Author Topic: Monitoring process creation via NtResumeThread hook  (Read 443 times)

zwclose7
« on: July 22, 2016, 03:44:59 pm »
When a new process is created, it is actually created in a suspended state. To start its execution, the primary thread needs to be resumed, and this is done by calling the NtResumeThread function on that thread.

Code:
NTSTATUS NTAPI NtResumeThread(HANDLE hThread,PULONG PreviousSuspendCount);

Because the NtResumeThread function is called when a new process is created, it is possible to monitor process creation by hooking the NtResumeThread function.

However, the parameter passed to the function is a thread handle, not a process handle. In order to monitor the new process, we need the process handle.

To get the process handle, we can call the NtQueryInformationThread function on the thread to get the PID of its owner process, and then use that PID to open a handle to the process.

With the process handle, it is possible to inject code into the new process, so the new process will get hooked as well. Any child processes created by the hooked process will be hooked too.

Here is a simple DLL that hooks the NtResumeThread function to inject itself into child processes created by the hooked process.

Code:
#include <Windows.h>
#include <TlHelp32.h>
#include <winternl.h>
#include <string.h>
#include "apihook.h"   /* author's own inline-hook helper (API_HOOK, InitAPIHook, ...) */

#pragma comment(lib,"ntdll.lib")

typedef NTSTATUS (NTAPI *pNtResumeThread)(HANDLE,PULONG);

typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

/* Layout returned by NtQueryInformationThread(ThreadBasicInformation) */
typedef struct _THREAD_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PTEB TebBaseAddress;
    CLIENT_ID ClientId;
    ULONG_PTR AffinityMask;
    LONG Priority;
    LONG BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

EXTERN_C NTSTATUS NTAPI RtlAdjustPrivilege(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);

char szDllName[1024];   /* full path of this DLL, filled in DllMain */
API_HOOK NRTHook;

NTSTATUS NTAPI HookNtResumeThread(HANDLE hThread,PULONG SuspendCount)
{
    HANDLE hProcess;
    PVOID mem;
    BYTE byte;
    pNtResumeThread fnNtResumeThread;
    THREAD_BASIC_INFORMATION tbi;

    fnNtResumeThread=(pNtResumeThread)NRTHook.OrigFunction;

    /* Information class 0 is ThreadBasicInformation; ClientId.UniqueProcess is the PID of the owner process */
    if(NT_SUCCESS(NtQueryInformationThread(hThread,(THREADINFOCLASS)0,&tbi,sizeof(tbi),NULL)))
    {
        hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,(DWORD)(ULONG_PTR)tbi.ClientId.UniqueProcess);

        if(hProcess)
        {
            /* Already hooked? The hook stub begins with a JMP rel32 (0xE9). ntdll is mapped at the
               same base in every process of a boot session, so the address is valid in the target too. */
            if(ReadProcessMemory(hProcess,NRTHook.FunctionAddress,&byte,1,NULL))
            {
                if(byte==0xe9)
                {
                    NtClose(hProcess);
                    return fnNtResumeThread(hThread,SuspendCount);
                }
            }

            mem=VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);

            if(mem)
            {
                /* Copy the DLL path including its terminating NUL, then queue LoadLibraryA as an APC
                   on the still-suspended primary thread; it runs once the thread is resumed below. */
                WriteProcessMemory(hProcess,mem,szDllName,strlen(szDllName)+1,NULL);
                QueueUserAPC((PAPCFUNC)LoadLibraryA,hThread,(ULONG_PTR)mem);
            }

            NtClose(hProcess);
        }
    }

    return fnNtResumeThread(hThread,SuspendCount);
}

BOOL WINAPI DllMain(HMODULE hModule,DWORD dwReason,LPVOID lpReserved)
{
    switch(dwReason)
    {
        case DLL_PROCESS_ATTACH:
            /* ANSI variant: szDllName is a char buffer regardless of the UNICODE setting */
            GetModuleFileNameA(hModule,szDllName,sizeof(szDllName));

            InitAPIHook(&NRTHook,"ntdll.dll","NtResumeThread",HookNtResumeThread);
            StartAPIHook(&NRTHook);
            break;

        case DLL_PROCESS_DETACH:
            UnhookAPIHook(&NRTHook);
            RemoveAPIHook(&NRTHook);
            break;
    }

    return TRUE;
}
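From the defender's side, the step in this post that is most visible to endpoint monitoring is the parent opening a full-access handle (PROCESS_ALL_ACCESS) to its just-created child and then writing into it. Sysmon's ProcessAccess event (Event ID 10) records exactly that handle open together with the granted access mask and a call trace. The PowerShell script below is an added example, not code from the original post or its author. It assumes Sysmon is installed with ProcessAccess logging enabled; the two event records are constructed here to mimic Sysmon's EventData layout so the script runs offline, and the "frame outside C:\Windows" heuristic is an assumption of this example, not a Sysmon feature.

```powershell
# Added example (not from the original post): triage Sysmon ProcessAccess (Event ID 10) records
# for handles that carry the rights the injection pattern needs.
# Assumption: Sysmon is installed with ProcessAccess logging enabled.

# Process access rights from winnt.h that the injection step relies on
$PROCESS_VM_OPERATION = 0x0008   # needed by VirtualAllocEx
$PROCESS_VM_WRITE     = 0x0020   # needed by WriteProcessMemory

function Test-InjectionAccess {
    # Sysmon logs GrantedAccess as a hex string such as "0x1FFFFF" (PROCESS_ALL_ACCESS)
    param([Parameter(Mandatory)][string]$GrantedAccess)
    $mask = [Convert]::ToInt32($GrantedAccess, 16)
    # A handle that can both allocate and write in the target is what remote DLL loading needs
    return ((($mask -band $PROCESS_VM_OPERATION) -ne 0) -and (($mask -band $PROCESS_VM_WRITE) -ne 0))
}

function Get-SuspiciousProcessAccess {
    # Accepts parsed event XML (what [xml]$evt.ToXml() yields for a Sysmon event) from the pipeline
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$Record)
    process {
        $data = @{}
        foreach ($d in $Record.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not (Test-InjectionAccess $data.GrantedAccess)) { return }

        # Heuristic (assumption of this example): a call-trace frame outside C:\Windows means the
        # handle was opened from a non-system module, e.g. a DLL that was itself injected earlier.
        $nonSystemFrames = @(($data.CallTrace -split '\|') | Where-Object { $_ -notmatch '^C:\\Windows\\' })

        [pscustomobject]@{
            SourceImage     = $data.SourceImage
            TargetImage     = $data.TargetImage
            GrantedAccess   = $data.GrantedAccess
            NonSystemFrames = ($nonSystemFrames -join '|')
        }
    }
}

# Constructed sample records (same EventData layout Sysmon writes; paths and offsets are made up)
$hitXml = @'
<Event><EventData>
  <Data Name="SourceImage">C:\Users\demo\AppData\Local\Temp\parent.exe</Data>
  <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
  <Data Name="GrantedAccess">0x1FFFFF</Data>
  <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d0a4|C:\Users\demo\AppData\Local\Temp\hook.dll+1234</Data>
</EventData></Event>
'@
$benignXml = @'
<Event><EventData>
  <Data Name="SourceImage">C:\Windows\System32\Taskmgr.exe</Data>
  <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
  <Data Name="GrantedAccess">0x1410</Data>
  <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d0a4</Data>
</EventData></Event>
'@

$hit    = [xml]$hitXml      # full-access handle opened from a non-system DLL: reported
$benign = [xml]$benignXml   # 0x1410 = QUERY_LIMITED_INFORMATION|QUERY_INFORMATION|VM_READ: not reported

@($hit, $benign) | Get-SuspiciousProcessAccess | Format-Table -AutoSize

# Live use on a monitored host (not run here):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10} |
#     ForEach-Object { [xml]$_.ToXml() } | Get-SuspiciousProcessAccess
```

Event ID 10 does not say whether the source is the target's parent, so to narrow the output to the parent-on-child pattern described in this post, join the reported SourceImage/TargetImage pairs with Sysmon's ProcessCreate events (Event ID 1), which carry ParentProcessId. The access-mask test is deliberately broader than PROCESS_ALL_ACCESS because an implementation can request only the rights it needs; the two bits checked are the minimum for allocating and writing the DLL path into the child.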
