Thread: native API on Windows NT4 (NtOpenThread)

  1. #1
    NicoDE
    Guest

    native API on Windows NT4 (NtOpenThread)

    I dumped and interpreted the API function OpenThread (in Win2ooo)
    to get OpenThread running on Windows NT4, ok so far so good...

    ( view results: http://www.bendlins.de/nico/stuff/openthrd.htm )

    ...but whatever I try to use as parameter for SecurityQualityOfService
    it does not work (as I expect it should ;-))

    So if somebody can help me with a good link for more information
    or write a few lines as a little explanation - every help is welcome

    Nico_

    post scriptum: sorry for my German English
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    tsehp
    Guest
    Is this parameter present in the Win NT4 headers? Check for winnt.h in the M$ SDK.
    Does this function use Win2000-specific imports? A lot of potential problems could arise in this case.

  3. #3
    NicoDE
    Guest
    Thanks for answering my question (knowing it's not a 100% reversing problem)

    The structures are really old and public through the Windows NT4 DDK.
    You can find NtOpenThread on every 32-bit Windows NT, but it's not documented to this day (and never will be).
    Because Windows 2ooo published OpenThread it's possible to determine how NtOpenThread works by reversing the function.
    In my project I have to use NtOpenThread to fine-tune the access on threads.
    My "only" problem is: I don't know how to use SecurityQualityOfService.
    OK, I can leave it blank, but my aim is to fully _understand_ the function and all of the possible options.

    Nico_

  4. #4
    DinDon
    Guest
    [quote](knowing it's not a 100% reversing problem)[/quote]
    IMHO reversing OSes (especially the closed-source ones) is far more fun than reversing protections...

    [quote]I don't know how to use SecurityQualityOfService.[/quote]
    That structure is documented indeed by Microsoft. Have a look at
    http://msdn.microsoft.com/library/psdk/winbase/accclsrv_4a5u.htm

    I'm afraid you did not correctly reverse the first parameter required by NtOpenThread(). In fact I found that it must be the target Process ID (or 0), and not bInheritHandle!
    In fact, if you set it to 1, the API fails on Windows NT.
    The following C snippet works on Windows NT:

    Code:
    #include <windows.h>
    #include <stdio.h>
    
    /* NtOpenThread(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess,
     *              POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
     * The last two structures are passed here as raw DWORD arrays. */
    typedef DWORD (WINAPI *PNATIVEFUNC)(
        PHANDLE, ACCESS_MASK, PDWORD, PDWORD);
    
    int
    main(void)
    {
        PNATIVEFUNC pNtOpenThread;
        HANDLE ThreadHandle;
        DWORD status;
        DWORD ObjAttr[] = { 0x18 /*length*/, 0, 0, 0, 0, 0 };  // OBJECT_ATTRIBUTES: 6 DWORDs on 32-bit NT
        DWORD Params[2];                                        // CLIENT_ID
    
        Params[0] = 0;    // TargetPID;
        Params[1] = 199;  // TargetTID;
    
        pNtOpenThread = (PNATIVEFUNC)GetProcAddress(
            GetModuleHandle("ntdll"), "NtOpenThread");
        printf("%x\n", pNtOpenThread);
        if (!pNtOpenThread) return 1;  // export not found
    
        status = pNtOpenThread(&ThreadHandle, THREAD_ALL_ACCESS, ObjAttr, Params);
        if (status) printf("%x\n", status);
        else {
            printf("handle %x\n", ThreadHandle);
            while (1) Sleep(10000);  // to see the handle with HandleEx
        }
        return 0;
    }
    Regards.
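
As an added example (not DinDon's code and not from anyone in this thread), here is the same call made with the typed structures from the SDK headers instead of raw DWORD arrays, with SecurityQualityOfService actually filled in; the 4-parameter prototype (handle, access mask, OBJECT_ATTRIBUTES, CLIENT_ID), the SQOS field choices and the helper names prepare_open_thread / open_thread_native are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* OBJECT_ATTRIBUTES, CLIENT_ID, NTSTATUS, NT_SUCCESS */
#else
/* Stand-ins so the structure-filling logic also compiles off Windows
 * (field order mirrors winnt.h / winternl.h; sizes differ on 64-bit hosts). */
typedef void *HANDLE, *PVOID; typedef unsigned long ULONG; typedef unsigned char BOOLEAN;
typedef enum { SecurityAnonymous, SecurityIdentification, SecurityImpersonation,
               SecurityDelegation } SECURITY_IMPERSONATION_LEVEL;
typedef struct { ULONG Length; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
                 BOOLEAN ContextTrackingMode; BOOLEAN EffectiveOnly; } SECURITY_QUALITY_OF_SERVICE;
typedef struct { ULONG Length; HANDLE RootDirectory; PVOID ObjectName; ULONG Attributes;
                 PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES;
typedef struct { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;
#endif

/* Fill what NtOpenThread reads: OBJECT_ATTRIBUTES carrying an explicit
 * SecurityQualityOfService, and CLIENT_ID = (process id or 0, thread id). */
void prepare_open_thread(OBJECT_ATTRIBUTES *oa, SECURITY_QUALITY_OF_SERVICE *sqos,
                         CLIENT_ID *cid, uintptr_t pid, uintptr_t tid)
{
    memset(sqos, 0, sizeof *sqos);
    sqos->Length = sizeof *sqos;                  /* 12 bytes on 32-bit NT */
    sqos->ImpersonationLevel = SecurityImpersonation;
    sqos->ContextTrackingMode = 0;                /* SECURITY_STATIC_TRACKING */
    sqos->EffectiveOnly = 1;                      /* expose only currently enabled groups/privileges */
    memset(oa, 0, sizeof *oa);                    /* no ObjectName: the lookup goes by CLIENT_ID */
    oa->Length = sizeof *oa;                      /* 0x18 on 32-bit NT, the value in the snippet above */
    oa->SecurityQualityOfService = sqos;
    cid->UniqueProcess = (HANDLE)pid;             /* 0: do not constrain the owning process */
    cid->UniqueThread  = (HANDLE)tid;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *PFN_NtOpenThread)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);

/* NtOpenThread is exported by ntdll but not declared in the public SDK headers, so resolve it at run time. */
NTSTATUS open_thread_native(HANDLE *out, DWORD pid, DWORD tid)
{
    OBJECT_ATTRIBUTES oa; SECURITY_QUALITY_OF_SERVICE sqos; CLIENT_ID cid;
    PFN_NtOpenThread fn = (PFN_NtOpenThread)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtOpenThread");
    if (!fn) return (NTSTATUS)0xC0000139L;        /* STATUS_ENTRYPOINT_NOT_FOUND */
    prepare_open_thread(&oa, &sqos, &cid, pid, tid);
    return fn(out, THREAD_QUERY_INFORMATION, &oa, &cid);
}
#endif
```

On Windows, open_thread_native(&h, 0, GetCurrentThreadId()) should return a status for which NT_SUCCESS(st) holds (remember to CloseHandle(h)); off Windows only the structure-filling part compiles.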

  5. #5
    NicoDE
    Guest
    Many thanks for your help!

    The last (first pushed reference) parameter is a CLIENT_ID, you are right.
    How blind a man can be. Don't know why I did not find this in the PSDK (less sleep?).

    Nico_
