Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Hiding Threads From Debuggers

waliedassar
waliedassar
in Reverse Engineering Articles

Featured Replies

Posted

My lastest blog post where i discuss in detail the topic of hiding threads from debuggers.

http://waleedassar.b...-debuggers.html

Have fun.

Edited by waliedassar

    • Like 5

    Very nice. I must admit that I didn't know for this trick.

    This is a really interesting article, thank you.

    Do you have some more information about ZwCreateThreadEx?

    Scylla is using this function already for dll injection:


       #define THREAD_ALL_ACCESS_VISTA_7 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
       //for windows vista/7
       ntStatus = NativeWinApi::NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS_VISTA_7, 0, hProcess, (LPTHREAD_START_ROUTINE)lpStartAddress, (LPVOID)lpParameter, TRUE, 0, 0, 0, 0);

    I guess the public known prototyp is wrong:


    typedef NTSTATUS (WINAPI *def_NtCreateThreadEx)(PHANDLE hThread,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,BOOL CreateSuspended,ULONG StackZeroBits,LPVOID SizeOfStackCommit,LPVOID SizeOfStackReserve,LPVOID lpBytesBuffer);

    BOOL CreateSuspended -> Scylla is using TRUE (1) to create a suspended thread. But I guess it can be combined with 0x4, so the name is wrong. Are there any other tricks with this api?

    • Author

    The prototype you have mentioned is fine except that the 7th parameter should be "long Flags" instead of "BOOL CreateSuspended". As i can see in disassembly, there are only four allowed flags.
    flags_allowed.png
    0x1 --> CreateSuspended
    0x2 --> SuppressDllMains (Don't call DllMain's and TLS callbacks for DLL_THREAD_ATTACH/DETACH)
    0x4 --> HideFromDebugger
    0x8--> ???Bit 0x8 causes some bit at the thread's TEB to be set (at offset 0xFCA from the start of 32-bit TEB). Still under study.

    Edited by waliedassar

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.