Tuts 4 You

Hiding Threads From Debuggers


waliedassar


This is a really interesting article, thank you.

Do you have some more information about ZwCreateThreadEx?

Scylla is using this function already for dll injection:


#define THREAD_ALL_ACCESS_VISTA_7 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
//for windows vista/7
ntStatus = NativeWinApi::NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS_VISTA_7, 0, hProcess, (LPTHREAD_START_ROUTINE)lpStartAddress, (LPVOID)lpParameter, TRUE, 0, 0, 0, 0);

I guess the publicly known prototype is wrong:


typedef NTSTATUS (WINAPI *def_NtCreateThreadEx)(PHANDLE hThread,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,BOOL CreateSuspended,ULONG StackZeroBits,LPVOID SizeOfStackCommit,LPVOID SizeOfStackReserve,LPVOID lpBytesBuffer);

BOOL CreateSuspended -> Scylla is using TRUE (1) to create a suspended thread. But I guess it can be combined with 0x4, so the name is wrong. Are there any other tricks with this api?


The prototype you have mentioned is fine except that the 7th parameter should be "long Flags" instead of "BOOL CreateSuspended". As I can see in the disassembly, there are only four allowed flags.
[image: flags_allowed.png]
0x1 --> CreateSuspended
0x2 --> SuppressDllMains (don't call DllMains and TLS callbacks for DLL_THREAD_ATTACH/DETACH)
0x4 --> HideFromDebugger
0x8 --> ??? Bit 0x8 causes some bit in the thread's TEB to be set (at offset 0xFCA from the start of the 32-bit TEB). Still under study.

Edited by waliedassar
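An added example, not code from either poster: it declares NtCreateThreadEx with the corrected 7th parameter (ULONG Flags, as the reply says), decodes a Flags word into the four names the reply gives, and adds the check a debugger or monitoring tool would run on a thread it was not notified about, asking the kernel via NtQueryInformationThread whether HideFromDebugger is set. The flag macro names, the ThreadHideFromDebugger information class value (0x11, returning a BOOLEAN) and the Windows-only function are assumptions from public documentation, not from this thread; the decoder is portable C and the Windows part is compiled only under _WIN32.

```c
/* Added example, not from the Tuts 4 You thread. Flag names, the
 * ThreadHideFromDebugger info class and the query routine are assumptions
 * taken from public documentation; only the bit values 0x1..0x8 and their
 * meanings come from the reply above. */
#include <stdio.h>
#include <string.h>

#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED   0x1 /* reply: CreateSuspended  */
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x2 /* reply: SuppressDllMains */
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x4 /* reply: HideFromDebugger */
#define THREAD_CREATE_FLAG_0x8                 0x8 /* reply: purpose unknown  */
#define THREAD_CREATE_FLAGS_KNOWN_MASK         0xF /* the four accepted bits  */

/* 1 if this Flags word asks the kernel for a thread debuggers are not told about. */
int flags_hide_from_debugger(unsigned long flags)
{
    return (flags & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER) ? 1 : 0;
}

/* Writes a readable decoding of Flags into buf. Returns the number of set bits
 * outside the four known ones (the reply says only those are allowed), or -1 if
 * buf is too small. A syscall monitor can log the string and flag the count. */
int describe_thread_create_flags(unsigned long flags, char *buf, size_t buflen)
{
    static const struct { unsigned long bit; const char *name; } known[] = {
        { THREAD_CREATE_FLAGS_CREATE_SUSPENDED,   "CreateSuspended"  },
        { THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH, "SuppressDllMains" },
        { THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, "HideFromDebugger" },
        { THREAD_CREATE_FLAG_0x8,                 "Bit0x8(unknown)"  },
    };
    size_t used = 0, i;
    int unknown = 0;
    unsigned long rest;

    if (buflen == 0) return -1;
    buf[0] = '\0';
    for (i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (flags & known[i].bit) {
            int n = snprintf(buf + used, buflen - used, "%s%s",
                             used ? "|" : "", known[i].name);
            if (n < 0 || (size_t)n >= buflen - used) return -1;
            used += (size_t)n;
        }
    }
    /* Count bits the reply's disassembly does not list as accepted. */
    for (rest = flags & ~THREAD_CREATE_FLAGS_KNOWN_MASK; rest; rest &= rest - 1)
        unknown++;
    if (unknown)
        snprintf(buf + used, buflen - used, "%s+%d unknown bit(s)",
                 used ? " " : "", unknown);
    if (flags == 0)
        snprintf(buf, buflen, "none");
    return unknown;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* The asker's prototype with the reply's correction: parameter 7 is ULONG Flags. */
typedef NTSTATUS (NTAPI *def_NtCreateThreadEx)(PHANDLE hThread, ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter, ULONG Flags, ULONG StackZeroBits, LPVOID SizeOfStackCommit,
    LPVOID SizeOfStackReserve, LPVOID lpBytesBuffer);

/* Assumption: THREADINFOCLASS value for ThreadHideFromDebugger (public docs). */
#define THREAD_INFO_HIDE_FROM_DEBUGGER 0x11

typedef NTSTATUS (NTAPI *def_NtQueryInformationThread)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Debugger-side check on a thread handle: 1 = hidden from debugger,
 * 0 = visible, -1 = query unavailable or failed. */
int thread_is_hidden_from_debugger(HANDLE hThread)
{
    def_NtQueryInformationThread query = (def_NtQueryInformationThread)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationThread");
    BOOLEAN hidden = 0;
    NTSTATUS st;

    if (!query) return -1;
    st = query(hThread, THREAD_INFO_HIDE_FROM_DEBUGGER, &hidden, sizeof hidden, NULL);
    if (st < 0) return -1;                  /* !NT_SUCCESS */
    return hidden ? 1 : 0;
}
#endif

int main(void)
{
    char buf[128];
    unsigned long samples[] = { 0x1, 0x5, 0x15 }; /* constructed Flags values */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int unknown = describe_thread_create_flags(samples[i], buf, sizeof buf);
        printf("Flags=0x%lx -> %s (hidden=%d, unknown=%d)\n", samples[i], buf,
               flags_hide_from_debugger(samples[i]), unknown);
    }
    return 0;
}
```

The decoder is what a syscall trace or hook reviewer needs when a Flags argument shows up as a bare number; the query is what a debugger plugin runs on thread handles it obtains by other means (for example by enumerating the process), since the kernel never delivers a CREATE_THREAD event for a thread created with 0x4.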