push 0 //tid
push 0 //flag
sub rsp, 20
mov r9,0 //parameter
mov rcx,0 //security attribute
mov rdx, 0 //stacksize
mov r8,threadmem //address
call kernel32.createthread

I'm calling CreateThread in this way.

But if I put any address in the parameter, my code doesn't work. It just makes my PC lag and nothing happens; it seems like the thread is created but my code isn't executed. However, if I don't pass a parameter and leave it as 0, it works. Can anyone help me?

Mr.Kim
  • Which operating system are you programming for? – fuz Dec 04 '18 at 14:30
  • That is not a [mcve]. In particular we don't know what your thread is doing with the parameter. – Jester Dec 04 '18 at 14:44
  • note that [`xor ecx, ecx` is better to set rcx to zero](https://stackoverflow.com/q/33666617/995714) – phuclv Dec 04 '18 at 15:54
  • You could try making a test program in C that calls createthread, then have the C compiler output assembly code, and use that assembly code as a model for your assembly code. – rcgldr Dec 04 '18 at 21:16
  • What does the function threadmem do? – prl Dec 05 '18 at 02:16
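The following is an added example, not code from the question or from any answer. It is the C test program rcgldr's comment suggests: it calls CreateThread with a real lpParameter (a pointer to a struct), waits for the thread, and reads the result back, with a comment mapping each argument to its register or stack slot under the Windows x64 convention so the compiler's assembly output can be compared line by line with the hand-written version. The `struct work`, `worker` and `run_worker` names are this example's own; the pthread branch exists only so the file also compiles and runs on a non-Windows host and is not part of what the page describes.

```c
// Added example: call CreateThread with a parameter and read a result back.
// Build on Windows with MSVC (/FA emits the .asm) or clang -S to see the
// compiler's own CreateThread call sequence. The pthread path below is a
// shim for non-Windows hosts only (assumption of this example).
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <pthread.h>
#endif

/* The block the new thread receives through lpParameter. */
struct work {
    uint64_t input;
    uint64_t result;
};

/* Thread entry. Windows x64 convention: the single argument (lpParameter)
 * arrives in rcx; the routine must keep rsp 16-byte aligned before any call
 * it makes and returns its exit code in eax. */
#ifdef _WIN32
static DWORD WINAPI worker(LPVOID param)
#else
static void *worker(void *param)
#endif
{
    struct work *w = (struct work *)param;
    w->result = w->input * 2;   /* any work that proves the pointer arrived */
    return 0;
}

/* Create the thread, pass &w as lpParameter, wait for it and return w.result.
 * Returns UINT64_MAX if the thread could not be created. */
uint64_t run_worker(uint64_t input)
{
    struct work w = { input, 0 };
#ifdef _WIN32
    /* Argument            -> location at the call instruction (Windows x64):
     *   lpThreadAttributes   rcx          dwStackSize   rdx
     *   lpStartAddress       r8           lpParameter   r9
     *   dwCreationFlags      [rsp+0x20]   lpThreadId    [rsp+0x28]
     * [rsp+0x00..0x1f] is the 32-byte shadow space the callee may overwrite,
     * and rsp must be 16-byte aligned when CALL executes. */
    DWORD tid = 0;
    HANDLE h = CreateThread(NULL, 0, worker, &w, 0, &tid);
    if (h == NULL)
        return UINT64_MAX;
    /* w lives on this stack frame, so the creator must outlive the thread. */
    WaitForSingleObject(h, INFINITE);
    CloseHandle(h);
#else
    pthread_t t;
    if (pthread_create(&t, NULL, worker, &w) != 0)
        return UINT64_MAX;
    pthread_join(t, NULL);
#endif
    return w.result;
}

int main(void)
{
    printf("result = %llu\n", (unsigned long long)run_worker(21));
    return 0;
}
```

The point of comparison with the assembly in the question is the `struct work` lifetime: the parameter block is only valid while the creating code keeps it alive, and the thread routine must treat rcx as the only thing it can trust about its caller.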

1 Answer


You are not strictly following the x64 calling convention. Push and sub rsp may only occur in the prolog.

Windows disassembles your code and unreachable code can still hang because of it. I had to give up altogether.

Joshua