Previous post: http://bbs.pediy.com/showthread.php?p=1269090
It said that hooking NtCreateThread on Win7 32-bit has no effect, because Win7 no longer uses NtCreateThread (thanks to everyone who replied to that post).
So I turned to hooking ZwCreateThread instead (but that function is the same as NtCreateThread, service number and so on, so it cannot be hooked either).
Then I set my sights on ZwCreateThreadEx (the parameters of NtCreateThreadZx are even more of a pain... so I picked the former).
From http://bbs.pediy.com/showthread.php?t=174534 I got the following prototype (credit @cvcvxk):
```c
typedef NTSTATUS (NTAPI *_ZwCreateThreadEx)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ProcessHandle,
    IN PTHREAD_START_ROUTINE StartRoutine,
    IN PVOID StartContext,
    IN ULONG CreateThreadFlags,
    IN SIZE_T ZeroBits OPTIONAL,
    IN SIZE_T StackSize OPTIONAL,
    IN SIZE_T MaximumStackSize OPTIONAL,
    IN PPROC_THREAD_ATTRIBUTE_LIST AttributeList
);
```
In that function I want to obtain the thread ID and threadContext->eax,
because my hook function needs those values (inspired by NtCreateThread, which I hooked under XP).
So, being too clever by half, I rewrote it as follows (service number written as 0x58):
```c
#include <ntddk.h>   // NTSTATUS, HANDLE, PROCESS_BASIC_INFORMATION, PsGetCurrentProcessId, ZwQueryInformationProcess

// RealZwCreateThreadEx (saved pointer to the original entry), IsCurrentThreadSuspect()
// and InsertThread() are the poster's own helpers and are not shown in the post.

NTSTATUS
MyZwCreateThreadEx(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN PVOID ObjectAttributes OPTIONAL,
    IN HANDLE ProcessHandle,
    OUT PCLIENT_ID ClientId,
    IN PCONTEXT ThreadContext,      // StartContext
    IN BOOL CreateSuspended,
    IN ULONG StackZeroBits,
    IN SIZE_T SizeOfStackCommit,
    IN SIZE_T SizeOfStackReserve,
    OUT PVOID lpBytesBuffer)
{
    NTSTATUS status, status1;
    PROCESS_BASIC_INFORMATION pbi;
    void *PEB, *Ldr, *Flink, *p;
    void *BaseAddress, *FullDllName, *SizeOfImage;

    DbgPrint("被调用1!!!!!\n");    // "called 1!!!!!"

    // Pass everything through to the original first
    status = RealZwCreateThreadEx(
        ThreadHandle,
        DesiredAccess,
        ObjectAttributes,
        ProcessHandle,
        ClientId,
        ThreadContext,      // StartContext
        CreateSuspended,
        StackZeroBits,
        SizeOfStackCommit,
        SizeOfStackReserve,
        lpBytesBuffer);

    if (IsCurrentThreadSuspect())
    {
        InsertThread(ClientId->UniqueThread);
        return status;
    }

    // Only walk the PEB when the target process is the current one
    status1 = ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
    if ((HANDLE)pbi.UniqueProcessId == PsGetCurrentProcessId())
    {
        // 32-bit layout: PEB->Ldr at +0x0C, PEB_LDR_DATA->InMemoryOrderModuleList at +0x14
        PEB   = (void *)pbi.PebBaseAddress;
        Ldr   = *( ( void ** )( ( unsigned char * )PEB + 0x0c ) );
        Flink = *( ( void ** )( ( unsigned char * )Ldr + 0x14 ) );
        p = Flink;
        do
        {
            // Offsets are relative to the InMemoryOrderLinks of each LDR_DATA_TABLE_ENTRY
            BaseAddress = *( ( void ** )( ( unsigned char * )p + 0x10 ) );
            FullDllName = *( ( void ** )( ( unsigned char * )p + 0x20 ) );
            SizeOfImage = *( ( void ** )( ( unsigned char * )p + 0x18 ) );
            if (ThreadContext->Eax >= (DWORD)BaseAddress &&
                ThreadContext->Eax < (DWORD)BaseAddress + (DWORD)SizeOfImage)
            {
                // some processing
                break;
            }
            p = *( ( void ** )p );      // next entry
        }
        // Stop at the list head inside PEB_LDR_DATA (Ldr + 0x14); comparing against the
        // first entry instead would also visit the head as if it were a module
        while ( p != (void *)( ( unsigned char * )Ldr + 0x14 ) );
    }
    return status;
}
```
Now the problem: after doing this the hook function does run, but the line

```c
if (ThreadContext->Eax >= (DWORD)BaseAddress &&
    ThreadContext->Eax < (DWORD)BaseAddress+
```

goes out of bounds and BSODs...
Asking for advice... how do I hook the low-level thread creation functions on Win7 32-bit (ZwCreateThread, NtCreateThreadEx, ...)?
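Why the read faults, and how the check can be done without it, as an added example that is not from the post or its replies: the hook's prototype has eleven parameters like the real ZwCreateThreadEx, so the stack stays balanced and the hook runs, but slots 5 and 6 carry StartRoutine (the thread entry point) and StartContext (the opaque parameter the creator passed), not a CLIENT_ID and a CONTEXT. `ThreadContext->Eax` therefore dereferences StartContext + 0xB0 (the offset of Eax in the x86 CONTEXT) in kernel mode; for a thread created with a NULL parameter that is address 0xB0, hence the bugcheck. The entry point is simply StartRoutine, and the thread ID is available after the original returns by calling ZwQueryInformationThread with ThreadBasicInformation on the returned handle (THREAD_BASIC_INFORMATION.ClientId). The C below compiles on an ordinary host rather than in a driver: it models the argument slots as an array, replaces the real PEB with a constructed loader list whose module bases and sizes are made up, and runs the start-address-in-module check the post wants, stopping at the list head rather than at the first entry. Names such as `MODULE_ENTRY`, `classify_thread_start` and the module values are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post. Host-compilable model of the x86
 * argument layout of ZwCreateThreadEx and of the "does this start address
 * fall inside a loaded module" check, fed from a constructed loader list. */

/* x86 stdcall: ZwCreateThreadEx takes 11 DWORD slots, in this order. */
enum ZwCreateThreadExArg {
    ARG_THREAD_HANDLE,      /* OUT PHANDLE */
    ARG_DESIRED_ACCESS,     /* ACCESS_MASK */
    ARG_OBJECT_ATTRIBUTES,  /* POBJECT_ATTRIBUTES */
    ARG_PROCESS_HANDLE,     /* HANDLE */
    ARG_START_ROUTINE,      /* thread entry point; the post's hook reads this slot as PCLIENT_ID */
    ARG_START_CONTEXT,      /* opaque user pointer; the post's hook reads this slot as PCONTEXT */
    ARG_CREATE_FLAGS,       /* ULONG CreateThreadFlags */
    ARG_ZERO_BITS,
    ARG_STACK_SIZE,
    ARG_MAX_STACK_SIZE,
    ARG_ATTRIBUTE_LIST,
    ARG_COUNT
};

/* Offset of Eax inside the x86 CONTEXT structure. ThreadContext->Eax in the
 * post is really a read of StartContext + 0xB0; with a NULL StartContext
 * that is address 0xB0, which is not mapped. */
#define X86_CONTEXT_EAX_OFFSET 0xB0u

uintptr_t post_hook_eax_read_address(uintptr_t start_context)
{
    return start_context + X86_CONTEXT_EAX_OFFSET;
}

/* Minimal LIST_ENTRY and a loader entry with only the fields the post reads.
 * Field names follow LDR_DATA_TABLE_ENTRY; the raw offsets in the post
 * (+0x10, +0x18, +0x20 from the InMemoryOrder links) are the 32-bit
 * positions of DllBase, SizeOfImage and FullDllName.Buffer. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

typedef struct _MODULE_ENTRY {
    LIST_ENTRY  InMemoryOrderLinks;   /* must stay the first member (cast below) */
    uintptr_t   DllBase;
    uintptr_t   SizeOfImage;
    const char *Name;                 /* stands in for FullDllName */
} MODULE_ENTRY;

/* Walks the circular list hanging off InMemoryOrderModuleList. Terminates on
 * returning to the head, so the head is never read as if it were a module. */
const MODULE_ENTRY *module_for_address(const LIST_ENTRY *head, uintptr_t addr)
{
    for (const LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        const MODULE_ENTRY *m = (const MODULE_ENTRY *)p;
        if (addr >= m->DllBase && addr < m->DllBase + m->SizeOfImage)
            return m;
    }
    return NULL;
}

/* The hook's decision, taken from the correct slot: the new thread's entry
 * point is StartRoutine itself, so no CONTEXT is needed to recover it. */
const MODULE_ENTRY *classify_thread_start(const uintptr_t args[ARG_COUNT],
                                          const LIST_ENTRY *head)
{
    return module_for_address(head, args[ARG_START_ROUTINE]);
}

/* Constructed module list; bases and sizes are made-up sample values. */
static MODULE_ENTRY g_modules[] = {
    { {NULL, NULL}, 0x00400000u, 0x00020000u, "target.exe"   },
    { {NULL, NULL}, 0x77D00000u, 0x0013C000u, "ntdll.dll"    },
    { {NULL, NULL}, 0x76A00000u, 0x00110000u, "kernel32.dll" },
};
static LIST_ENTRY g_list_head;

/* Links the sample entries into a circular list and returns its head. */
const LIST_ENTRY *example_module_list(void)
{
    size_t n = sizeof g_modules / sizeof g_modules[0];
    LIST_ENTRY *prev = &g_list_head;
    for (size_t i = 0; i < n; i++) {
        prev->Flink = &g_modules[i].InMemoryOrderLinks;
        g_modules[i].InMemoryOrderLinks.Blink = prev;
        prev = &g_modules[i].InMemoryOrderLinks;
    }
    prev->Flink = &g_list_head;
    g_list_head.Blink = prev;
    return &g_list_head;
}

int main(void)
{
    const LIST_ENTRY *head = example_module_list();
    /* Two constructed creations: one starting inside kernel32, one starting
     * in memory that belongs to no loaded module (the case a defender flags). */
    uintptr_t in_module[ARG_COUNT] = {0};
    uintptr_t outside[ARG_COUNT]   = {0};
    in_module[ARG_START_ROUTINE] = 0x76A01234u;
    outside[ARG_START_ROUTINE]   = 0x00210000u;

    const MODULE_ENTRY *m = classify_thread_start(in_module, head);
    printf("start 0x%08lx -> %s\n", (unsigned long)in_module[ARG_START_ROUTINE], m ? m->Name : "<no module>");
    m = classify_thread_start(outside, head);
    printf("start 0x%08lx -> %s\n", (unsigned long)outside[ARG_START_ROUTINE], m ? m->Name : "<no module>");
    printf("post's ThreadContext->Eax with NULL StartContext reads address 0x%lx\n",
           (unsigned long)post_hook_eax_read_address(0));
    return 0;
}
```

In a driver the same loop runs over the target process's InMemoryOrderModuleList, in that process's context as the post already checks, and the start address that matches no loaded module is the one worth recording, since threads created by ordinary code usually begin inside a mapped image.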