NtCreateThread

Hi,

I’m writing a cross-platform DVD recording application. One target is NT
native (to back up whole partitions under blue screen). I need some very
limited API from every OS I support. One API call that is “welcomed” is
“create thread”. As I understand it, under NT native this call is done with
NtCreateThread. I have the prototype. But one problem: the prototype is missing the
thread procedure address! Can anybody tell me how to create a thread under the
NT native environment? Thanks a lot!

Anton Kolomyeytsev

NTSYSAPI
NTSTATUS
NTAPI
NtCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PUSER_STACK UserStack,
IN BOOLEAN CreateSuspended
);

>> thread procedure address!

IN PCONTEXT ThreadContext, >> full context set including start EIP
IN PUSER_STACK UserStack, >> the stack

This API is undocumented and subject to change without any notice. Don’t
use it unless you don’t have other solutions.

> under blue screen

If the system got a BSOD, consider it dead and let it rest in peace. Don’t
try to access partitions, read or write to them, or, for that matter, don’t do anything.

----- Original Message -----
From: “Anton Kolomyeytsev”
To: “NT Developers Interest List”
Sent: Tuesday, September 17, 2002 5:38 PM
Subject: [ntdev] NtCreateThread

> Hi,
>
> I’m writing cross-platform DVD recording application. One target is NT
> native (to backup whole partitions under blue screen). I need some very
> limited API from every OS I support. One API call that is “welcomed” is
> “create thread”. As I understand under NT native this call is done with
> NtCreateThread. I have prototype. But one problem : prototype is missing
> thread procedure address! Can anybody tell me how to create thread under
> NT native environment? Thanks a lot!
>
> Anton Kolomyeytsev
>
> NTSYSAPI
> NTSTATUS
> NTAPI
> NtCreateThread(
> OUT PHANDLE ThreadHandle,
> IN ACCESS_MASK DesiredAccess,
> IN POBJECT_ATTRIBUTES ObjectAttributes,
> IN HANDLE ProcessHandle,
> OUT PCLIENT_ID ClientId,
> IN PCONTEXT ThreadContext,
> IN PUSER_STACK UserStack,
> IN BOOLEAN CreateSuspended
> );
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>

Any sample of how to use NtCreateThread()? The data you’ve specified is…
not enough -)

Thanks, that was a different blue screen. Startup phase. When chkdsk.exe and
other native applications run.

Anton Kolomyeytsev


Anton,

you wrote on Tuesday, September 17, 2002, 18:05:58:

AK> Thanks, that was different blue screen. Startup phase. When chkdsk.exe and
AK> other native applications run.

The routine you are looking for is RtlCreateUserThread(), not
NtCreateThread. Found at www.reactos.org :

NTSTATUS
NTAPI
RtlCreateUserThread(
IN HANDLE ProcessHandle,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN BOOLEAN CreateSuspended,
IN LONG StackZeroBits,
IN OUT PULONG StackReserve,
IN OUT PULONG StackCommit,
IN PTHREAD_START_ROUTINE StartAddress,
IN PVOID Parameter,
IN OUT PHANDLE ThreadHandle,
IN OUT PCLIENT_ID ClientId
);

Ralf.

No, I don’t have any sample, but PCONTEXT is defined and known, and it
represents a pointer to a context structure which specifies the initial values
of the CPU registers for the thread.

IIRC USER_STACK is something like:

typedef struct _USER_STACK
{
    PVOID StackBase;              /* fixed stack: top    (NULL = don't use a fixed stack) */
    PVOID StackLimit;             /* fixed stack: bottom (NULL = don't use a fixed stack) */
    PVOID ExpandableStackBase;    /* growable stack: highest address                      */
    PVOID ExpandableStackLimit;   /* growable stack: lowest committed address             */
    PVOID ExpandableStackBottom;  /* growable stack: lowest reserved address              */
} USER_STACK, *PUSER_STACK;       /* PUSER_STACK is the type NtCreateThread takes         */

A small description from memory of how things should go (so bear with me if
I forgot something):

It is recommended to set the first two members to NULL, i.e. don’t use a fixed stack.

Reserve virtual memory for the stack (NtAllocateVirtualMemory()).
You must then commit virtual memory using NtAllocateVirtualMemory for the
stack, then initialize the USER_STACK structure. Then, using
NtProtectVirtualMemory(), change the protection of the last stack page to
PAGE_READWRITE | PAGE_GUARD, so you can take advantage of stack expansion.

Initialize at least the following in the context structure:

cx.Gs = 0, cx.Fs = 0x38, cx.ES, DS, SS = 0x20, cx.CS = 0x1b, EFLAGS as you
see fit

EIP = your entry point, ESP = stack.ExpandableStackBase - 4

Then call NtCreateThread to create the thread.

Ciao, Dan

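An added example that carries Dan’s recipe above through in C and also shows the RtlCreateUserThread call Ralf recommends. It is not code from this thread or from any of its posters. The stack arithmetic (reserve, commit the top of the reservation, put PAGE_GUARD on the lowest committed page, ESP = ExpandableStackBase - 4) is plain C and runs anywhere; the ntdll calls are compiled only on 32-bit Windows, are declared by hand, and assume you link ntdll.lib. What comes from the posts is kept as stated there: Dan’s USER_STACK member names (two spellings corrected), his selector values 0x1b/0x20/0x38, and Ralf’s RtlCreateUserThread prototype. The function names plan_stack, fill_user_stack, create_native_thread and create_with_rtl, the 1 MiB reserve / 16-page commit, the constructed 0x00300000 base address used in main, EFlags = 0x200, and ending the thread with NtTerminateThread instead of returning are this example’s own choices.

```c
/* Added example, not from the thread: NT native thread creation per Dan's
 * recipe, plus Ralf's RtlCreateUserThread shortcut. Layout arithmetic is
 * portable; ntdll calls build only on x86 Windows and assume ntdll.lib.
 * Names, sizes and the sample address are this example's own choices. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_PAGE 0x1000u

/* USER_STACK as Dan recalls it (misspelled members corrected). */
typedef struct _USER_STACK {
    void *StackBase;             /* fixed stack top; NULL = no fixed stack    */
    void *StackLimit;            /* fixed stack bottom                        */
    void *ExpandableStackBase;   /* highest address of the growable stack     */
    void *ExpandableStackLimit;  /* lowest committed address (the guard page) */
    void *ExpandableStackBottom; /* lowest reserved address                   */
} USER_STACK, *PUSER_STACK;

/* The stack as plain numbers, so the layout can be checked without Windows. */
typedef struct {
    uintptr_t reserve_base, commit_base, guard_page, initial_sp;
    size_t    reserve_size, commit_size;
} stack_plan;

static size_t round_up_page(size_t n)
{
    return (n + STACK_PAGE - 1) & ~(size_t)(STACK_PAGE - 1);
}

/* Downward-growing stack inside a reservation at reserve_base: commit the top
 * `commit` bytes, guard the lowest committed page, start ESP four bytes below
 * the top (Dan's "ExpandableStackBase - 4"). -1 if the guard has no room to move. */
int plan_stack(uintptr_t reserve_base, size_t reserve, size_t commit, stack_plan *p)
{
    reserve = round_up_page(reserve);
    commit  = round_up_page(commit);
    if (reserve == 0 || commit == 0 || commit + STACK_PAGE > reserve) return -1;
    p->reserve_base = reserve_base;
    p->reserve_size = reserve;
    p->commit_size  = commit;
    p->commit_base  = reserve_base + reserve - commit;
    p->guard_page   = p->commit_base;
    p->initial_sp   = reserve_base + reserve - 4;
    return 0;
}

/* Fixed-stack members stay NULL, as Dan recommends. */
void fill_user_stack(const stack_plan *p, USER_STACK *us)
{
    memset(us, 0, sizeof *us);
    us->ExpandableStackBase   = (void *)(p->reserve_base + p->reserve_size);
    us->ExpandableStackLimit  = (void *)p->commit_base;
    us->ExpandableStackBottom = (void *)p->reserve_base;
}

#if defined(_WIN32) && defined(_M_IX86)
#include <windows.h>
#include <winternl.h>
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
#define NtCurrentThread()  ((HANDLE)(LONG_PTR)-2)
#define NT_OK(s) ((LONG)(s) >= 0)
NTSYSAPI NTSTATUS NTAPI NtAllocateVirtualMemory(HANDLE, PVOID *, ULONG_PTR, PSIZE_T, ULONG, ULONG);
NTSYSAPI NTSTATUS NTAPI NtProtectVirtualMemory(HANDLE, PVOID *, PSIZE_T, ULONG, PULONG);
NTSYSAPI NTSTATUS NTAPI NtCreateThread(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, HANDLE,
                                       PCLIENT_ID, PCONTEXT, PUSER_STACK, BOOLEAN);
NTSYSAPI NTSTATUS NTAPI NtTerminateThread(HANDLE, NTSTATUS);
NTSYSAPI NTSTATUS NTAPI RtlCreateUserThread(HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, PULONG,
                                            PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID);

/* NtCreateThread pushes no return address, so the entry must never return. */
static void NTAPI native_thread_entry(void) { NtTerminateThread(NtCurrentThread(), 0); }

NTSTATUS create_native_thread(void (NTAPI *entry)(void), SIZE_T reserve, SIZE_T commit, PHANDLE th)
{
    PVOID base = NULL, cb; SIZE_T size = reserve, cs; ULONG old; NTSTATUS st;
    stack_plan p; USER_STACK us; CONTEXT cx; CLIENT_ID cid;
    st = NtAllocateVirtualMemory(NtCurrentProcess(), &base, 0, &size, MEM_RESERVE, PAGE_READWRITE);
    if (!NT_OK(st)) return st;
    if (plan_stack((uintptr_t)base, size, commit, &p) != 0) return (NTSTATUS)0xC000000DL; /* STATUS_INVALID_PARAMETER */
    cb = (PVOID)p.commit_base; cs = p.commit_size;
    st = NtAllocateVirtualMemory(NtCurrentProcess(), &cb, 0, &cs, MEM_COMMIT, PAGE_READWRITE);
    if (!NT_OK(st)) return st;
    cb = (PVOID)p.guard_page; cs = STACK_PAGE;
    st = NtProtectVirtualMemory(NtCurrentProcess(), &cb, &cs, PAGE_READWRITE | PAGE_GUARD, &old);
    if (!NT_OK(st)) return st;
    fill_user_stack(&p, &us);
    memset(&cx, 0, sizeof cx);
    cx.ContextFlags = CONTEXT_FULL;
    cx.SegGs = 0; cx.SegFs = 0x38; cx.SegEs = cx.SegDs = cx.SegSs = 0x20; cx.SegCs = 0x1b; /* Dan's values */
    cx.EFlags = 0x200;                   /* interrupt flag only: this example's choice */
    cx.Eip = (DWORD)(ULONG_PTR)entry;
    cx.Esp = (DWORD)p.initial_sp;
    return NtCreateThread(th, THREAD_ALL_ACCESS, NULL, NtCurrentProcess(), &cid, &cx, &us, FALSE);
}

/* Ralf's route: ntdll builds stack and context itself; NULL sizes = image defaults. */
NTSTATUS create_with_rtl(PTHREAD_START_ROUTINE fn, PVOID arg, PHANDLE th)
{
    CLIENT_ID cid;
    return RtlCreateUserThread(NtCurrentProcess(), NULL, FALSE, 0, NULL, NULL, (PVOID)fn, arg, th, &cid);
}
#endif

int main(void)
{
    stack_plan p;   /* constructed sample: 1 MiB reserve, 16 pages committed, at 0x00300000 */
    if (plan_stack(0x00300000u, 1u << 20, 16 * STACK_PAGE, &p) != 0) return 1;
    printf("commit %#lx+%#lx guard %#lx esp %#lx\n", (unsigned long)p.commit_base,
           (unsigned long)p.commit_size, (unsigned long)p.guard_page, (unsigned long)p.initial_sp);
#if defined(_WIN32) && defined(_M_IX86)
    { HANDLE h; printf("NtCreateThread -> %#lx\n", (unsigned long)
          create_native_thread(native_thread_entry, 1u << 20, 16 * STACK_PAGE, &h)); }
#endif
    return 0;
}
```

The two NtAllocateVirtualMemory calls and the NtProtectVirtualMemory guard-page call consume exactly the numbers plan_stack produces, so the layout can be reviewed offline before any of the undocumented calls are made. A native image has no kernel32, which is why the entry ends itself through NtTerminateThread: the word at the initial ESP is zero, not a return address.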

> NtCreateThread. I have prototype. But one problem : prototype is missing
> thread procedure address!

It is in Context->Eip.

Max

RE: [ntdev] Re: NtCreateThread

Hello Anton,

I would suggest going to www.reactos.com and looking at how it’s done there.

In addition, I have some sample sources where it’s used and will send them to you privately.

------

Bye,

SaB

> -----Original Message-----
> From: Anton Kolomyeytsev [mailto:xxxxx@cooldev.com]
> Sent: Tuesday, September 17, 2002 6:06 PM
> To: NT Developers Interest List
> Subject: [ntdev] Re: NtCreateThread


RE: [ntdev] Re: NtCreateThread

Although ReactOS is a wonderful piece of code, I would not look inside it for NT internals too much and take those blindly as an answer. Although, since they are aiming at compatibility at the API level, I guess this API works as expected.