How can I call microsoft undocumented function ZwSuspendThread...


Rajesh K Sharma
Feb 21, 2003, 2:37:33 PM
Hi All,

For some reason I need to try my luck with using the Microsoft
undocumented functions called ZwSuspendThread or ZwTerminateProcess
inside my kernel driver; I did find the prototypes of these functions
on the internet, as follows:

NTSYSAPI
NTSTATUS
NTAPI
ZwSuspendThread(
    IN HANDLE ThreadHandle,
    OUT PULONG PreviousSuspendCount OPTIONAL
    );

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
    );

After including these prototypes in my kernel driver, if I try to build
it I get a link-time error "unresolved external symbol
__imp_ZwSuspendThread" etc. I did try using them without any
prototype declaration and still get the same error. I am wondering
if there is any way by which I can call these functions.

Thanks for the help -

Rajesh K Sharma
San Diego
Websense

All messages from thread
Message 1 in thread
From: Juergen Gessner (ac...@sunbeam.zfe.siemens.de)
Subject: NTDLL documentation ?
Newsgroups: microsoft.public.win32.programmer.kernel,
comp.os.ms-windows.programmer.nt.kernel-mode
Date: 1998/03/23

Hi,

I have a problem concerning the NTDLL.DLL library. Microsoft does
not publish any documentation about this DLL. I need to know the
arguments needed for the following kernel functions:

NtCreateProcess
NtCreateThread
NtTerminateProcess
NtTerminateThread
NtLoadDriver
NtUnloadDriver
LdrLoadDll
LdrUnloadDll
NtShutdownSystem
NtSuspendThread
LdrShutdownProcess
LdrShutdownThread

Possibly all the functions in NTDLL.DLL

I found the use of NtCreateProcess only (as example...),
in ntddk.h (DDK header file):

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess (
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    );

Any documentation or any info about the kernel functions mentioned
above, or about NTDLL.DLL or NTOSKRNL.EXE, would be useful (maybe)...

Please mail any useful info to my email address
(gul...@rocketmail.com)

Thanks in advance,

Theo

-----------------------------------------
Theo Guelcher

NT-developer at Siemens AG Munich Germany

email : gul...@rocketmail.com
tel. : +49 89 636 41860
fax. : +49 89 636 48000
-----------------------------------------
Message 2 in thread
From: Felix Kasza [MVP] (fel...@mvps.org)
Subject: Re: NTDLL documentation ?
Newsgroups: microsoft.public.win32.programmer.kernel,
comp.os.ms-windows.programmer.nt.kernel-mode
Date: 1998/03/23

Juergen,

> I've have a problem concerning the NTDLL.DLL-library.

Read up on the Zw*() functions in the DDK, or check the appendices in
Rajeev Nagar's "Windows NT File System Internals".

Cheers,
Felix.

--
If you post a reply, kindly refrain from emailing it, too.
I have killfiled hotmail.com and yahoo.com. If you are legit,
come forth and be recognized -- with a *real* email address.

Message 3 in thread
From: jja...@hotmail.com (jja...@hotmail.com)
Subject: Re: NTDLL documentation ?
Newsgroups: microsoft.public.win32.programmer.kernel,
comp.os.ms-windows.programmer.nt.kernel-mode
Date: 1998/03/23

Hi,
I have the prototypes for many of them. I have given the equivalent
Zw*** prototypes for some of the Nt**** APIs. The only difference
between these two is that the Nt*** routines do some argument
validation. Hope this information is helpful to you.

Jaimon

> I've have a problem concerning the NTDLL.DLL-library. Microsoft does not
> publish any documentation about this DLL. I need to know the arguments
> needed for the following Kernel-functions :
>
> NtCreateProcess
NTSYSAPI NTSTATUS NTAPI ZwCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL
);
> NtCreateThread
NTSYSAPI NTSTATUS NTAPI ZwCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended
);
> NtTerminateProcess
NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
> NtTerminateThread
NTSYSAPI NTSTATUS NTAPI ZwTerminateThread(
IN HANDLE ThreadHandle OPTIONAL,
IN NTSTATUS ExitStatus
);

> NtLoadDriver
NTSYSAPI NTSTATUS NTAPI NtLoadDriver(
IN PUNICODE_STRING DriverServiceName
);
Read the rest of this message... (38 more lines)

Message 4 in thread
From: Michael Kolfman (mic...@multexsys.com)
Subject: Re: NTDLL documentation ?
Newsgroups: microsoft.public.win32.programmer.kernel
Date: 1998/03/24


Juergen,

> I have a problem concerning the NTDLL.DLL library. Microsoft does not
> publish any documentation about this DLL.


Go to the new page on ntinternals:
http://www.ntinternals.com/ntdll.htm

Regards,
Mike

Don Burn
Feb 21, 2003, 2:53:43 PM
ZwSuspendThread is not exported by the kernel. You can only
call it by going through the trap table, and this is not recommended. Why
do you wish to suspend the thread in the first place? There may
be a kernel approach that can work if we can get some insight into
what you need to do.

Don Burn
Windows 2k/XP/2k3 Filesystem and Driver Consulting

"Rajesh K Sharma" <rsh...@websense.com> wrote in message
news:d1b925e1.03022...@posting.google.com...

Rajesh K Sharma
Feb 21, 2003, 7:50:53 PM
Thanks for the reply Don,

The problem I am trying to solve is preventing an application from
running, but not at the file system filter driver level. After
researching all the possible ways I could do it (problems stemming from
not being able to get the names of the executables from the section
object handles and so on, if I hook into NtCreateProcess or
NtCreateSection), I have settled on an approach using
PsSetCreateThreadNotifyRoutine and PsSetCreateProcessNotifyRoutine.

With the help of some good ideas on the internet from very smart
people I have the following approach using the two key APIs above: after
create_thread_notify_routine is called for the process which has been
created, I try to change its start address using NtSetInformationThread
(and the undocumented class ThreadQuerySetWin32StartAddress) to my
function inside the kernel driver, which can call NtExitProcess or
NtTerminateProcess or NtSuspendThread (whichever prototype I am able
to discover). The reason I am doing it like that is that if I try to
kill the application from user mode by TerminateProcess while waiting
inside the create_process_notify_routine, it causes a deadlock; hence
I have the option of saving the process id of the newly created
process inside the create_process_notify_routine and then letting
user mode decide, by giving an IOCTL to the kernel driver, whether the
process should be terminated; and when create_thread_notify_routine is
called, I will verify it against the saved process id and then change
its start address to my function inside the kernel driver, which calls
NtExitProcess or NtTerminateProcess to terminate gracefully.

I have two issues here:

1) In my notify routine pasted below, the highlighted line is returning
0x800000002, which means not aligned on a boundary; I am still
struggling to get it to work.
2) Inability to get the correct prototypes for NtTerminateProcess or
NtExitProcess or NtSuspendThread; using any one of these I can have my
problem solved.

Can you please help, if I am doing anything wrong, or do you have any
other better ways to get around my problem?

Help is really appreciated.

- Rajesh K Sharma
San Diego
Websense

VOID
create_thread_notify_routine (
    IN HANDLE ProcessId,
    IN HANDLE ThreadId,
    IN BOOLEAN Create
    )
{
    PDEVICE_EXTENSION extension;

    /* The format string was split across two lines; it must be one literal. */
    DbgPrint("create_thread_notify_routine : ProcessId = %d ThreadId = %d "
             "Create = %d\r\n",
             ProcessId, ThreadId, Create);

    /* Only act on thread creation, not on thread exit. */
    if (Create == FALSE)
        return;

    extension = g_pDeviceObject->DeviceExtension;
    if (extension->b_start_filtering)
    {
        if (extension->pol_info.h_block_proc_id)
        {
            /* This is the call that returns the misalignment status.
             * Two things to note: ZwSetInformationThread expects an object
             * handle for the thread, whereas ThreadId here is the thread
             * identifier handed to the notify routine; and ThreadInformation
             * must point at a buffer holding the new start address rather
             * than be the address itself. Kept as posted. */
            ZwSetInformationThread (ThreadId, ThreadQuerySetWin32StartAddress,
                                    extension->pfn_exit_proc, sizeof (PEXIT_PROCESS));
            /* Consume the one-shot policy entry. */
            memset (&extension->pol_info, 0, sizeof (POLICY_INFO));
        }
    }
}


"Don Burn" <bu...@acm.org> wrote in message news:<v5d0vrd...@corp.supernews.com>...


Maxim S. Shatskih
Feb 21, 2003, 7:31:43 PM
> For some reason I need to try my luck with using microsoft
> undocumented functions called ZwSuspendThread or ZwTerminateProcess

Please be careful with these routines, since abusing them (calling
them for a thread which holds some lock) can cause a deadlock.
For instance, Sun have removed this facility from Java due to this
reason.

Max


Don Burn
Feb 22, 2003, 9:13:38 AM
You have a number of challenges here:

1. You are using the application name to decide if you allow it
to run. You should realize that this is not a lot of protection
since someone can easily rename or copy the file.

2. As far as your actual problem is concerned, I have done something
similar, but instead of trying to stop the process or the thread, an
easier way is to take advantage of the common startup sequence of
Win32 processes and deny access to the executable you do not wish
to run.


Don Burn
Windows 2k/XP/2k3 Filesystem and Driver Consulting


"Rajesh K Sharma" <rsh...@websense.com> wrote in message
news:d1b925e1.03022...@posting.google.com...
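As an added example (not code from this thread or from Websense), here is the documented mechanism that later Windows versions provide for what Don describes: a process-creation callback registered with PsSetCreateProcessNotifyRoutineEx (Windows Vista and later) that denies the create by setting CreationStatus, instead of patching a thread start address or calling an unexported Zw routine. The image-name policy is kept in plain C so it can be exercised in user mode; the block list, the function names and the BLOCKER_KERNEL_BUILD macro are assumptions of this example, while ntddk.h, PS_CREATE_NOTIFY_INFO and the /INTEGRITYCHECK requirement come from the WDK.

```c
#include <stddef.h>
#include <stdint.h>
/* ASCII-range case fold of a UTF-16 code unit; NT image paths compare case-insensitively. */
static uint16_t fold16(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }
/* 1 if the NT path (len code units, not NUL-terminated) ends in "\" + name, e.g.
 * "\Device\HarddiskVolume1\tools\blocked.exe".  Name alone is weak policy (rename/copy
 * defeats it, as Don notes); a production driver would also verify the file itself. */
int image_name_matches(const uint16_t *path, size_t len, const char *name)
{
    size_t nlen = 0;
    while (name[nlen] != '\0') nlen++;
    if (len < nlen + 1 || path[len - nlen - 1] != '\\') return 0;
    for (size_t i = 0; i < nlen; i++)
        if (fold16(path[len - nlen + i]) != fold16((uint16_t)(unsigned char)name[i])) return 0;
    return 1;
}
/* Constructed block list; a real driver would receive the policy from user mode via IOCTL. */
static const char *const BLOCKED_IMAGES[] = { "blocked.exe", "badtool.exe" };
int should_block_image(const uint16_t *path, size_t len)
{
    for (size_t i = 0; i < sizeof BLOCKED_IMAGES / sizeof BLOCKED_IMAGES[0]; i++)
        if (image_name_matches(path, len, BLOCKED_IMAGES[i])) return 1;
    return 0;
}
/* Verdict for an ASCII NT path so the policy can be exercised in user mode. */
int verdict_for_ascii_path(const char *p)
{
    uint16_t buf[260];
    size_t n = 0;
    while (p[n] != '\0' && n < 260) { buf[n] = (uint16_t)(unsigned char)p[n]; n++; }
    return should_block_image(buf, n);
}
#ifdef BLOCKER_KERNEL_BUILD  /* assumed to be defined only by the driver project's build */
#include <ntddk.h>
/* Runs on every process creation.  A failure CreationStatus fails the create before
 * the initial thread runs, so no start-address patching, undocumented Zw call or
 * service-table hook is needed.  Link with /INTEGRITYCHECK or registration fails. */
VOID BlockerCreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                                  PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL)
        return;  /* NULL CreateInfo means process exit: nothing to decide */
    if (should_block_image((const uint16_t *)CreateInfo->ImageFileName->Buffer,
                           CreateInfo->ImageFileName->Length / sizeof(WCHAR)))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
}
/* DriverEntry: PsSetCreateProcessNotifyRoutineEx(BlockerCreateProcessNotifyEx, FALSE);
 * unload:      PsSetCreateProcessNotifyRoutineEx(BlockerCreateProcessNotifyEx, TRUE); */
#endif
```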

Rajesh K Sharma
Feb 22, 2003, 10:47:11 PM
Thanks a lot for your replies. I have figured out what approach
I should take; I am hooking the system service table and have learned
a very simple way to get the name of the exe. (Note for Don
Burn: we already take care of the issue of application of policies not
being based upon file name, but we need the name of the file as an
argument to generate information for policy.) You guys are great. Have
a nice weekend.

- Rajesh K Sharma
Websense
San Diego

"Maxim S. Shatskih" <ma...@storagecraft.com> wrote in message news:<b36kp6$1v4v$9...@gavrilo.mtu.ru>...
