64,637
社区成员
发帖
与我相关
我的任务
分享线程加载DLL RtlCreateUserThread
使用RtlCreateUserThread创建的线程一切正常, 但是在创建的线程中调用WSAStartup总是失败(错误ID:10106, 说明:无法加载或初始化请求的服务提供程序。), 如果在创建的线程外部调用WSAStartup或者使用CreateThread来创建线程的话就没有问题, 如此何解?
有答案再加分, 不浪费.
有答案再加分, 不浪费.
...全文
请发表友善的回复…
发表回复
RLib 2012-02-25
- 打赏
- 举报
感冒得严重。。。唉
Lactoferrin 2012-02-21
- 打赏
- 举报
HANDLE
APIENTRY
CreateRemoteThread(
HANDLE hProcess,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
DWORD dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
LPDWORD lpThreadId
)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES Obja;
POBJECT_ATTRIBUTES pObja;
HANDLE Handle;
CONTEXT ThreadContext;
INITIAL_TEB InitialTeb;
CLIENT_ID ClientId;
ULONG i;
#if !defined(BUILD_WOW6432)
BASE_API_MSG m;
PBASE_CREATETHREAD_MSG a = (PBASE_CREATETHREAD_MSG)&m.u.CreateThread;
#endif
#if defined(WX86) || defined(_AXP64_)
BOOL bWx86 = FALSE;
HANDLE Wx86Info;
PWX86TIB Wx86Tib;
#endif
//
// Allocate a stack for this thread in the address space of the target
// process.
//
Status = BaseCreateStack(
hProcess,
dwStackSize,
0L,
&InitialTeb
);
if ( !NT_SUCCESS(Status) ) {
BaseSetLastNTError(Status);
return NULL;
}
//
// Create an initial context for the new thread.
//
BaseInitializeContext(
&ThreadContext,
lpParameter,
(PVOID)lpStartAddress,
InitialTeb.StackBase,
BaseContextTypeThread
);
pObja = BaseFormatObjectAttributes(&Obja,lpThreadAttributes,NULL);
Status = NtCreateThread(
&Handle,
THREAD_ALL_ACCESS,
pObja,
hProcess,
&ClientId,
&ThreadContext,
&InitialTeb,
TRUE
);
if (!NT_SUCCESS(Status)) {
BaseFreeThreadStack(hProcess,NULL, &InitialTeb);
BaseSetLastNTError(Status);
return NULL;
}
try {
#if defined(WX86) || defined(_AXP64_)
//
// Check the Target Processes to see if this is a Wx86 process
//
Status = NtQueryInformationProcess(hProcess,
ProcessWx86Information,
&Wx86Info,
sizeof(Wx86Info),
NULL
);
if (!NT_SUCCESS(Status)) {
leave;
}
Wx86Tib = (PWX86TIB)NtCurrentTeb()->Vdm;
//
// if Wx86 process, setup for emulation
//
if ((ULONG_PTR)Wx86Info == sizeof(WX86TIB)) {
//
// create a WX86Tib and initialize it's Teb->Vdm.
//
Status = BaseCreateWx86Tib(hProcess,
Handle,
(ULONG)((ULONG_PTR)lpStartAddress),
dwStackSize,
0L,
(Wx86Tib &&
Wx86Tib->Size == sizeof(WX86TIB) &&
Wx86Tib->EmulateInitialPc)
);
if (!NT_SUCCESS(Status)) {
leave;
}
bWx86 = TRUE;
}
else if (Wx86Tib && Wx86Tib->EmulateInitialPc) {
//
// if not Wx86 process, and caller wants to call x86 code in that
// process, fail the call.
//
Status = STATUS_ACCESS_DENIED;
leave;
}
#endif // WX86
//
// Call the Windows server to let it know about the
// process.
//
if ( !BaseRunningInServerProcess ) {
#if defined(BUILD_WOW6432)
Status = CsrBasepCreateThread(Handle,
ClientId
);
#else
a->ThreadHandle = Handle;
a->ClientId = ClientId;
CsrClientCallServer( (PCSR_API_MSG)&m,
NULL,
CSR_MAKE_API_NUMBER( BASESRV_SERVERDLL_INDEX,
BasepCreateThread
),
sizeof( *a )
);
Status = m.ReturnValue;
#endif
}
else {
if (hProcess != NtCurrentProcess()) {
CSRREMOTEPROCPROC ProcAddress;
ProcAddress = (CSRREMOTEPROCPROC)GetProcAddress(
GetModuleHandleA("csrsrv"),
"CsrCreateRemoteThread"
);
if (ProcAddress) {
Status = (ProcAddress)(Handle, &ClientId);
}
}
}
if (!NT_SUCCESS(Status)) {
Status = (NTSTATUS)STATUS_NO_MEMORY;
}
else {
if ( ARGUMENT_PRESENT(lpThreadId) ) {
*lpThreadId = HandleToUlong(ClientId.UniqueThread);
}
if (!( dwCreationFlags & CREATE_SUSPENDED) ) {
NtResumeThread(Handle,&i);
}
}
}
finally {
if (!NT_SUCCESS(Status)) {
BaseFreeThreadStack(hProcess,
Handle,
&InitialTeb
);
NtTerminateThread(Handle, Status);
NtClose(Handle);
BaseSetLastNTError(Status);
Handle = NULL;
}
}
return Handle;
}
APIENTRY
CreateRemoteThread(
HANDLE hProcess,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
DWORD dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
LPDWORD lpThreadId
)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES Obja;
POBJECT_ATTRIBUTES pObja;
HANDLE Handle;
CONTEXT ThreadContext;
INITIAL_TEB InitialTeb;
CLIENT_ID ClientId;
ULONG i;
#if !defined(BUILD_WOW6432)
BASE_API_MSG m;
PBASE_CREATETHREAD_MSG a = (PBASE_CREATETHREAD_MSG)&m.u.CreateThread;
#endif
#if defined(WX86) || defined(_AXP64_)
BOOL bWx86 = FALSE;
HANDLE Wx86Info;
PWX86TIB Wx86Tib;
#endif
//
// Allocate a stack for this thread in the address space of the target
// process.
//
Status = BaseCreateStack(
hProcess,
dwStackSize,
0L,
&InitialTeb
);
if ( !NT_SUCCESS(Status) ) {
BaseSetLastNTError(Status);
return NULL;
}
//
// Create an initial context for the new thread.
//
BaseInitializeContext(
&ThreadContext,
lpParameter,
(PVOID)lpStartAddress,
InitialTeb.StackBase,
BaseContextTypeThread
);
pObja = BaseFormatObjectAttributes(&Obja,lpThreadAttributes,NULL);
Status = NtCreateThread(
&Handle,
THREAD_ALL_ACCESS,
pObja,
hProcess,
&ClientId,
&ThreadContext,
&InitialTeb,
TRUE
);
if (!NT_SUCCESS(Status)) {
BaseFreeThreadStack(hProcess,NULL, &InitialTeb);
BaseSetLastNTError(Status);
return NULL;
}
try {
#if defined(WX86) || defined(_AXP64_)
//
// Check the Target Processes to see if this is a Wx86 process
//
Status = NtQueryInformationProcess(hProcess,
ProcessWx86Information,
&Wx86Info,
sizeof(Wx86Info),
NULL
);
if (!NT_SUCCESS(Status)) {
leave;
}
Wx86Tib = (PWX86TIB)NtCurrentTeb()->Vdm;
//
// if Wx86 process, setup for emulation
//
if ((ULONG_PTR)Wx86Info == sizeof(WX86TIB)) {
//
// create a WX86Tib and initialize it's Teb->Vdm.
//
Status = BaseCreateWx86Tib(hProcess,
Handle,
(ULONG)((ULONG_PTR)lpStartAddress),
dwStackSize,
0L,
(Wx86Tib &&
Wx86Tib->Size == sizeof(WX86TIB) &&
Wx86Tib->EmulateInitialPc)
);
if (!NT_SUCCESS(Status)) {
leave;
}
bWx86 = TRUE;
}
else if (Wx86Tib && Wx86Tib->EmulateInitialPc) {
//
// if not Wx86 process, and caller wants to call x86 code in that
// process, fail the call.
//
Status = STATUS_ACCESS_DENIED;
leave;
}
#endif // WX86
//
// Call the Windows server to let it know about the
// process.
//
if ( !BaseRunningInServerProcess ) {
#if defined(BUILD_WOW6432)
Status = CsrBasepCreateThread(Handle,
ClientId
);
#else
a->ThreadHandle = Handle;
a->ClientId = ClientId;
CsrClientCallServer( (PCSR_API_MSG)&m,
NULL,
CSR_MAKE_API_NUMBER( BASESRV_SERVERDLL_INDEX,
BasepCreateThread
),
sizeof( *a )
);
Status = m.ReturnValue;
#endif
}
else {
if (hProcess != NtCurrentProcess()) {
CSRREMOTEPROCPROC ProcAddress;
ProcAddress = (CSRREMOTEPROCPROC)GetProcAddress(
GetModuleHandleA("csrsrv"),
"CsrCreateRemoteThread"
);
if (ProcAddress) {
Status = (ProcAddress)(Handle, &ClientId);
}
}
}
if (!NT_SUCCESS(Status)) {
Status = (NTSTATUS)STATUS_NO_MEMORY;
}
else {
if ( ARGUMENT_PRESENT(lpThreadId) ) {
*lpThreadId = HandleToUlong(ClientId.UniqueThread);
}
if (!( dwCreationFlags & CREATE_SUSPENDED) ) {
NtResumeThread(Handle,&i);
}
}
}
finally {
if (!NT_SUCCESS(Status)) {
BaseFreeThreadStack(hProcess,
Handle,
&InitialTeb
);
NtTerminateThread(Handle, Status);
NtClose(Handle);
BaseSetLastNTError(Status);
Handle = NULL;
}
}
return Handle;
}
Lactoferrin 2012-02-19
- 打赏
- 举报
RtlCreateUserThread没有做和win32子系统有关的初始化工作
Kevin_Perkins 2012-02-19
- 打赏
- 举报
在创建的远程线程中无法加载DLL到远程进程的地址空间吧?进程防注入了?
RLib 2012-02-19
- 打赏
- 举报
[Quote=引用 1 楼 kevin_perkins 的回复:]
在创建的远程线程中无法加载DLL到远程进程的地址空间吧?进程防注入了?
[/Quote]
不是
在创建的远程线程中无法加载DLL到远程进程的地址空间吧?进程防注入了?
[/Quote]
不是
Lactoferrin 2012-02-19
- 打赏
- 举报
我在用手机,晚上发上来
RLib 2012-02-19
- 打赏
- 举报
[Quote=引用 11 楼 lactoferrin 的回复:]
exe的没有,dll的有
[/Quote]
确实可以.
我找的CreateRemoteThread的代码里面没有CsrClientCallServer, 网上又搜索不到CsrClientCallServer的资料,列宁帮找找吧, 我要回校了.
exe的没有,dll的有
[/Quote]
确实可以.
我找的CreateRemoteThread的代码里面没有CsrClientCallServer, 网上又搜索不到CsrClientCallServer的资料,列宁帮找找吧, 我要回校了.
Lactoferrin 2012-02-19
- 打赏
- 举报
exe的没有,dll的有
RLib 2012-02-19
- 打赏
- 举报
[Quote=引用 9 楼 lactoferrin 的回复:]
dll真正的入口点和DllMain是一样的,这个做的比exe好
[/Quote]
指定的入口点是无参的
dll真正的入口点和DllMain是一样的,这个做的比exe好
[/Quote]
指定的入口点是无参的
Lactoferrin 2012-02-19
- 打赏
- 举报
dll真正的入口点和DllMain是一样的,这个做的比exe好
RLib 2012-02-19
- 打赏
- 举报
另外顺便问一下,指定入口点的DLL(不使用默认的DllMain)如何取得DLL_PROCESS_DETACH这类的通知?
Lactoferrin 2012-02-19
- 打赏
- 举报
我只知道winxp用的是TDI接口,后面的没验证
windows内核安全编程里面有相关资料
主要就是NtCreateFile创建socket,信息在EaBuffer里面,send,recv等就是NtDeviceIoControlFile
你可以hook这些东西来探究
windows内核安全编程里面有相关资料
主要就是NtCreateFile创建socket,信息在EaBuffer里面,send,recv等就是NtDeviceIoControlFile
你可以hook这些东西来探究
RLib 2012-02-19
- 打赏
- 举报
[Quote=引用 5 楼 lactoferrin 的回复:]
你看一下CreateRemoteThread的代码,里面有个CsrClientCallServer
或者用native api来用socket
[/Quote]
找不到native api的socket资料
你看一下CreateRemoteThread的代码,里面有个CsrClientCallServer
或者用native api来用socket
[/Quote]
找不到native api的socket资料
Lactoferrin 2012-02-19
- 打赏
- 举报
你看一下CreateRemoteThread的代码,里面有个CsrClientCallServer
或者用native api来用socket
或者用native api来用socket
RLib 2012-02-19
- 打赏
- 举报
[Quote=引用 3 楼 lactoferrin 的回复:]
RtlCreateUserThread没有做和win32子系统有关的初始化工作
[/Quote]
那么怎么做
RtlCreateUserThread没有做和win32子系统有关的初始化工作
[/Quote]
那么怎么做
