Win32 Kernel32.CreateThread from assembler

Question

Hi to all....

////////////////////////////////////////////

PUSH 214D84DD // thread id address out
PUSH 0  
PUSH 0
PUSH 214D84CD // my function address to run in the thread
PUSH 0
PUSH 0
CALL DWORD PTR DS:[4EBD1204]  // KERNEL32.CreateThread


waiting_label:
NOP
JMP waiting_label

////////////////////////////////////////////

I have put a breakpoint on my function (214D84CD), but after the CreateThread, in the "waiting loop" my function is not invoked. Otherwise, if I call after CreateThread my application (and not the waiting loop) with many others threads, my function is invoked.

Why? There is some "DoEvents" api to force in my loop to call my thread function?

The thread id (214D84DD) and the return value EAX are not null. I'm run my application in a debugger (OllyDbg). And I'm not using any compiler.

Many thanks, Riccardo

Answer 1

HANDLE WINAPI CreateThread(
  __in_opt   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in       SIZE_T dwStackSize,
  __in       LPTHREAD_START_ROUTINE lpStartAddress,
  __in_opt   LPVOID lpParameter,
  __in       DWORD dwCreationFlags,
  __out_opt  LPDWORD lpThreadId
);

you are passing them wrong. Since in stdcall, you have to push the argument in a reverse order, lpThreadId should be pushed first. Thus 214D84CD and 214D84DD should be flipped.

Answer 2

You have to manually switch to the newly created thread via the 'threads' window.

Answer 3

Is because the CreateThread is in the initialization routine of a DLL.... :(

"During process startup and DLL initialization routines, new threads can be created, but they do not begin execution until DLL initialization is done for the process."

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682453%28v=vs.85%29.aspx