Tuts 4 You

create thread
Yoshi

I'm trying to invoke ZwCreateThread. But since it is an undocumented function I don't know how to do it. The 7th argument of the function is PINITIAL_TEB UserStack.

How do I initialize this structure to use it in ZwCreateThread?

This is my code so far.

; fill the initial CONTEXT: current process (-1), no start parameter, entry point, initial stack pointer
invoke RtlInitializeContext, -1, Addr threadContext, NULL, Addr ThreadStartupRoutine, Addr userStack
; ZwCreateThread(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, ClientId, ThreadContext, InitialTeb, CreateSuspended)
invoke ZwCreateThread, Addr processHandle, PROCESS_ALL_ACCESS, Addr oa, -1, Addr ClientId, Addr threadContext, Addr userStack, FALSE

cypher

The kernel functions Zw* can't be called directly. They don't have exports by design, as you are supposed to use the stubs, like PsCreateSystemThread calls ZwCreateThread...

However, you can call them with a "trick". The example is for a different Zw* function but easily adaptable:

c++:
#include <windows.h>
#include <winternl.h>   // NTSTATUS, PROCESSINFOCLASS (ProcessDebugPort)
#include <tchar.h>

// NTAPI: the native API uses the stdcall convention on x86
typedef NTSTATUS (NTAPI *QUERYINFOPROC)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

bool DebuggerAttached()
{
    HANDLE h = GetCurrentProcess();
    DWORD_PTR debuggerPresent = 0;   // ProcessDebugPort returns a pointer-sized value
    HMODULE ntdll = GetModuleHandle(_T("Ntdll"));
    if (ntdll == NULL)
        return false;
    // Nt*/Zw* are not in the import libraries, so resolve the export from ntdll at run time
    QUERYINFOPROC addr = (QUERYINFOPROC)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (addr == NULL)
        return false;
    NTSTATUS st = addr(h, ProcessDebugPort, &debuggerPresent, sizeof(debuggerPresent), NULL);
    return NT_SUCCESS(st) && debuggerPresent != 0;
}

For the UserStack parameter, judging by http://msdn.microsoft.com/en-us/library/windows/hardware/ff559932%28v=vs.85%29.aspx it is optional.
Yoshi

"The kernel functions Zw* can't be called directly."

Wrong, they can.

Also, in that case, the user stack is not optional.
cypher

Hm, could you explain how and under what circumstances?

For the UserStack parameter I would trace a call to PsCreateSystemThread down to ZwCreateThread and see what the argument is and where it is set.
Yoshi

I will send you a PM of my project, so you can see what I mean.
huntingspace

Answered in PM.
Yoshi

Thanks huntingspace! You are awesome :yahoo:
cypher

Could you please post the answer for others? Thx!