ZwQueryInformationThread(ThreadLastSystemCall)

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //You can use this method to retrieve the last system call issued by a specific thread.
4. #include "stdafx.h"
5. #include "windows.h"
6. #include "stdio.h"
7.  
8. #define ThreadLastSystemCall            0x15
9.  
10. extern "C"
11. {
12. int __stdcall ZwSetInformationThread(HANDLE,unsigned long,unsigned long*,unsigned long);
13. int __stdcall ZwQueryInformationThread(HANDLE,unsigned long,unsigned long*,unsigned long,unsigned long*);
14. }
15.  
16. void Wait()
17. {
18.     MessageBox(0,"Waliedassar","waliedassar",0);
19.     //Sleep(INFINITE);
20.     return;
21. }
22.  
23.  
24. struct ThreadLastSysCallInfo
25. {
26.     unsigned long FirstArgument;
27.     unsigned short SysCallNumber;
28.     unsigned short pad;
29. };
30.  
31. int main(int argc, char* argv[])
32. {
33.  
34.     unsigned long tid=0;
35.     HANDLE hT=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&Wait,0,0,&tid);
36.     if(!hT) return 0;
37.     Sleep(1000);
38.  
39.     unsigned long length=0;
40.     ThreadLastSysCallInfo LASTCALL={0};
41.     int ret=ZwQueryInformationThread(hT,ThreadLastSystemCall,(unsigned long*)(&LASTCALL),0x8,&length);
42.     if(ret>=0)
43.     {
44.         printf("Okay\r\n");
45.         printf("First argument is %x\r\n",LASTCALL.FirstArgument); //FirstArgument
46.         printf("Last System call is %x\r\n",LASTCALL.SysCallNumber); //Syscall ordinal
47.     }
48.     else       printf("Error: %x\r\n",ret);
49.     return 0;
50. }