我曾尝试使用NtCreateThreadEx在程序中创建线程。在32位程序上使用NtCreateThreadEx并尝试在另一个32位程序中创建一个线程时,一切正常。但是当我尝试为64位程序做同样的事情时。我收到一个错误。我使用了RtlNtStatusToDosError,我的错误代码是998 - 无法访问内存位置。
有谁知道为什么会这样?
这是我的代码:
#include <Windows.h>
#include <iostream>
using namespace std;
EXTERN_C NTSYSAPI NTSTATUS NTAPI NtCreateThreadEx(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN LPVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN LPTHREAD_START_ROUTINE lpStartAddress,
IN LPVOID lpParameter,
IN BOOL CreateSuspended,
IN ULONG StackZeroBits,
IN ULONG SizeOfStackCommit,
IN ULONG SizeOfStackReserve,
OUT LPVOID lpBytesBuffer
);
struct NtCreateThreadExBuffer
{
ULONG Size;
ULONG Unknown1;
ULONG Unknown2;
PULONG Unknown3;
ULONG Unknown4;
ULONG Unknown5;
ULONG Unknown6;
PULONG Unknown7;
ULONG Unknown8;
};
EXTERN_C NTSYSAPI ULONG NTAPI RtlNtStatusToDosError(NTSTATUS);
#pragma comment(lib, "ntdll.lib")
int main()
{
NtCreateThreadExBuffer ntbuffer;
memset(&ntbuffer, 0, sizeof(NtCreateThreadExBuffer));
LARGE_INTEGER temp1;
LARGE_INTEGER temp2;
memset(&temp1, 0, sizeof(temp1));
memset(&temp2, 0, sizeof(temp2));
ntbuffer.Size = sizeof(NtCreateThreadExBuffer);
ntbuffer.Unknown1 = 0x10003;
ntbuffer.Unknown2 = 0x8;
ntbuffer.Unknown3 = (DWORD*)&temp2;
ntbuffer.Unknown4 = 0;
ntbuffer.Unknown5 = 0x10004;
ntbuffer.Unknown6 = 4;
ntbuffer.Unknown7 = (DWORD*)&temp1;
ntbuffer.Unknown8 = 0;
HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, 0, 12728);
const char p[] = "C:\\Users\\Arush\\Desktop\\test.dll";
LPVOID addr = VirtualAllocEx(proc, 0, sizeof(p), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
WriteProcessMemory(proc, addr, p, sizeof(p), nullptr);
HANDLE thread;
NTSTATUS stats = NtCreateThreadEx(&thread, GENERIC_ALL, nullptr, proc, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32.dll"), "LoadLibraryA"), addr, FALSE, 0, 0, 0, &ntbuffer);
ULONG ERR = RtlNtStatusToDosError(stats);
getchar();
return 0;
}
C ++ / Win32的