How to create a thread using ZwCreateThreadEx correctly and wait for its completion?

  • Question

  • I put together the code below, where I try to create a thread using the ZwCreateThreadEx function, and I want to know how to do this correctly and wait for its completion.

    #include <ntddk.h>
    #include <WinDef.h>

    NTSTATUS NTAPI ZwCreateThreadEx(
        OUT PHANDLE ThreadHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        IN HANDLE ProcessHandle,
        IN LPVOID lpStartAddress,
        IN LPVOID lpParameter,
        IN BOOL CreateSuspended,
        IN ULONG StackZeroBits,
        IN ULONG SizeOfStackCommit,
        IN ULONG SizeOfStackReserve,
        OUT LPVOID lpBytesBuffer);

    typedef DWORD (__stdcall *LPTHREAD_START_ROUTINE)(LPVOID lpThreadParameter);

    #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004

    typedef struct ARGS {
        HANDLE h;
        UNICODE_STRING str;
    } ARGS;

    void WINAPI ContinueExecution(LPVOID param)
    {
        ARGS *pArgs = (ARGS*)param;
        DbgPrint("Thread: %d | %wZ \n", pArgs->h, &pArgs->str);
    }

    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
    {
        HANDLE hThread = 0;
        ARGS args;
        args.h = 123;
        args.str = any UNICODE_STRING value;

        NTSTATUS ntStat = ZwCreateThreadEx(&hThread, THREAD_ALL_ACCESS, 0, ZwCurrentProcess(),
                                           (LPTHREAD_START_ROUTINE)ContinueExecution, &args,
                                           THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, 0, 0, 0, 0);
        if (ntStat >= 0) {
            KeWaitForSingleObject(hThread, INFINITE);
            ZwClose(hThread);
        } else {
            DbgPrint("ZwCreateThreadEx failed!");
        }
        return STATUS_SUCCESS;
    }




    • Edited by FLASHCODER Sunday, April 22, 2018 2:08 PM
    Sunday, April 22, 2018 2:06 PM

All replies

  • Well, the obvious problem here is the code KeWaitForSingleObject(hThread, INFINITE), for two major reasons:

    1. KeWaitForSingleObject takes an object pointer, not an object handle.
    2. Waiting on a thread object returns when the thread has terminated.

    Normally, people issue the ZwCreateThreadEx call and just expect it to work (assuming the status returned is good). Typically you create the thread and then have other synchronization objects, if needed, to indicate the thread is ready to do work for you.



    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by FLASHCODER Sunday, April 22, 2018 5:59 PM
    Sunday, April 22, 2018 2:57 PM
  • Well, the obvious problem here is the code KeWaitForSingleObject(hThread, INFINITE), for two major reasons:

    1. KeWaitForSingleObject takes an object pointer, not an object handle.
    2. Waiting on a thread object returns when the thread has terminated.

    Normally, people issue the ZwCreateThreadEx call and just expect it to work (assuming the status returned is good). Typically you create the thread and then have other synchronization objects, if needed, to indicate the thread is ready to do work for you.

    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    OK, and for the last parameter, is the correct thing to insert a value equivalent to INFINITE?
    Sunday, April 22, 2018 4:24 PM
  • Nope, INFINITE should be NULL. The second parameter to KeWaitForSingleObject is a pointer to a LARGE_INTEGER.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by FLASHCODER Sunday, April 22, 2018 5:59 PM
    Sunday, April 22, 2018 4:49 PM
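
Putting the two answers above together as one working driver fragment, added here as an example and not code from the original thread or from either poster. It swaps the undocumented ZwCreateThreadEx for the documented PsCreateSystemThread, which is an assumption about what the questioner actually needs; the wait pattern is the same for any thread handle. The three points it demonstrates: the handle is turned into a referenced object pointer with ObReferenceObjectByHandle before waiting; KeWaitForSingleObject takes five parameters (Object, WaitReason, WaitMode, Alertable, Timeout) and a NULL Timeout, the last parameter, means wait forever; the wait returns once the thread has terminated, after which the object reference is dropped. The names WORK_CONTEXT, WorkerThread and RunWorkerAndWait and the string "constructed sample" are mine, not anything from the thread. It is kernel-mode code and builds only with the WDK.

```c
// Added example (not from the original thread): create a system thread and
// wait until it has terminated. Uses the documented PsCreateSystemThread
// rather than ZwCreateThreadEx (an assumption); the handle -> object -> wait
// pattern below applies to a thread handle from either call.
#include <ntddk.h>

// Context handed to the worker. It lives on the creator's stack, which is
// only safe because the creator waits for the thread before returning.
typedef struct _WORK_CONTEXT {
    ULONG          Id;
    UNICODE_STRING Name;
    NTSTATUS       Result;   // written by the thread, read after the wait
} WORK_CONTEXT, *PWORK_CONTEXT;

// Thread entry point; the signature must match KSTART_ROUTINE (VOID, PVOID).
static VOID WorkerThread(_In_ PVOID StartContext)
{
    PWORK_CONTEXT ctx = (PWORK_CONTEXT)StartContext;

    DbgPrint("Thread %lu: %wZ\n", ctx->Id, &ctx->Name);
    ctx->Result = STATUS_SUCCESS;

    // A system thread ends itself; termination signals the thread object.
    PsTerminateSystemThread(STATUS_SUCCESS);
}

// Creates the worker, blocks until it has terminated, returns its result.
// Must run at PASSIVE_LEVEL (thread creation, ZwClose and the wait need it).
static NTSTATUS RunWorkerAndWait(_Inout_ PWORK_CONTEXT Context)
{
    OBJECT_ATTRIBUTES oa;
    HANDLE            threadHandle = NULL;
    PETHREAD          threadObject = NULL;
    NTSTATUS          status;

    // OBJ_KERNEL_HANDLE puts the handle in the system handle table, so
    // user-mode code in the current process cannot reach or close it.
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    // ProcessHandle NULL: the thread runs in the System process.
    status = PsCreateSystemThread(&threadHandle, THREAD_ALL_ACCESS, &oa,
                                  NULL, NULL, WorkerThread, Context);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    // KeWaitForSingleObject takes a pointer to the dispatcher object, not a
    // handle: translate the handle into a referenced thread object first.
    status = ObReferenceObjectByHandle(threadHandle, THREAD_ALL_ACCESS,
                                       *PsThreadType, KernelMode,
                                       (PVOID *)&threadObject, NULL);
    ZwClose(threadHandle);   // the object reference, not the handle, is kept
    if (!NT_SUCCESS(status)) {
        // Not expected for a handle we just created. If it did happen the
        // thread would outlive Context, so the caller must treat this as fatal.
        return status;
    }

    // The thread object becomes signaled when the thread terminates. Timeout
    // is the fifth parameter; NULL waits indefinitely. INFINITE is a
    // user-mode DWORD and is not valid here.
    KeWaitForSingleObject(threadObject, Executive, KernelMode, FALSE, NULL);
    ObDereferenceObject(threadObject);

    return Context->Result;
}

NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    WORK_CONTEXT ctx;
    NTSTATUS     status;

    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    RtlZeroMemory(&ctx, sizeof(ctx));
    ctx.Id = 123;
    RtlInitUnicodeString(&ctx.Name, L"constructed sample");  // constructed input

    status = RunWorkerAndWait(&ctx);
    DbgPrint("Worker finished with status 0x%08X\n", status);

    // The thread has exited before we get here, so nothing still points at ctx.
    return status;
}
```

Two caveats worth keeping in mind with this pattern. The context struct sits on DriverEntry's stack, exactly as in the question; that is only correct because the creator waits for the thread before returning, and if you ever drop the wait (for example to let the thread run for the driver's lifetime) the context must move to non-paged pool. The OBJ_KERNEL_HANDLE flag matters for the same reason the first answer gives for handles versus objects: a handle created without it lands in the handle table of whatever process happens to be current, where user-mode code with the right access could close or duplicate it.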