I want to alter the stack of a newly created remote thread, but upon

Question

0

Asked: May 27, 20262026-05-27T10:37:54+00:00 2026-05-27T10:37:54+00:00

I want to alter the stack of a newly created remote thread, but upon

0

I want to alter the stack of a newly created remote thread, but upon invoking CreateRemoteThread to create a thread in a suspended state, the stack has not been allocated.

I’m using GetThreadContext to get the address of ESP after creating the suspended thread, though if I look at this address in my disassembly window in the VS debugger, it has not been allocated. Also, writing to this address using WriteProcessMemory fails every time.

How can I edit the stack of a newly created but suspended remote thread?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-27T10:37:55+00:00

When you get thread handle, its stack is allocated, (as well as TIB structure).

MSVS debugger may show wrong information, so don’t rely on it.
I’m not sure if thread context has correct values, maybe it’s set later.

You should use TIB structure to get stack addresses, if it’s really what you need.

If you just want to call function remotely before thread function invocation, you can use QueueUserAPC or RtlRemoteCall, both works when thread is created with CREATE_SUSPENDED flag.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I want to alter the stack of a newly created remote thread, but upon

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply