关于PsCreateSystemThread函数

研究了1天这个。。。MSDN说的不是很清楚
NTSTATUS PsCreateSystemThread(
  _Out_      PHANDLE ThreadHandle,
  _In_       ULONG DesiredAccess,
  _In_opt_   POBJECT_ATTRIBUTES ObjectAttributes,
  _In_opt_   HANDLE ProcessHandle,
  _Out_opt_  PCLIENT_ID ClientId,
  _In_       PKSTART_ROUTINE StartRoutine,
  _In_opt_   PVOID StartContext
);

该函数用于创建系统线程,ProcessHandle参数接收NULL,     NtCurrentProcess() (-1)   ,或指定进程句柄 三种情况  都可以用PsTerminateSystemThread结束掉
示例:

[C++] 纯文本查看 复制代码
01 VOID MyThread(PVOID StartContext)
02 {
03     PEPROCESS pp=IoGetCurrentProcess();
04     NTSTATUS status=PsTerminateSystemThread(0);
05 //以下实际上已经不执行了
06     if(status == STATUS_INVALID_PARAMETER)
07     {
08         KdPrint(("not systemthread"));
09     }
10 }
11  
12 HANDLE OpenProcess(HANDLE  Processid)
13 {
14     NTSTATUS status;
15     PEPROCESS Process = NULL;
16     HANDLE hProcess = NULL;
17     UNICODE_STRING Unicode;
18     status = PsLookupProcessByProcessId(Processid, &Process);
19     if (NT_SUCCESS(status))//判断进程号是否存在
20     {
21         RtlInitUnicodeString(&Unicode, L"PsProcessType");
22         //得到系统导出函数的地址和用户态的GetProcessAddress雷同
23         PsProcessType = (POBJECT_TYPE*)MmGetSystemRoutineAddress(&Unicode);
24         if (PsProcessType)
25         {
26             status = ObOpenObjectByPointer(Process,0,NULL,PROCESS_ALL_ACCESS,(POBJECT_TYPE) * PsProcessType,
27                 KernelMode,&hProcess);
28             if (NT_SUCCESS(status))
29             {
30                 //减少指针计数
31                 ObfDereferenceObject(Process);
32                 return hProcess;
33             }
34         }
35         ObfDereferenceObject(Process);
36     }
37     return 0;
38 }
39  
40 HANDLE outthread1,,outthread2,outthread3,outthread4,hproc;
41  
42 PsCreateSystemThread(&outthread1,THREAD_ALL_ACCESS,NULL,NULL,NULL,MyThread,NULL);
43 PsCreateSystemThread(&outthread2,THREAD_ALL_ACCESS,NULL,NtCurrentProcess(),NULL,MyThread,NULL);
44  
45 OBJECT_ATTRIBUTES oa;
46 CLIENT_ID ci={(HANDLE)1472,0};//注意是进程ID!
47 RtlZeroMemory(&oa,sizeof(oa));
48 oa.Length=sizeof(oa);
49 ZwOpenProcess(&hproc,PROCESS_ALL_ACCESS,&oa,&ci);
50 PsCreateSystemThread(&outthread3,THREAD_ALL_ACCESS,NULL,hproc,NULL,MyThread,NULL);
51  
52 hproc=OpenProcess((HANDLE)1472);//注意是进程ID!
53 PsCreateSystemThread(&outthread4,THREAD_ALL_ACCESS,NULL,hproc,NULL,MyThread,NULL);





该函数创建的线程,其PETHRAD属性的CrossThreadFlags有PS_CROSS_THREAD_FLAGS_SYSTEM属性,不允许以挂起模式创建线程,,其他和普通的NtCreateThread差别不大!
然而在微软官方源码中,PS_CROSS_THREAD_FLAGS_SYSTEM属性即为SystemThread,尽管其所属进程可能是explorer.exe  

https://www.0xaa55.com/forum.php?mod=viewthread&tid=1376&extra=page%3D6

相关文章:

  • 2022-01-25
  • 2021-08-26
  • 2021-12-11
  • 2022-01-11
  • 2022-01-07
  • 2021-07-04
  • 2021-07-08
  • 2021-05-27
猜你喜欢
  • 2022-12-23
  • 2021-11-30
  • 2022-12-23
  • 2021-09-20
  • 2021-10-24
  • 2021-09-25
  • 2021-06-24
相关资源
相似解决方案
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode