Thread: ntdll.RtlCreateUserThread problem

  1. #1
    vadimpo
    Guest

    ntdll.RtlCreateUserThread problem

    Hi,
    I need help with the RtlCreateUserThread function.
    The program that I am reversing uses this function to start a new thread. As I understand it, the program WriteMemory to the memory space of another process first and then passes the handler of this process to RtlCreateUserThread.
    The question is: how can I continue following the program flow in the created thread?

    Thanks in advance.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    search the forum for my posts..you fail at that area..but i am kind..

    bp on LdrpCallInitRoutine..in the injected process the thread is running it before the thread is injected..

    method 2
    bp just after VirtualAllocEx, get the address of the memory to be written to, and bp on that area in the 'injected process'..

    BanMe
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  3. #3
    vadimpo
    Guest
    Thanks, man.
    I'm new here. Didn't find it before.

  4. #4
    |< x != '+' BanMe's Avatar
    that is no excuse..just know that 'others' will not be as 'nice' about it as I am..but everybody gets 1..next time I won't be so kind..if I see a lack of 'seeking' the answer yourself.

    regards BanMe

  5. #5
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    wouldn't it be easier to just set a breakpoint on the start address of the new thread? (it's the 7th argument to RtlCreateUserThread)
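
Added example, not part of any post in this thread: a small Python helper that reads an API trace of the analysed program and reports, for each RtlCreateUserThread call, the start address (7th argument) to break on in the target process, and whether it lies inside a buffer previously written with WriteProcessMemory. The trace format, handles and addresses are constructed for illustration, and the positional argument order of the undocumented RtlCreateUserThread is assumed from the commonly published prototype.

```python
import re

# Constructed API-trace lines (hypothetical logger format: name(args) = return).
TRACE = """\
VirtualAllocEx(0x1f4, 0x0, 0x1000, 0x3000, 0x40) = 0xa30000
WriteProcessMemory(0x1f4, 0xa30000, 0x12f000, 0x200, 0x0) = 0x1
RtlCreateUserThread(0x1f4, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa30040, 0x0, 0x12f9a0, 0x12f9a8) = 0x0
WriteProcessMemory(0x2c8, 0xb10000, 0x12f400, 0x20, 0x0) = 0x1
RtlCreateUserThread(0x2c8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7c801d7b, 0xb10000, 0x12f9b0, 0x12f9b8) = 0x0
"""

CALL = re.compile(r"^(\w+)\((.*)\)\s*=\s*(0x[0-9a-fA-F]+)$")

def parse(trace):
    """Yield (api_name, [int args], int return) for each well-formed line."""
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if m:
            args = [int(a, 16) for a in m.group(2).split(",")]
            yield m.group(1), args, int(m.group(3), 16)

def remote_thread_starts(trace):
    """Return one record per RtlCreateUserThread call: the target process
    handle, the StartAddress (7th argument), and whether that address lies
    inside bytes previously written to the same handle."""
    written = {}  # process handle -> list of (base, size) written regions
    results = []
    for name, args, _ret in parse(trace):
        if name == "WriteProcessMemory" and len(args) >= 4:
            written.setdefault(args[0], []).append((args[1], args[3]))
        elif name == "RtlCreateUserThread" and len(args) >= 7:
            handle, start = args[0], args[6]
            inside = any(b <= start < b + n for b, n in written.get(handle, []))
            results.append({"handle": handle, "start": start,
                            "in_written_region": inside})
    return results

if __name__ == "__main__":
    for r in remote_thread_starts(TRACE):
        where = "written buffer" if r["in_written_region"] else "existing code"
        print(f"handle {r['handle']:#x}: break at {r['start']:#x} ({where})")
```

When the start address is not inside a written region, as in the second constructed call, the new thread begins in code already mapped in the target, and the written buffer is reached through the 8th argument (the thread parameter) instead.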
