BiW Reversing: The challenge is yours
 Welcome to BiW Reversing

ZwSetInformationThread - anti-dbg trick, but how?

 
www.reversing.be Forum Index -> Code Reversing
haggar (Regular; joined 19 Mar 2005; 246 posts)
Posted: Mon May 29, 2006 7:55 pm    Post subject: ZwSetInformationThread - anti-dbg trick, but how?

I see that a lot of these protectors use the ZwSetInformationThread API as some anti-debug trick. Googling and finding a reference, I see that ZwSetInformationThread just sets thread priority!? How is that used as an anti-debug trick?

In my case, when this API is called, the Olly CPU window just shows nothing, as if nothing were loaded in it. Here is what I found:

Quote:
ZwSetInformationThread
The ZwSetInformationThread routine can be called to set the priority of a thread for which the caller has a handle.

NTSTATUS
ZwSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);
Parameters
ThreadHandle
Handle to a thread object. The handle for a newly created thread is returned by the PsCreateSystemThread routine, which creates a handle to a new thread. Use the NtCurrentThread() macro to specify the current thread.
ThreadInformationClass
Specifies one of the system-defined values, ThreadPriority or ThreadBasePriority.
ThreadInformation
Pointer to a variable specifying the information to be set. If ThreadInformationClass is ThreadPriority, this value must be > LOW_PRIORITY and <= HIGH_PRIORITY. If ThreadInformationClass is ThreadBasePriority, this value must fall within the system's valid base priority range and the original priority class for the given thread: that is, if a thread's priority class is variable, that thread's base priority cannot be reset to a real-time priority value and vice versa.
ThreadInformationLength
Specifies the size in bytes of ThreadInformation, which must be at least sizeof(KPRIORITY).
Headers
Declared in ntddk.h. Include ntddk.h.

Return Value
ZwSetInformationThread returns STATUS_SUCCESS or an error status, such as STATUS_INFO_LENGTH_MISMATCH or STATUS_INVALID_PARAMETER.

Comments
ZwSetInformationThread can be called by higher-level drivers to set the priority of a thread for which they have a handle.

The caller must have THREAD_SET_INFORMATION access rights for the given thread in order to call this routine.

Usually, device and intermediate drivers that set up driver-created threads call KeSetBasePriorityThread or KeSetPriorityThread from their driver-created threads, rather than ZwSetInformationThread. However, a driver can call ZwSetInformationThread to raise the priority of a driver-created thread before that thread is run.

Callers of ZwSetInformationThread must be running at IRQL = PASSIVE_LEVEL.

See Also
KeSetBasePriorityThread, KeSetPriorityThread, PsCreateSystemThread

Built on Friday, April 11, 2003



Is it some ring0 thingy?
TheHyper (New to the board; joined 02 May 2006; 12 posts)
Posted: Wed May 31, 2006 4:16 pm

Damn, I was planning to include this trick in my new unpackme :(

ZwSetInformationThread allows us to increase the thread priority, plus other things.

Okay, here is the function definition:

NTSYSAPI NTSTATUS NTAPI ZwSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);

Here are the possible values for THREADINFOCLASS:

typedef enum _THREADINFOCLASS {
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
MaxThreadInfoClass
} THREADINFOCLASS;

Here is some sample code:
#include <windows.h>
#include <winternl.h>   /* NTSTATUS, NTAPI */

/* ThreadHideFromDebugger is index 17 (0x11) in THREADINFOCLASS */
#define ThreadHideFromDebugger 17

typedef NTSTATUS (NTAPI *ZwSetInformationThread_t)(HANDLE, ULONG, PVOID, ULONG);

int main(void)
{
    /* Pseudo-handle for the calling thread */
    HANDLE hThread = GetCurrentThread();
    /* Resolve the native API from ntdll.dll at run time; keep the pointer instead of
       relying on eax still holding GetProcAddress's return value */
    ZwSetInformationThread_t pZwSetInformationThread =
        (ZwSetInformationThread_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwSetInformationThread");
    if (pZwSetInformationThread == NULL)
        return 1;
    /* Same stdcall arguments as the pushes: handle, class, NULL, 0 */
    pZwSetInformationThread(hThread, ThreadHideFromDebugger, NULL, 0);
    return 0;
}

Once the ZwSetInformationThread function is called, all user-mode debuggers are unable to read the process memory 8)
haggar (Regular; joined 19 Mar 2005; 246 posts)
Posted: Wed May 31, 2006 6:52 pm

Thanks, I didn't know that. Is that ThreadHideFromDebugger a boolean value, like 1 and 0? I'm gonna check some files now.

Btw, how is it going with your protector? When will we see the new unpackme?
TheHyper (New to the board; joined 02 May 2006; 12 posts)
Posted: Wed May 31, 2006 8:53 pm

ThreadHideFromDebugger is 17 (0x11).

I have fixed all the previous vulnerabilities and added some anti-debugging tricks :D

I am trying to think of a cool API redirection and binary code obfuscation.
Hopefully, I will be releasing my new unpackme within 2 weeks.

I must make it a real hard nut to crack :twisted:
haggar (Regular; joined 19 Mar 2005; 246 posts)
Posted: Thu Jun 01, 2006 11:53 am

Yep, I saw in some files that it pushes 11.

Hard, you said. Well, I'm waiting for it 8) I like interesting unpackmes.

See you ;)
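As an added example that is not part of the thread (my code, not TheHyper's or haggar's), here is a small Python scanner for the byte pattern TheHyper's snippet compiles to, which is the "pushes 11" haggar reports seeing in protected files: two push 0, a push of the class byte, a push of the thread handle, then a call. The x86 encodings in the comments are the standard ones; the sample bytes are constructed, and a match is a triage pointer for an analyst rather than proof, since a handle push or call encoded differently is missed.

```python
import re

# THREADINFOCLASS in enum order as posted above; the list index is the enum value
THREADINFOCLASS = [
    "ThreadBasicInformation", "ThreadTimes", "ThreadPriority", "ThreadBasePriority",
    "ThreadAffinityMask", "ThreadImpersonationToken", "ThreadDescriptorTableEntry",
    "ThreadEnableAlignmentFaultFixup", "ThreadEventPair_Reusable",
    "ThreadQuerySetWin32StartAddress", "ThreadZeroTlsCell", "ThreadPerformanceCount",
    "ThreadAmILastThread", "ThreadIdealProcessor", "ThreadPriorityBoost",
    "ThreadSetTlsArrayAddress", "ThreadIsIoPending", "ThreadHideFromDebugger",
    "ThreadBreakOnTermination",
]
HIDE_FROM_DEBUGGER = THREADINFOCLASS.index("ThreadHideFromDebugger")  # 17 == 0x11

# x86 encoding of the stdcall pushes for ZwSetInformationThread(h, class, NULL, 0),
# last argument first:
#   6A 00 / 6A 00              push 0 (ThreadInformationLength) / push 0 (ThreadInformation)
#   6A ib                      push class (captured; 11 = ThreadHideFromDebugger)
#   50-57 / 6A FE / FF 75 ib   push reg / push -2 (GetCurrentThread pseudo-handle) / push [ebp+disp8]
#   E8 rel32 / FF D0-D7 / FF 15 imm32   call rel32 / call reg / call [imm32]
CALL_SEQUENCE = re.compile(
    rb"\x6A\x00\x6A\x00\x6A(.)"
    rb"(?:[\x50-\x57]|\x6A\xFE|\xFF\x75.)"
    rb"(?:\xE8.{4}|\xFF[\xD0-\xD7]|\xFF\x15.{4})",
    re.DOTALL,
)

def find_hide_from_debugger(code: bytes) -> list:
    """Return (offset, class name) for every matching call sequence whose class byte is 0x11."""
    hits = []
    for m in CALL_SEQUENCE.finditer(code):
        cls = m.group(1)[0]
        if cls == HIDE_FROM_DEBUGGER:
            hits.append((m.start(), THREADINFOCLASS[cls]))
    return hits

# Constructed sample bytes (not from a real binary): a prologue, a decoy "push 0x11"
# used as an ordinary constant, then two genuine call sequences
SAMPLE = (
    b"\x55\x8B\xEC"                              # push ebp; mov ebp, esp
    b"\x6A\x11\x58"                              # push 0x11; pop eax  (decoy, no call)
    b"\x6A\x00\x6A\x00\x6A\x11\x6A\xFE\xFF\xD0"  # push 0; push 0; push 0x11; push -2; call eax
    b"\x90\x90"                                  # nop; nop
    b"\x6A\x00\x6A\x00\x6A\x11\xFF\x75\xF8"      # push 0; push 0; push 0x11; push [ebp-8]
    b"\xFF\x15\x00\x30\x40\x00"                  # call [0x403000]  (constructed IAT slot)
    b"\xC3"                                      # ret
)
```

find_hide_from_debugger(SAMPLE) reports the two sequences at offsets 6 and 18; the decoy at offset 3 is skipped because no argument pushes and call follow it.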