Results 1 to 2 of 2

Thread: Thread32First / NtSuspendThread from DDK driver

  1. #1

    Thread32First / NtSuspendThread from DDK driver

    Hello,

    Does anyone happen to know how to enumerate threads of the current process from inside a DDK driver. i.e. what NtXXX/ZwXXX calls are used to implement it ?

    I have an exact moment during a syscall entry/exit inside ring0 that I want my target program to suspend all execution of itself. Ideally I wish to manually enumerate and then suspend all other threads with NtSuspendThread() and then issue an NtSuspendProcess() to halt the final thread.

    Tis is so that I can then attach a debugger to be able to single step about 50k instructions from that syscall return. I only wish the main thread (primary thread) to resume execution when the debugger attaches, so I am thinking by manually suspending threads first before the NtSuspendProcess() when the debugger restarts all but the main thread will continue to be asleep (due to Suspend Counts still being > 0). I presume NtSuspendProcess() effectively increments the suspend count to ALL threads, which means the non-main will have a count of 2, while the main a count of 1. So on process resume they are all decremented.

    I already have a working DDK driver framework I am hooking syscalls with that can identify the process and the exact moment I want it to suspended.

    Meanwhile I'll have to reveng the KERNEL32!CreateToolhelp32Snapshot() to see how that works.

    Thanks,

    Code:
    Example user-space pseudo code would look something like:
    
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if(hSnapshot == VALID && Thread32First(hSnapshot, &data)) {
     do {
       hThread = NtOpenThread(.... data.hThread ....);
       if(hThread != GetCurrentThread())
         SuspendThread(hThread);
       CloseHandle(hThread);
     } while(Thread32Next(hSnapshot, &data));
     CloseHandle(hSnapshot);
    }
    NtSuspendProcess(GetCurrentProcess());

  2. #2
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    NtQuerySystemInformation InfoClass SystemProcessThreadInformation.

    NtQuerySystemInformation InfoClass SystemHandleInformation.
    A example of this method mostly ready use is here:
    http://www.rootkit.com/board.php?thread=11234&did=edge778&disp=11234

    or you could go the blacklight route and bruteforce the ClientId.UniqueThread

    im sure there are many other ways especially if your in kernel mode..;}

    regards BanMe
    Last edited by BanMe; June 15th, 2009 at 13:58.

Similar Threads

  1. NtSuspendThread
    By ring0 in forum The Newbie Forum
    Replies: 9
    Last Post: January 24th, 2009, 15:29
  2. TPkd driver won't install
    By LumpBeats in forum The Newbie Forum
    Replies: 2
    Last Post: October 16th, 2007, 15:57
  3. patching a sys driver
    By Shub-nigurrath in forum Advanced Reversing and Programming
    Replies: 4
    Last Post: December 4th, 2005, 06:02
  4. Help trackin IO from a driver
    By isis in forum Advanced Reversing and Programming
    Replies: 3
    Last Post: March 1st, 2001, 08:12
  5. driver the game
    By hoekeirs in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: February 24th, 2001, 17:33

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •