NtSuspendThread


ring0
January 14th, 2009, 02:46
Hi,

I am trying to understand how Ntdll!NtSuspendProcess is implemented.
I am using SoftIce debugger.

The below assembly code is taken using IDA Pro.
NtDll!NtSuspendProcess:
ntdll.dll:7C90E83A ntdll_NtSuspendProcess:
ntdll.dll:7C90E83A mov eax, 0FDh
ntdll.dll:7C90E83F mov edx, offset off_7FFE0300
ntdll.dll:7C90E844 call dword ptr [edx]
ntdll.dll:7C90E846 retn 4

As you can see, EAX is set to FDh (253), which is the SSDT index.
The function call to dword ptr [edx] leads to -

ntdll.dll:7C90EB8B ntdll_KiFastSystemCall:
ntdll.dll:7C90EB8B mov edx, esp
ntdll.dll:7C90EB8D sysenter
ntdll.dll:7C90EB8F nop
ntdll.dll:7C90EB90 nop
ntdll.dll:7C90EB91 nop
ntdll.dll:7C90EB92 nop
ntdll.dll:7C90EB93 nop
ntdll.dll:7C90EB94
ntdll.dll:7C90EB94 ntdll_KiFastSystemCallRet:
ntdll.dll:7C90EB94 retn

sysenter is used instead of int 2E.
I want to debug implementation of NtSuspendProcess in ntoskrnl.exe.

I thought of using SoftIce command:
bpint 2e if (eax==FD). But this does not work.
bpint sysenter is not supported.
How do I do this?

Please help.

Thanks,
Ring0
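
Added example (not part of ring0's post): the stub quoted above can be decoded mechanically rather than by reading it in the debugger. The C below takes a constructed byte copy of the listing (the bytes are assembled from the quoted disassembly, little-endian), decodes the fixed sequence mov eax, imm32 / mov edx, imm32 / call dword ptr [edx] / retn imm16, and returns the SSDT index (0xFD), the dispatch pointer (0x7FFE0300, the SystemCall slot of KUSER_SHARED_DATA that points at KiFastSystemCall) and the stack-argument size. It also reports when the first instruction has been overwritten, which is what a user-mode inline hook of the stub looks like. The function names, the second "hooked" sample and its jmp displacement are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed sample: the bytes behind the ntdll!NtSuspendProcess listing
 * quoted in the post (32-bit XP-era ntdll), little-endian:
 *   B8 FD 00 00 00   mov  eax, 0FDh        ; SSDT index
 *   BA 00 03 FE 7F   mov  edx, 7FFE0300h   ; KUSER_SHARED_DATA.SystemCall
 *   FF 12            call dword ptr [edx]  ; -> KiFastSystemCall: mov edx,esp / sysenter
 *   C2 04 00         retn 4                ; one DWORD argument (the process handle)
 */
static const uint8_t NT_SUSPEND_PROCESS_STUB[] = {
    0xB8, 0xFD, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x04, 0x00
};

/*
 * Constructed sample (assumption, not taken from the page) of the same stub
 * after a user-mode inline hook: the first five bytes were replaced with a
 * relative jmp (E9 rel32) to a hook body. The displacement is arbitrary.
 */
static const uint8_t HOOKED_STUB[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x04, 0x00
};

#define STUB_NOT_FOUND 0xFFFFFFFFu

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* SSDT index: immediate of the leading "mov eax, imm32" (opcode B8).
 * Returns STUB_NOT_FOUND if the stub does not start that way, which is
 * exactly what a jmp- or push/ret-style inline hook leaves behind. */
uint32_t stub_syscall_index(const uint8_t *code, size_t len)
{
    if (len < 5 || code[0] != 0xB8)
        return STUB_NOT_FOUND;
    return rd32le(code + 1);
}

/* Dispatch pointer: immediate of "mov edx, imm32" (opcode BA) followed by
 * "call dword ptr [edx]" (FF 12). On XP this slot in KUSER_SHARED_DATA holds
 * the address of KiFastSystemCall (sysenter) or KiIntSystemCall (int 2Eh),
 * chosen at boot depending on CPU support. */
uint32_t stub_dispatch_ptr(const uint8_t *code, size_t len)
{
    if (len < 12 || code[5] != 0xBA || code[10] != 0xFF || code[11] != 0x12)
        return STUB_NOT_FOUND;
    return rd32le(code + 6);
}

/* Bytes popped by the trailing "retn imm16" (opcode C2): the stack argument
 * size, so imm16 / 4 is the number of DWORD parameters (1 for a HANDLE).
 * Returns -1 if the instruction is not where the stub layout puts it. */
int stub_arg_bytes(const uint8_t *code, size_t len)
{
    if (len < 15 || code[12] != 0xC2)
        return -1;
    return (int)(code[13] | (code[14] << 8));
}

/* 1 when the first instruction is no longer "mov eax, imm32": an inline
 * hook in ntdll, which a caller cannot detect from the SSDT alone. */
int stub_is_hooked(const uint8_t *code, size_t len)
{
    return stub_syscall_index(code, len) == STUB_NOT_FOUND;
}

int main(void)
{
    const size_t n = sizeof NT_SUSPEND_PROCESS_STUB;
    printf("NtSuspendProcess: SSDT index 0x%X, dispatch via [0x%08X], %d arg bytes\n",
           (unsigned)stub_syscall_index(NT_SUSPEND_PROCESS_STUB, n),
           (unsigned)stub_dispatch_ptr(NT_SUSPEND_PROCESS_STUB, n),
           stub_arg_bytes(NT_SUSPEND_PROCESS_STUB, n));
    printf("hooked copy: %s\n",
           stub_is_hooked(HOOKED_STUB, sizeof HOOKED_STUB)
               ? "index not recoverable (first instruction replaced)"
               : "stub intact");
    return 0;
}
```

The same decoder applied to every Nt*/Zw* export of a live ntdll (read the first 16 bytes of each export) gives a user-mode view of the SSDT numbering and flags exports whose prologue no longer matches; the kernel-side SSDT entry itself, which is what a SoftICE breakpoint on ntoskrnl!NtSuspendProcess lands on, is not visible from this stub and has to be checked in ring0.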

OHPen
January 14th, 2009, 03:24
Hey,

If this is not working, why not simply set two breakpoints, one at NtSuspendThread and one at the address of NtSuspendThread in kernel memory? After tracing over the sysenter you should break at the beginning of the kernel function, if that is what you want.

Regards,

OHPen

evaluator
January 14th, 2009, 12:22
NtSuspendProcess will one by one suspend all threads of process;
(BTW, can fail on some threads!)

Elenil
January 14th, 2009, 13:37
ntdll.dll:7C90EB8D sysenter

Set a breakpoint here; when you hit F8 it will lead you into kernel mode (you can also turn selectors on; this will also show whether you are in kernel mode or not).
In kernel mode it will go through a loop to call the SSDT table.
If you use symbols for NTOSKRNL, SoftICE has a good view.
BTW, "sysenter" doesn't call an interrupt.

Or simply try
"bpx ntoskrnl!NtSuspendProcess" or "bpm ntoskrnl!NtSuspendProcess x",
then see the ring0 code, or step out of the code and see if some driver has called it.

GamingMasteR
January 14th, 2009, 13:50
There's no need to debug it at run time; you can analyze it statically.
As evaluator said, it just walks the process's threads and suspends them.

ring0
January 14th, 2009, 20:37
Thanks for all your replies.

Evaluator said:
"NtSuspendProcess can fail on some threads!"
Can you please explain this? In what scenarios will a thread suspend fail on a user-mode app?

Elenil
January 15th, 2009, 07:59
Quote (originally posted by ring0):
Thanks for all your replies.

Evaluator said:
"NtSuspendProcess can fail on some threads!"
Can you please explain this? In what scenarios will a thread suspend fail on a user-mode app?

One scenario is: when the SSDT table in ring0 for NtSuspendProcess is changed and protected for your target application.

ring0
January 15th, 2009, 11:59
Do you mean, if the address of NtSuspendProcess is modified in the SSDT?
Are you referring to an SSDT hook here?

I didn't understand your post completely. Please explain.

GamingMasteR
January 15th, 2009, 13:19
SSDT hook or inline hook of NtSuspendProcess.

evaluator
January 24th, 2009, 15:29
Hey! I don't mean it fails because of a hook or something weird.
Some threads can have a different status.