最近，我研究了dll注入技术并对其进行了测试。其中之一是通过CreateRemoteThread和NtCreateThreadEx进行的dll注入。我调查了CreateRemoteThread，并发现它在内部称为NtCreateThreadEx。问题是，CreateRemoteThread可以正常工作，但NtCreateThreadEx不能正常工作。代码如下。

struct NtCreateThreadExBuffer {
    ULONG Size;
    ULONG Unknown1;
    ULONG Unknown2;
    PULONG Unknown3;
    ULONG Unknown4;
    ULONG Unknown5;
    ULONG Unknown6;
    PULONG Unknown7;
    ULONG Unknown8;
};

typedef NTSTATUS(WINAPI *LPFUN_NtCreateThreadEx) (
    OUT PHANDLE hThread,IN ACCESS_MASK DesiredAccess,IN LPVOID ObjectAttributes,IN HANDLE ProcessHandle,IN LPTHREAD_START_ROUTINE lpStartAddress,IN LPVOID lpParameter,IN BOOL CreateSuspended,IN ULONG StackZeroBits,IN ULONG SizeOfStackCommit,IN ULONG SizeOfStackReserve,OUT LPVOID lpBytesBuffer
    );

...
HMODULE ntdll = GetModuleHandle(L"ntdll.dll");
HMODULE kernel32 = GetModuleHandle(L"kernel32.dll");
PTHREAD_START_ROUTINE ntCreateThreadExAddr = (PTHREAD_START_ROUTINE)GetProcAddress(ntdll,"NtCreateThreadEx");
lpfnLoadLibrary = GetProcAddress(kernel32,"LoadLibraryA");
NtCreateThreadExBuffer ntbuffer;
DWORD dwTmp1 = 0;
DWORD dwTmp2 = 0;
    
memset(&ntbuffer,sizeof(NtCreateThreadExBuffer));
if (ntCreateThreadExAddr)
{
            ntbuffer.Size = sizeof(struct NtCreateThreadExBuffer);
            ntbuffer.Unknown1 = 0x10003;
            ntbuffer.Unknown2 = 0x8;
            ntbuffer.Unknown3 = &dwTmp2;
            ntbuffer.Unknown4 = 0;
            ntbuffer.Unknown5 = 0x10004;
            ntbuffer.Unknown6 = 4;
            ntbuffer.Unknown7 = &dwTmp1;
            ntbuffer.Unknown8 = 0;

        LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx)ntCreateThreadExAddr;
    
        NTSTATUS status = 0;
        status = funNtCreateThreadEx(
                &hThread,0x1FFFFF,NULL,hCurrp,(LPTHREAD_START_ROUTINE)lpfnLoadLibrary,(LPVOID)param,FALSE,&ntbuffer
            );  
}

此代码的有趣之处在于错误代码为31，状态为-1073741819。如果有人知道这一点，请教我。预先感谢。

解决方法

暂无找到可以解决该程序问题的有效方法，小编努力寻找整理中！

如果你已经找到好的解决方法，欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@）