BanMe
July 18th, 2009, 21:21
this code is in BaseThreadStart on XP:
Code:
MOV EAX,DWORD PTR FS:[18]              ; EAX = TEB->Self (FS points at the current TEB)
MOV DWORD PTR SS:[EBP-20],EAX          ; keep the TEB pointer in a local
CMP DWORD PTR DS:[EAX+10],1E00         ; TEB+0x10 = NtTib.FiberData (aliased with Version)
JNZ SHORT kernel32.7C80B693            ; not 0x1E00 -> skip the CSR path, go straight to the entry point
...call to CsrNewThread()              ; CSR server-thread path (elided in the listing)
PUSH DWORD PTR SS:[EBP+C]              ; 7C80B693: lpParameter
CALL DWORD PTR SS:[EBP+8]              ; lpStartAddress(lpParameter)
PUSH EAX                               ; the entry point's return value becomes the exit code
CALL kernel32.ExitThread
Checks FiberData for 1E00?
And checks if ServerProcess. If the conditions are met, then the call to CsrNewThread occurs and Csrss is registered as the thread's termination port; if not, it just calls the thread entry point.
If this code is executed in the context of the thread before the "checks" occur, we can register our own termination port:

Code:
xor eax,eax                     ; eax = 0, then add the offset (keeps the encoding free of NULL bytes)
add eax,0x18
mov eax,fs:[eax]                ; eax = TEB->Self, same as fs:[0x18]
mov dword [eax+0x10],0x1E00     ; TEB->NtTib.FiberData = 0x1E00, the value BaseThreadStart tests
A small demo 'might' come.. not too interesting though.

regards BanMe
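Added example (not BanMe's code and not from the original post): a host-independent C model of the branch in the listing above. It lays out the x86 NT_TIB with fixed-width fields so offsetof confirms that FiberData sits at 0x10 and Self at 0x18 (the [EAX+10] and FS:[18] operands), and it models the dispatch in BaseThreadStart so you can watch the four-instruction patch flip the path. base_thread_start_model, csr_new_thread_model, mark_as_csr_thread, the server_process flag and the sample Self value are assumptions of this model, not Windows APIs; the code never touches a real TEB and builds on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* x86 NT_TIB, the first 0x1C bytes of the TEB, modelled with fixed-width
 * fields so the offsets stay those of 32-bit Windows even on a 64-bit host.
 * Illustrative model only; field names follow the public NT_TIB. */
typedef struct {
    uint32_t ExceptionList;        /* 0x00 */
    uint32_t StackBase;            /* 0x04 */
    uint32_t StackLimit;           /* 0x08 */
    uint32_t SubSystemTib;         /* 0x0C */
    uint32_t FiberData;            /* 0x10, aliased with Version; what [EAX+10] reads */
    uint32_t ArbitraryUserPointer; /* 0x14 */
    uint32_t Self;                 /* 0x18; what FS:[18] reads */
} nt_tib32_t;

#define CSR_THREAD_MARK 0x1E00u   /* immediate BaseThreadStart compares FiberData with */

typedef uint32_t (*thread_entry_t)(void *param);

enum start_path { PATH_ENTRY_ONLY = 0, PATH_CSR_NEW_THREAD = 1 };

/* stand-in for CsrNewThread(): just record that the registration path ran */
static int csr_new_thread_calls;
static void csr_new_thread_model(void) { csr_new_thread_calls++; }

/* Model of the branch in the BaseThreadStart listing. The hypothetical
 * server_process flag stands for the post's "checks if ServerProcess". */
static enum start_path base_thread_start_model(nt_tib32_t *tib, int server_process,
                                               thread_entry_t entry, void *param,
                                               uint32_t *exit_code)
{
    enum start_path path = PATH_ENTRY_ONLY;
    /* CMP DWORD PTR [EAX+10],1E00 / JNZ: only a marked thread reaches CsrNewThread */
    if (tib->FiberData == CSR_THREAD_MARK && server_process) {
        csr_new_thread_model();
        path = PATH_CSR_NEW_THREAD;
    }
    *exit_code = entry(param);   /* PUSH EAX / CALL ExitThread: return value is the exit code */
    return path;
}

/* C equivalent of the post's four-instruction patch: write 0x1E00 over TEB+0x10 */
static void mark_as_csr_thread(nt_tib32_t *tib) { tib->FiberData = CSR_THREAD_MARK; }

static uint32_t demo_entry(void *param) { return (uint32_t)(uintptr_t)param * 2u; }

/* Runs an unpatched thread, a thread patched before the checks, and a patched
 * thread whose process-side check fails. Returns 1 when all three behave as
 * the post describes, 0 otherwise. */
int run_demo(void)
{
    nt_tib32_t tib = {0};
    tib.Self = 0x7FFDE000u;              /* constructed sample TEB address */
    void *arg = (void *)(uintptr_t)21;
    uint32_t code = 0;

    csr_new_thread_calls = 0;
    enum start_path before = base_thread_start_model(&tib, 1, demo_entry, arg, &code);
    int ok = (before == PATH_ENTRY_ONLY) && (code == 42u) && (csr_new_thread_calls == 0);

    mark_as_csr_thread(&tib);            /* the patch, applied before BaseThreadStart "checks" */
    enum start_path after = base_thread_start_model(&tib, 1, demo_entry, arg, &code);
    ok = ok && (after == PATH_CSR_NEW_THREAD) && (csr_new_thread_calls == 1);

    /* the FiberData mark alone is not enough when the process-side check fails */
    enum start_path no_server = base_thread_start_model(&tib, 0, demo_entry, arg, &code);
    ok = ok && (no_server == PATH_ENTRY_ONLY) && (csr_new_thread_calls == 1);
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("FiberData at 0x%02zX, Self at 0x%02zX, demo %s\n",
           offsetof(nt_tib32_t, FiberData), offsetof(nt_tib32_t, Self),
           ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The offsets are the whole point of the model: on a real 32-bit XP thread the patch has to land on TEB+0x10 before BaseThreadStart runs its CMP, and the model makes the same write observable without touching a live TEB.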