21.driverbase-多线程PsCreateSystemThread

来源：互联网发布：实时大数据平台spark 编辑：程序博客网时间：2024/05/21 11:30

NTKERNELAPINTSTATUSPsCreateSystemThread(    __out PHANDLE ThreadHandle,// 得到新创建的线程句柄    __in ULONG DesiredAccess,// 创建的权限    __in_opt POBJECT_ATTRIBUTES ObjectAttributes,// 线程属性，一般设为NULL    __in_opt  HANDLE ProcessHandle,//为NULL表示创建系统线程，为进程句柄，则新创建的线程属于这个指定的进程，    __out_opt PCLIENT_ID ClientId,    __in PKSTART_ROUTINE StartRoutine,// 新线程进行起始地址    __in_opt PVOID StartContext// 新线程接收的参数    );

如：

#pragma PAGEDCODEVOID SystemThread(IN PVOID pContext){    PEPROCESS pEProcess = IoGetCurrentProcess();    PTSTR ProcessName = (PTSTR)((ULONG)pEProcess+0x174);    KdPrint(("This SystemThread run in %s process",ProcessName));    PsTerminateSystemThread(STATUS_SUCCESS);}#pragma PAGEDCODEVOID MyProcessThread(IN PVOID pContext){    PEPROCESS pEProcess = IoGetCurrentProcess();    PTSTR ProcessName = (PTSTR)((ULONG)pEProcess+0x174);    KdPrint(("This MyProcessThread run in %s process",ProcessName));    PsTerminateSystemThread(STATUS_SUCCESS);}#pragma PAGEDCODEVOID CreateThread_Test(){    HANDLE hSystemThread,hMyThread;    NTSTATUS status = PsCreateSystemThread(&hSystemThread,0,NULL,NULL,NULL,SystemThread,NULL);    status = PsCreateSystemThread(&hMyThread,0,NULL,NtCurrentProcess(),NULL,MyProcessThread,NULL);}

记得CreateThread_Test函数不要在DriverEntry中调用，可以放在IRP_MJ_DEVICE_CONTROL中来触发（NtCurrentProcess()，DriverEntry是属于System进程调用的）

阅读全文

0 0