[Help] NtCreateThread returns error code ffffffff80000002
Posted: 2019-7-8 09:57
On a Windows 2003 system I tested injecting into a process and then using CreateThread to execute shellcode, but when CreateThread runs it calls ntdll!NtCreateThread, which returns an error.
NtCreateThread uses system call number 0x4B, and it seems I cannot step into it to debug; all I end up with is a return value of ffffffff80000002. The debugger output is as follows:
kernel32!CreateRemoteThread+0x1d4:
0033:00000000`77d6b4b3 ff151f64fdff    call    qword ptr [kernel32!_imp_NtCreateThread (00000000`77d418d8)]
kd> t
ntdll!NtCreateThread:
0033:00000000`77ef0ec0 4c8bd1          mov     r10,rcx
kd> r
rax=0000000000e0eda0 rbx=0000000000000000 rcx=0000000000e0ed40
rdx=00000000001f03ff rsi=ffffffffffffffff rdi=0000000000000000
rip=0000000077ef0ec0 rsp=0000000000e0ecf0 rbp=0000000000000000
 r8=0000000000000000  r9=ffffffffffffffff r10=0000000000000000
r11=0000000000000202 r12=0000000000000000 r13=0000000000e2001d
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtCreateThread:
0033:00000000`77ef0ec0 4c8bd1          mov     r10,rcx
kd> p
ntdll!NtCreateThread+0x3:
0033:00000000`77ef0ec3 b84b000000      mov     eax,4Bh
kd> p
ntdll!NtCreateThread+0x8:
0033:00000000`77ef0ec8 0f05            syscall
kd> r
rax=000000000000004b rbx=0000000000000000 rcx=0000000000e0ed40
rdx=00000000001f03ff rsi=ffffffffffffffff rdi=0000000000000000
rip=0000000077ef0ec8 rsp=0000000000e0ecf0 rbp=0000000000000000
 r8=0000000000000000  r9=ffffffffffffffff r10=0000000000e0ed40
r11=0000000000000202 r12=0000000000000000 r13=0000000000e2001d
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtCreateThread+0x8:
0033:00000000`77ef0ec8 0f05            syscall
kd> t
ntdll!NtCreateThread+0xa:
0033:00000000`77ef0eca c3              ret
kd> r
rax=ffffffff80000002 rbx=0000000000000000 rcx=0000000077ef0eca
rdx=0000000000000000 rsi=ffffffffffffffff rdi=0000000000000000
rip=0000000077ef0eca rsp=0000000000e0ecf0 rbp=0000000000000000
 r8=0000000000e0ecf0  r9=0000000000000000 r10=0000000000000000
r11=0000000000000346 r12=0000000000000000 r13=0000000000e2001d
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
Could someone tell me what this error code means, and is there a way to step into the syscall instruction to debug it?