NtCreateThread - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTPSAPI_H
//
// Threads
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
/**
* Creates a new thread in the specified process.
*
* \param ThreadHandle A pointer to a handle that receives the thread object handle.
* \param DesiredAccess The access rights desired for the thread object.
* \param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread.
* \param ProcessHandle A handle to the process in which the thread is to be created.
* \param ClientId A pointer to a CLIENT_ID structure that receives the client ID of the new thread.
* \param ThreadContext A pointer to a CONTEXT structure that specifies the initial context of the new thread.
* \param InitialTeb A pointer to an INITIAL_TEB structure that specifies the initial stack limits of the new thread.
* \param CreateSuspended If TRUE, the thread is created in a suspended state.
* \return NTSTATUS Successful or errant status.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_Out_ PCLIENT_ID ClientId,
_In_ PCONTEXT ThreadContext,
_In_ PINITIAL_TEB InitialTeb,
_In_ BOOLEAN CreateSuspended
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwCreateThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_Out_ PCLIENT_ID ClientId,
_In_ PCONTEXT ThreadContext,
_In_ PINITIAL_TEB InitialTeb,
_In_ BOOLEAN CreateSuspended
);
View code on GitHubCreates a new thread in the specified process. This is a legacy function that requires manually allocating stack and preparing thread context.
ThreadHandle - a pointer to a variable that receives a handle to the new thread.DesiredAccess - the thread access mask to provide on the returned handle. This value is usually THREAD_ALL_ACCESS.ObjectAttributes - an optional pointer to an OBJECT_ATTRIBUTES structure that specifies attributes for the new object/handle, such as the security descriptor and handle inheritance.ProcessHandle - a handle to the process where the thread should be created. This can either be the NtCurrentProcess pseudo-handle or a handle with PROCESS_CREATE_THREAD access.ClientId - a pointer to a variable that receives the client ID of the new thread.ThreadContext - the initial context (a set of registers) for the thread.InitialTeb - the structure describing the thread stack.CreateSuspended - whether the new thread should be created in a suspended state or allowed to run immediately. When specifying TRUE, you can use NtResumeThread to resume the thread later.For the modern equivalent, see NtCreateThreadEx.
To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.
This functionality is not exposed in Win32 API. The closest alternative that uses the modern syscall is CreateRemoteThreadEx.
Caller supplied storage for the resulting handle.
Specifies the allowed or desired access to the thread.
Initialized attributes for the object.
Handle to the threads parent process.
Caller supplies storage for returned process id and thread id.
Initial processor context for the thread.
Initial user mode stack context for the thread.
Specifies if the thread is ready for scheduling. See NtContinue for more information.