21.driverbase-多线程PsCreateSystemThread

NTKERNELAPI
NTSTATUS
PsCreateSystemThread(
__out PHANDLE ThreadHandle,// 得到新创建的线程句柄
__in ULONG DesiredAccess,// 创建的权限
__in_opt POBJECT_ATTRIBUTES ObjectAttributes,// 线程属性，一般设为NULL
__in_opt  HANDLE ProcessHandle,//为NULL表示创建系统线程，为进程句柄，则新创建的线程属于这个指定的进程，
__out_opt PCLIENT_ID ClientId,
__in PKSTART_ROUTINE StartRoutine,// 新线程进行起始地址
__in_opt PVOID StartContext// 新线程接收的参数
);

如：

#pragma PAGEDCODE
VOID SystemThread(IN PVOID pContext)
{
PEPROCESS pEProcess = IoGetCurrentProcess();
PTSTR ProcessName = (PTSTR)((ULONG)pEProcess+0x174);
KdPrint(("This SystemThread run in %s process",ProcessName));
PsTerminateSystemThread(STATUS_SUCCESS);
}

#pragma PAGEDCODE
VOID MyProcessThread(IN PVOID pContext)
{
PEPROCESS pEProcess = IoGetCurrentProcess();
PTSTR ProcessName = (PTSTR)((ULONG)pEProcess+0x174);
KdPrint(("This MyProcessThread run in %s process",ProcessName));
PsTerminateSystemThread(STATUS_SUCCESS);
}

#pragma PAGEDCODE
VOID CreateThread_Test()
{
HANDLE hSystemThread,hMyThread;
NTSTATUS status = PsCreateSystemThread(&hSystemThread,0,NULL,NULL,NULL,SystemThread,NULL);
status = PsCreateSystemThread(&hMyThread,0,NULL,NtCurrentProcess(),NULL,MyProcessThread,NULL);
}

记得CreateThread_Test函数不要在DriverEntry中调用，可以放在IRP_MJ_DEVICE_CONTROL中来触发（NtCurrentProcess()，DriverEntry是属于System进程调用的）