Continuing: Injecting from Ring0 into Ring3

2010-3-16 Nie.Meining Coding

While looking through the WRK I happened to notice a function named RtlCreateUserThread, declared as follows:

NTSTATUS RtlCreateUserThread(
    IN HANDLE Process,
    IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL,
    IN BOOLEAN CreateSuspended,
    IN ULONG ZeroBits OPTIONAL,
    IN SIZE_T MaximumStackSize OPTIONAL,
    IN SIZE_T CommittedStackSize OPTIONAL,
    IN PUSER_THREAD_START_ROUTINE StartAddress,
    IN PVOID Parameter OPTIONAL,
    OUT PHANDLE Thread OPTIONAL,
    OUT PCLIENT_ID ClientId OPTIONAL
    );

/*++

Routine Description:

    This function creates a user mode thread in a user process. The caller
    specifies the attributes of the new thread. A handle to the thread, along
    with its Client Id, are returned to the caller.

Arguments:

    Process - Handle to the target process in which to create the new thread.

    ThreadSecurityDescriptor - An optional pointer to the Security Descriptor
        given to the new thread.

    CreateSuspended - A boolean parameter that specifies whether or not the new
        thread is to be created suspended. If TRUE, the new thread will be
        created with an initial suspend count of 1. If FALSE, then the new
        thread will be ready to run when this call returns.

    ZeroBits - This parameter is passed to the virtual memory manager when the
        stack is allocated. Stacks are always allocated with the MEM_TOP_DOWN
        allocation attribute.

    MaximumStackSize - This is the maximum size of the stack. This size will be
        rounded up to the next highest page boundary. If zero is specified,
        then the default size will be 64K bytes.

    CommittedStackSize - This is the initial committed size of the stack. This
        size is rounded up to the next highest page boundary and then an
        additional page is added for the guard page. The resulting size will
        then be committed and the guard page protection initialized for the
        last committed page in the stack.

    StartAddress - The initial starting address of the thread.

    Parameter - An optional pointer to a 32-bit pointer parameter that is
        passed as a single argument to the procedure at the start address
        location.

    Thread - An optional pointer that, if specified, points to a variable that
        will receive the handle of the new thread.

    ClientId - An optional pointer that, if specified, points to a variable
        that will receive the Client Id of the new thread.

--*/

By comparison, queuing APCs and the like is far more cumbersome. Unfortunately this function is not exported, so you have to locate it yourself.

Baidu Space has no attachment upload feature, so I couldn't be bothered to post the test code.
