Hi,
I need a help with RtlCreateUserThread function.
The program that i reverse, uses this function for starting new thread. As I understand, the program WriteMemory to memory space of another process first and then passes the handler of this process to RtlCreateUserThread.
The question is how i can continue following after the program flow in the created thread?

Thanks in advance.

search the forum for my posts..you fail at that area..but i am kind..

bp on LdrpCallInitRoutine..in the injected process the thread is running it before the thread is injected..

method 2
bp on the just after VirtualAllocEx get the address of the memory to be written to and bp in the on that area in the 'injected process'..

BanMe

Thanks, man.
I'm new here. Didn't find it before.

that is no excuse..just know that 'others' will not be as 'nice' about it as I am..but everybody gets 1..next time I wont be so kind..if I see a lack of 'seeking' the answer yourself.

regards BanMe

wouldn't it be easier to just set a breakpoint on the start address of the new thread? (it's the 7th argument to RtlCreateUserThread)