
View Full Version : native API on Windows NT4 (NtOpenThread)


NicoDE
December 12th, 2000, 08:09
I dumped and interpreted the API function OpenThread (in Win2ooo)
to get OpenThread running on Windows NT4, ok so far so good...

( view results: http://www.bendlins.de/nico/stuff/openthrd.htm )

...but whatever I try to use as parameter for SecurityQualityOfService
it does not work (as I expect it should ;-))

So if somebody can help me with a good link for more information
or write a few lines as a little explanation - every help is welcome

Nico_

post scriptum: sorry for my German English

tsehp
December 13th, 2000, 02:46
is this parameter present in the win nt4 headers ? check for winnt.h in the m$ sdk.
does this function use win2000 specific imports ? a lot of potential problems could arise in this case.

NicoDE
December 13th, 2000, 07:24
Thanks for answering my question (knowing it's not a 100% reversing problem)

The structures are really old and public through the Windows NT4 DDK.
You can find NtOpenThread on every 32-bit Windows NT; but it's not documented to this day (and never will be).
Because Windows 2ooo published OpenThread, it's possible to determine how NtOpenThread works by reversing that function.
In my project I have to use NtOpenThread to fine-tune the access on threads.
My "only" problem is: I don't know how to use SecurityQualityOfService.
OK, I can leave it blank, but my aim is to fully _understand_ the function and all of the possible options.

Nico_

DinDon
December 13th, 2000, 08:30
> (knowing it's not a 100% reversing problem)

IMHO reversing OSes (especially the closed source ones) is far more fun than reversing protections...

> I don't know how to use SecurityQualityOfService.

That structure is documented indeed by Microsoft. Have a look at
http://msdn.microsoft.com/library/psdk/winbase/accclsrv_4a5u.htm

I'm afraid you did not correctly reverse the first parameter required by NtOpenThread(). In fact I found that it must be the target Process ID (or 0), and not bInheritHandle!
In fact, if you put it to 1, the API fails on Windows NT.
The following C snippet works on Windows NT:

Code:

#include <windows.h>
#include <stdio.h>

/* NtOpenThread(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
   the last two are passed here as raw DWORD arrays. */
typedef LONG (WINAPI *PNATIVEFUNC)(PHANDLE, ACCESS_MASK, PDWORD, PDWORD);

int
main(void)
{
    PNATIVEFUNC pNtOpenThread;
    HANDLE ThreadHandle;
    LONG status;                                          /* NTSTATUS */
    DWORD ObjAttr[] = { 0x18 /*Length*/, 0, 0, 0, 0, 0 }; /* OBJECT_ATTRIBUTES, rest NULL */
    DWORD Params[2];                                      /* CLIENT_ID */

    Params[0] = 0;   // TargetPID (0 = any process)
    Params[1] = 199; // TargetTID

    pNtOpenThread = (PNATIVEFUNC)GetProcAddress(
        GetModuleHandleA("ntdll"), "NtOpenThread");
    printf("%p\n", (void *)pNtOpenThread);
    if (!pNtOpenThread) return 1;

    status = pNtOpenThread(&ThreadHandle, THREAD_ALL_ACCESS, ObjAttr, Params);
    if (status) printf("%x\n", status);
    else {
        printf("handle %p\n", ThreadHandle);
        while (1) Sleep(10000); // keep running to see the handle with HandleEx
    }
    return 0;
}


Regards.

NicoDE
December 13th, 2000, 13:49
Many thanks for your help!

The last (first pushed reference) parameter is a CLIENT_ID, you are right.
How blind a man can be! Don't know why I did not find this in the PSDK (too little sleep?).

Nico_
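Putting the thread's conclusions together as an added example (not code posted by anyone in the thread): the three structures NtOpenThread takes, with the raw DWORD arrays replaced by named fields and SecurityQualityOfService filled in as the documented SECURITY_QUALITY_OF_SERVICE. The type names SQOS, OBJ_ATTR, the helper init_open_thread_args and open_current_thread_limited are my own; the actual call is compiled only under _WIN32 and opens the calling thread with THREAD_QUERY_INFORMATION, while the structure-building part runs anywhere.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* SECURITY_QUALITY_OF_SERVICE (winnt.h), the structure DinDon linked: 12 bytes. */
typedef struct {
    uint32_t Length;              /* sizeof(SQOS) */
    uint32_t ImpersonationLevel;  /* SecurityAnonymous(0) .. SecurityDelegation(3) */
    uint8_t  ContextTrackingMode; /* SECURITY_STATIC_TRACKING == 0 */
    uint8_t  EffectiveOnly;       /* 1: only currently enabled privileges/groups */
} SQOS;
/* OBJECT_ATTRIBUTES (ntdef.h): six 4-byte fields on 32-bit NT4, hence the 0x18 in DinDon's array. */
typedef struct {
    uint32_t Length;
    void    *RootDirectory, *ObjectName;  /* both NULL for NtOpenThread */
    uint32_t Attributes;                  /* OBJ_INHERIT (0x2) replaces bInheritHandle */
    void    *SecurityDescriptor;
    SQOS    *SecurityQualityOfService;
} OBJ_ATTR;
typedef struct { void *UniqueProcess, *UniqueThread; } CLIENT_ID; /* the last parameter */

/* Fill all three structures for NtOpenThread; returns ObjectAttributes.Length. */
uint32_t init_open_thread_args(OBJ_ATTR *oa, SQOS *qos, CLIENT_ID *cid,
                               uint32_t pid, uint32_t tid, int inherit, uint32_t level)
{
    memset(oa, 0, sizeof *oa);
    memset(qos, 0, sizeof *qos);
    qos->Length = sizeof *qos;
    qos->ImpersonationLevel = level;
    qos->EffectiveOnly = 1;
    oa->Length = sizeof *oa;
    oa->Attributes = inherit ? 0x2 : 0;
    oa->SecurityQualityOfService = qos;
    cid->UniqueProcess = (void *)(uintptr_t)pid;  /* 0 = any process, as in the post */
    cid->UniqueThread = (void *)(uintptr_t)tid;
    return oa->Length;
}
#ifdef _WIN32
typedef LONG (WINAPI *PFN_NTOPENTHREAD)(PHANDLE, ACCESS_MASK, OBJ_ATTR *, CLIENT_ID *);
/* Open the calling thread with one limited right; returns NTSTATUS (0 = success). */
LONG open_current_thread_limited(HANDLE *out)
{
    OBJ_ATTR oa; SQOS qos; CLIENT_ID cid;
    PFN_NTOPENTHREAD p = (PFN_NTOPENTHREAD)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtOpenThread");
    if (!p) return -1;
    init_open_thread_args(&oa, &qos, &cid, 0, GetCurrentThreadId(), 0, 1 /* SecurityIdentification */);
    return p(out, THREAD_QUERY_INFORMATION, &oa, &cid);
}
#endif
```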