thread.cpp
#include <Windows.h>
#include <cstdio>
// Start-routine signature taken by the StartAddress parameter of
// RtlCreateUserThread (declared further down).
typedef NTSTATUS(NTAPI* PUSER_THREAD_START_ROUTINE)(_In_ PVOID ThreadParameter);
// Pseudo-handle value used for the calling process.
// NOTE(review): the expansion is not wrapped in parentheses, so it is only
// safe in contexts where operator precedence cannot regroup it.
#define NtCurrentProcess() (HANDLE)-1
// Reads a pointer-sized slot at a fixed byte offset from NtCurrentTeb():
// 0x58 when _WIN64 is defined, 0x2C otherwise.
// NOTE(review): presumably the TEB's ThreadLocalStoragePointer field; the
// offsets are hard-coded rather than taken from a structure definition, so
// confirm them for every targeted architecture. The expansion is also
// unparenthesized (a trailing postfix operator would bind before the cast).
#ifdef _WIN64
#define NtCurrentThreadLocalStoragePointer() *(LPVOID*)(LPBYTE(NtCurrentTeb()) + 0x58)
#else
#define NtCurrentThreadLocalStoragePointer() *(LPVOID*)(LPBYTE(NtCurrentTeb()) + 0x2C)
#endif
// Local definition of CLIENT_ID (process/thread identifier pair), needed for
// the ClientId out-parameter of RtlCreateUserThread.
typedef struct _CLIENT_ID {
VOID* UniqueProcess;
VOID* UniqueThread;
}CLIENT_ID, * PCLIENT_ID;
// Hand-written prototype for RtlCreateUserThread. Because the declaration
// lives in this file, the compiler cannot check it against the real export;
// a mismatch in parameters or calling convention would only show up at run
// time. The returned NTSTATUS is the only failure signal, and the Thread
// out-parameter should not be trusted unless the call succeeded.
// NOTE(review): the symbol has to resolve at link time, presumably from
// ntdll - confirm the project links it.
extern "C"
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateUserThread(
_In_ HANDLE Process,
_In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
_In_ BOOLEAN CreateSuspended,
_In_opt_ ULONG ZeroBits,
_In_opt_ SIZE_T MaximumStackSize,
_In_opt_ SIZE_T CommittedStackSize,
_In_ PUSER_THREAD_START_ROUTINE StartAddress,
_In_opt_ PVOID Parameter,
_Out_opt_ PHANDLE Thread,
_Out_opt_ PCLIENT_ID ClientId
);
// Per-thread marker. Every thread's copy starts at the initializer below;
// thread() overwrites the calling thread's copy and Thread() checks that its
// own copy still holds the initializer.
static thread_local int x = 0xffccffdd;
// Start routine for the worker thread.
//
// Prints this thread's TLS pointer slot, then reports through the exit code
// whether this thread's copy of x still holds its initializer:
// 0 when it does, 1 when it does not. The PVOID argument is ignored.
NTSTATUS WINAPI Thread(PVOID) {
    LPVOID tlsSlot = NtCurrentThreadLocalStoragePointer();
    printf("[1] ThreadLocalStoragePointer = %p\n", tlsSlot);

    // A value other than the initializer means this thread did not get a
    // freshly initialised copy of the thread_local variable.
    if (x == 0xffccffdd) {
        return 0;
    }
    return 1;
}
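// Runs Thread() on a new thread created with RtlCreateUserThread and returns
// that thread's exit code.
//
// Returns 0 when the new thread saw the initializer value in its own copy of
// x, 1 when it did not, and -1 when the thread could not be created, waited
// for, or queried.
int thread() {
    // Change only the calling thread's copy of x; the worker must not see this.
    x = 2;
    printf("[0] ThreadLocalStoragePointer = %p\n", NtCurrentThreadLocalStoragePointer());

    // Initialised so that a failed call can never leave an indeterminate value
    // to be tested, waited on, or closed as if it were a handle.
    // (CreateThread(nullptr, 0, Thread, nullptr, 0, nullptr) was the earlier,
    // documented way of starting the worker.)
    HANDLE hThread = nullptr;
    NTSTATUS status = RtlCreateUserThread(NtCurrentProcess(), nullptr, FALSE, 0, 0, 0, Thread, nullptr, &hThread, nullptr);

    // Negative NTSTATUS values are failures; the handle is only meaningful on success.
    if (status < 0 || !hThread) {
        return -1;
    }

    DWORD ret = (DWORD)-1;
    // Only trust the exit code when the wait really observed thread termination
    // and the query succeeded; otherwise report failure instead of a stale or
    // still-active value.
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0 || !GetExitCodeThread(hThread, &ret)) {
        ret = (DWORD)-1;
    }

    CloseHandle(hThread);
    return (int)ret;
}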