  • 关于PsCreateSystemThread函数

    研究了 1 天这个……MSDN 说的不是很清楚。
    NTSTATUS PsCreateSystemThread(
      _Out_      PHANDLE ThreadHandle,
      _In_       ULONG DesiredAccess,
      _In_opt_   POBJECT_ATTRIBUTES ObjectAttributes,
      _In_opt_   HANDLE ProcessHandle,
      _Out_opt_  PCLIENT_ID ClientId,
      _In_       PKSTART_ROUTINE StartRoutine,
      _In_opt_   PVOID StartContext
    );

    该函数用于创建系统线程。ProcessHandle 参数可以传 NULL、NtCurrentProcess()(即 (HANDLE)-1)或指定的进程句柄;这三种情况下创建出的线程都可以用 PsTerminateSystemThread 结束。
    示例:

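    /*
     * Thread start routine handed to PsCreateSystemThread (PKSTART_ROUTINE shape).
     *
     * StartContext: the StartContext argument given to PsCreateSystemThread; unused here.
     *
     * PsTerminateSystemThread only returns to its caller when the current thread is
     * not a system thread; otherwise the thread is gone and nothing below the call runs.
     */
    VOID MyThread(PVOID StartContext)
    {
        UNREFERENCED_PARAMETER(StartContext);

        /* Exit status 0 (STATUS_SUCCESS) is what the thread reports on termination. */
        NTSTATUS status = PsTerminateSystemThread(0);

        /* Reached only when the call failed because this is not a system thread. */
        if (status == STATUS_INVALID_PARAMETER)
        {
            KdPrint(("not systemthread"));
        }
    }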
    11  
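    /*
     * Open a PROCESS_ALL_ACCESS handle to the process with the given process ID.
     *
     * Processid: a process ID (not a handle), as accepted by PsLookupProcessByProcessId.
     * Returns:   a kernel handle on success, NULL if no such process exists or the open fails.
     *            The caller owns the handle and must release it with ZwClose.
     */
    HANDLE OpenProcess(HANDLE Processid)
    {
        PEPROCESS Process = NULL;
        HANDLE hProcess = NULL;
        UNICODE_STRING Unicode;
        POBJECT_TYPE *pProcessType = NULL;
        NTSTATUS status;

        /* Fails when no process with that ID exists; on success it holds a reference on Process. */
        status = PsLookupProcessByProcessId(Processid, &Process);
        if (!NT_SUCCESS(status))
        {
            return NULL;
        }

        /* Resolve the exported PsProcessType variable by name (the kernel-mode analogue of
         * GetProcAddress) into a local, instead of writing over the global of the same name. */
        RtlInitUnicodeString(&Unicode, L"PsProcessType");
        pProcessType = (POBJECT_TYPE *)MmGetSystemRoutineAddress(&Unicode);
        if (pProcessType != NULL)
        {
            /* OBJ_KERNEL_HANDLE keeps the handle out of the current (possibly user-mode)
             * process's handle table. Since AccessMode is KernelMode, no access check is
             * performed, so a handle landing in a user process's table would hand that
             * process PROCESS_ALL_ACCESS it never qualified for. */
            status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS,
                                           *pProcessType, KernelMode, &hProcess);
            if (!NT_SUCCESS(status))
            {
                hProcess = NULL;
            }
        }

        /* Drop the reference taken by PsLookupProcessByProcessId on every path. */
        ObfDereferenceObject(Process);
        return hProcess;
    }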
    39  
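    HANDLE outthread1 = NULL, outthread2 = NULL, outthread3 = NULL, outthread4 = NULL, hproc = NULL;
    NTSTATUS status;

    /* ProcessHandle == NULL: the thread is created in the System process.
     * Every handle PsCreateSystemThread returns is owned by us; closing it does not
     * stop the thread, it only releases the handle. */
    status = PsCreateSystemThread(&outthread1, THREAD_ALL_ACCESS, NULL, NULL, NULL, MyThread, NULL);
    if (NT_SUCCESS(status))
    {
        ZwClose(outthread1);
    }

    /* ProcessHandle == NtCurrentProcess() ((HANDLE)-1): the thread is created in the current process. */
    status = PsCreateSystemThread(&outthread2, THREAD_ALL_ACCESS, NULL, NtCurrentProcess(), NULL, MyThread, NULL);
    if (NT_SUCCESS(status))
    {
        ZwClose(outthread2);
    }

    /* Explicit process handle obtained with ZwOpenProcess.
     * CLIENT_ID.UniqueProcess holds a process ID, not a thread ID.
     * OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle table. */
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID ci = { (HANDLE)1472, 0 };
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenProcess(&hproc, PROCESS_ALL_ACCESS, &oa, &ci);
    if (NT_SUCCESS(status))
    {
        status = PsCreateSystemThread(&outthread3, THREAD_ALL_ACCESS, NULL, hproc, NULL, MyThread, NULL);
        if (NT_SUCCESS(status))
        {
            ZwClose(outthread3);
        }
        ZwClose(hproc);
        hproc = NULL;
    }

    /* Explicit process handle obtained with the OpenProcess helper above; it also takes a process ID. */
    hproc = OpenProcess((HANDLE)1472);
    if (hproc != NULL)
    {
        status = PsCreateSystemThread(&outthread4, THREAD_ALL_ACCESS, NULL, hproc, NULL, MyThread, NULL);
        if (NT_SUCCESS(status))
        {
            ZwClose(outthread4);
        }
        ZwClose(hproc);
        hproc = NULL;
    }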





    该函数创建的线程,其 ETHREAD 结构的 CrossThreadFlags 带有 PS_CROSS_THREAD_FLAGS_SYSTEM 标志,且不允许以挂起模式创建;其他方面和普通的 NtCreateThread 差别不大。
    而在微软官方源码中,带有 PS_CROSS_THREAD_FLAGS_SYSTEM 标志的线程即被视为 SystemThread,尽管其所属进程可能是 explorer.exe。

    https://www.0xaa55.com/forum.php?mod=viewthread&tid=1376&extra=page%3D6

  • 原文地址:https://www.cnblogs.com/findumars/p/5557152.html