
Thread32First / NtSuspendThread from DDK driver


Nido
June 15th, 2009, 01:01
Hello,

Does anyone happen to know how to enumerate threads of the current process from inside a DDK driver. i.e. what NtXXX/ZwXXX calls are used to implement it ?

I have an exact moment during a syscall entry/exit inside ring0 that I want my target program to suspend all execution of itself. Ideally I wish to manually enumerate and then suspend all other threads with NtSuspendThread() and then issue an NtSuspendProcess() to halt the final thread.

This is so that I can then attach a debugger to be able to single step about 50k instructions from that syscall return. I only wish the main thread (primary thread) to resume execution when the debugger attaches, so I am thinking that by manually suspending threads first, before the NtSuspendProcess(), when the debugger restarts all but the main thread will continue to be asleep (due to Suspend Counts still being > 0). I presume NtSuspendProcess() effectively increments the suspend count of ALL threads, which means the non-main will have a count of 2, while the main a count of 1. So on process resume they are all decremented.

I already have a working DDK driver framework I am hooking syscalls with that can identify the process and the exact moment I want it to be suspended.

Meanwhile I'll have to reveng the KERNEL32!CreateToolhelp32Snapshot() to see how that works.

Thanks,

Example user-space pseudo code would look something like:

Code:

```c
#include <windows.h>
#include <tlhelp32.h>
typedef NTSTATUS (NTAPI *NtSuspendProcess_t)(HANDLE);   /* not in public headers */
void SuspendSelf(void) {
    NtSuspendProcess_t NtSuspendProcess = (NtSuspendProcess_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSuspendProcess");
    THREADENTRY32 te = { sizeof(te) };                  /* dwSize must be set */
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnapshot != INVALID_HANDLE_VALUE && Thread32First(hSnapshot, &te)) {
        do {
            /* snapshot lists every thread on the system: keep this process, skip self */
            if (te.th32OwnerProcessID != GetCurrentProcessId() ||
                te.th32ThreadID == GetCurrentThreadId()) continue;  /* compare ids, not pseudo-handles */
            HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
            if (hThread) { SuspendThread(hThread); CloseHandle(hThread); }
        } while (Thread32Next(hSnapshot, &te));
        CloseHandle(hSnapshot);
    }
    if (NtSuspendProcess) NtSuspendProcess(GetCurrentProcess());  /* every suspend count +1 */
}
```

BanMe
June 15th, 2009, 13:52
NtQuerySystemInformation InfoClass SystemProcessThreadInformation.

NtQuerySystemInformation InfoClass SystemHandleInformation.
An example of this method, mostly ready to use, is here:
http://www.rootkit.com/board.php?thread=11234&did=edge778&disp=11234

Or you could go the BlackLight route and brute-force the ClientId.UniqueThread.

I'm sure there are many other ways, especially if you're in kernel mode. ;}

Regards, BanMe