPROC)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
if (addr != NULL) {
    // Check the NTSTATUS: on failure the output buffer is not meaningful.
    NTSTATUS st = addr(h, ProcessDebugPort, &debuggerPresent, sizeof(debuggerPresent), NULL);
    if (!NT_SUCCESS(st)) debuggerPresent = 0;
}

For the UserStack parameter, judging by http://msdn.microsoft.com/en-us/library/windows/hardware/ff559932%28v=vs.85%29.aspx it is optional.
Yoshi (author), posted November 22, 2013

Quoting cypher: "the kernel functions Zw* can't be called directly."

Wrong, it can. Also, in that case the UserStack is not optional.
cypher, posted November 22, 2013

Hm, could you explain how and under what circumstances? For the UserStack parameter I would trace a call to PsCreateSystemThread down to ZwCreateThread and see what the argument is and where it is set.
Yoshi (author), posted November 22, 2013

I will send you a PM of my project, so you can see what I mean.
Yoshi (author), posted November 23, 2013

Thanks huntingspace! You are awesome.
cypher, posted November 23, 2013

Could you please post the answer for others? Thx!