Ask about NtCreateThreadEx in Windows 7 x64!


Problem description

I have used NtCreateThreadEx on Windows 7 x32 and it worked.
But on Windows 7 x64 I couldn't. It failed with error: 0xC0000005 Access Violation.

It may be failing at the struct NtCreateTheadExBuffer, but I can't figure it out.

Please help me.

My source is below:




    typedef struct
    {
        ULONG Size;
        ULONG Unknown1;
        ULONG Unknown2;
        PULONG Unknown3;
        ULONG Unknown4;
        ULONG Unknown5;
        ULONG Unknown6;
        PULONG Unknown7;
        ULONG Unknown8;
    } NtCreateTheadExBuffer;

    typedef DWORD WINAPI NtCreateThreadExProc(PHANDLE, ACCESS_MASK, LPVOID, HANDLE, LPTHREAD_START_ROUTINE, LPVOID, BOOL, DWORD, DWORD, DWORD, LPVOID);

    HANDLE NtCreateThreadEx(HANDLE hProcess, LPVOID lpRemoteThreadStart, LPVOID lpRemoteCallback)
    {
        HANDLE hRemoteThread = NULL;

        ULONG dw0 = 0, dw1 = 0;
        NtCreateTheadExBuffer Buffer;
        memset(&Buffer, 0, sizeof(NtCreateTheadExBuffer));

        Buffer.Size = sizeof(NtCreateTheadExBuffer);
        Buffer.Unknown1 = 0x10006;
        Buffer.Unknown2 = 0x16;
        Buffer.Unknown3 = &dw1;
        Buffer.Unknown4 = 0;
        Buffer.Unknown5 = 0x10008;
        Buffer.Unknown6 = 8;
        Buffer.Unknown7 = &dw0;
        Buffer.Unknown8 = 0;

        NtCreateThreadExProc *NtCreateThreadX =
            (NtCreateThreadExProc*)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");

        if(NtCreateThreadX == NULL)
            return NULL;

        DWORD dw = 0;
        if(!SUCCEEDED(dw = NtCreateThreadX(
            &hRemoteThread, //THREAD_ALL_ACCESS, // STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
            0x1FFFFF, // All access
            NULL,
            hProcess,
            (LPTHREAD_START_ROUTINE)lpRemoteThreadStart,
            lpRemoteCallback,
            FALSE,
            NULL,
            NULL,
            NULL, //NULL
            &Buffer
            )))
        {
            return NULL;
        }

        return hRemoteThread;
    }

Recommended answer

Sounds silly, but are you trying to cross the 32-bit/64-bit boundary? If you are trying to inject a thread from a 32-bit process into a 64-bit process, this will fail. You'll need to compile as 64-bit if that is the case and all will work.
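
The question suspects the NtCreateTheadExBuffer struct. The following added example (not code from the question or the answer) models that struct with fixed-width types to show how its field offsets and size change between a 32-bit and a 64-bit Windows build, where ULONG stays 4 bytes and PULONG grows to 8. The names Buffer32, Buffer64 and the helper functions are illustrative assumptions, and the page does not establish which layout the system call expects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example: the question's struct modelled with fixed-width types.
   ULONG is 4 bytes in both builds; PULONG is 4 (x86) or 8, 8-aligned (x64). */
typedef struct {
    uint32_t Size, Unknown1, Unknown2;
    uint32_t Unknown3;                    /* PULONG, 32-bit build */
    uint32_t Unknown4, Unknown5, Unknown6;
    uint32_t Unknown7;                    /* PULONG, 32-bit build */
    uint32_t Unknown8;
} Buffer32;                               /* hypothetical name */

typedef struct {
    uint32_t Size, Unknown1, Unknown2;
    _Alignas(8) uint64_t Unknown3;        /* PULONG, 64-bit build */
    uint32_t Unknown4, Unknown5, Unknown6;
    _Alignas(8) uint64_t Unknown7;        /* PULONG, 64-bit build */
    uint32_t Unknown8;
} Buffer64;                               /* hypothetical name */

#define OFFS(T) { offsetof(T, Size), offsetof(T, Unknown1), offsetof(T, Unknown2), \
    offsetof(T, Unknown3), offsetof(T, Unknown4), offsetof(T, Unknown5),           \
    offsetof(T, Unknown6), offsetof(T, Unknown7), offsetof(T, Unknown8) }
enum { NFIELDS = 9 };
static const size_t OFF32[NFIELDS] = OFFS(Buffer32);
static const size_t OFF64[NFIELDS] = OFFS(Buffer64);

size_t layout_size(int bits) { return bits == 64 ? sizeof(Buffer64) : sizeof(Buffer32); }
size_t field_offset(int bits, int i) { return bits == 64 ? OFF64[i] : OFF32[i]; }

/* Index of the first field whose offset differs between the builds, or -1. */
int first_divergent_field(void) {
    for (int i = 0; i < NFIELDS; i++)
        if (OFF32[i] != OFF64[i]) return i;
    return -1;
}

/* Compiler-inserted padding: total size minus the sum of the field sizes. */
size_t padding_bytes(int bits) {
    return layout_size(bits) - (7 * sizeof(uint32_t) + 2 * (bits == 64 ? 8u : 4u));
}

int main(void) {
    for (int i = 0; i < NFIELDS; i++)
        printf("field %d: x86 offset %2zu, x64 offset %2zu\n", i, OFF32[i], OFF64[i]);
    printf("sizeof: x86 %zu, x64 %zu\n", layout_size(32), layout_size(64));
    return 0;
}
```

The two layouts agree only for the first three fields; from Unknown3 onward every offset shifts, and the 64-bit form carries 12 bytes of padding.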

