Jump to content
Tuts 4 You

Hiding Threads From Debuggers


waliedassar

Recommended Posts

This is a really interesting article, thank you.

Do you have some more information about ZwCreateThreadEx?

Scylla is using this function already for dll injection:


#define THREAD_ALL_ACCESS_VISTA_7 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
//for windows vista/7
ntStatus = NativeWinApi::NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS_VISTA_7, 0, hProcess, (LPTHREAD_START_ROUTINE)lpStartAddress, (LPVOID)lpParameter, TRUE, 0, 0, 0, 0);

I guess the public known prototyp is wrong:


typedef NTSTATUS (WINAPI *def_NtCreateThreadEx)(PHANDLE hThread,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,BOOL CreateSuspended,ULONG StackZeroBits,LPVOID SizeOfStackCommit,LPVOID SizeOfStackReserve,LPVOID lpBytesBuffer);

BOOL CreateSuspended -> Scylla is using TRUE (1) to create a suspended thread. But I guess it can be combined with 0x4, so the name is wrong. Are there any other tricks with this api?

Link to comment

The prototype you have mentioned is fine except that the 7th parameter should be "long Flags" instead of "BOOL CreateSuspended". As i can see in disassembly, there are only four allowed flags.
flags_allowed.png
0x1 --> CreateSuspended
0x2 --> SuppressDllMains (Don't call DllMain's and TLS callbacks for DLL_THREAD_ATTACH/DETACH)
0x4 --> HideFromDebugger
0x8--> ???Bit 0x8 causes some bit at the thread's TEB to be set (at offset 0xFCA from the start of 32-bit TEB). Still under study.

Edited by waliedassar
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...