Unresolved [Help] How can the kernel use NtCreateThread to create a user-mode thread?
Posted on: 2021-3-15 15:36 4097
After I call the NtCreateThread function, the user-mode Test program crashes and disappears immediately.
Could some expert help me fix it, or post an example? The simpler the better.


That is, I want to call the address 0x0040101D the same way it would be called from R3 (user mode):
push 2 // any integer
call 0x0040101D // the address to call remotely

typedef struct _INITIAL_TEB {
    struct {
        PVOID OldStackBase;
        PVOID OldStackLimit;
    } OldInitialTeb;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID StackAllocationBase;
} INITIAL_TEB, *PINITIAL_TEB;
VOID RtlInitializeContext(
    IN HANDLE Process,
    OUT PCONTEXT Context,
    IN PVOID Parameter OPTIONAL,
    IN PVOID InitialPc OPTIONAL,
    IN PVOID InitialSp OPTIONAL
)
{
    // Clear the general-purpose registers of the new thread's initial context
    Context->Rax = 0;
    Context->Rbx = 0;
    // Only one parameter, passed in rcx (first argument of the x64 calling convention)
    Context->Rcx = (ULONG_PTR)Parameter;
    Context->Rdx = 0;
    Context->Rsi = 0;
    Context->Rdi = 0;
    Context->Rbp = 0;
    // Segment registers are left at zero here
    Context->SegGs = 0;
    Context->SegFs = 0;
    Context->SegEs = 0;
    Context->SegDs = 0;
    Context->SegSs = 0;
    Context->SegCs = 0;
    Context->EFlags = 0;
    // Initial stack pointer and entry point (rip) of the new thread
    Context->Rsp = (ULONG_PTR)InitialSp;
    Context->Rip = (ULONG_PTR)InitialPc;
    Context->ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS;
    // Move rsp down by 0x28 bytes: 0x20 bytes of home space for the four
    // register arguments plus an 8-byte return-address slot
    Context->Rsp -= 0x28;
}
// Describe the new thread's stack to NtCreateThread via INITIAL_TEB
void* Stack = NULL;
INITIAL_TEB InitialTeb = { 0 };
InitialTeb.OldInitialTeb.OldStackBase = NULL;
InitialTeb.OldInitialTeb.OldStackLimit = NULL;
InitialTeb.StackAllocationBase = Stack;
InitialTeb.StackBase = (void*)((ULONG64)Stack + 0x2000 - 0x100);
InitialTeb.StackLimit = Stack;
// Commit 0x2000 bytes of read/write memory in the target process for the stack
SIZE_T CommittedStackSize = 0x2000;
NTSTATUS retStatus = ZwAllocateVirtualMemory(hProces, (PVOID*)&Stack, 0, &CommittedStackSize, MEM_COMMIT, PAGE_READWRITE);
if (!NT_SUCCESS(retStatus)) {
    DbgPrint("创建内存失败\n");
    return status;
}
DbgPrint("Stack = %p\n", Stack);
// Build the initial register context: rip = 0x0040101D, rcx = 0, rsp below Stack
CONTEXT context = { 0 };
RtlInitializeContext(hProces, &context, (void*)0, (void*)0x0040101D, (void*)((ULONG64)Stack - 0x100));
// Create the thread in the target process with the prepared context and stack
HANDLE hThread = NULL;
CLIENT_ID cid;
retStatus = pNtCreateThread(&hThread, THREAD_ALL_ACCESS, NULL, hProces, &cid, &context, &InitialTeb, FALSE);
if (!NT_SUCCESS(retStatus)) {
    DbgPrint("创建线程失败 = %08X\n", retStatus);
    return status;
}

Latest replies (1)
???
2021-3-16 11:25