Posted: Mon May 29, 2006 7:55 pm Post subject: ZwSetInformationThread - anti-dbg trick, but how?
I see that a lot of these protectors use the ZwSetInformationThread API as some anti-debug trick. Googling and finding the reference, I see that ZwSetInformationThread just sets thread priority!? How is that used as an anti-debug trick?
In my case, when this API is called, Olly's CPU window just shows nothing, like nothing is loaded in it. Here is what I found:
The ZwSetInformationThread routine can be called to set the priority of a thread for which the caller has a handle.

Parameters:
    IN HANDLE ThreadHandle,
    IN THREADINFOCLASS ThreadInformationClass,
    IN PVOID ThreadInformation,
    IN ULONG ThreadInformationLength

ThreadHandle: Handle to a thread object. The handle for a newly created thread is returned by the PsCreateSystemThread routine, which creates the new thread. Use the NtCurrentThread() macro to specify the current thread.

ThreadInformationClass: Specifies one of the system-defined values, ThreadPriority or ThreadBasePriority.

ThreadInformation: Pointer to a variable specifying the information to be set. If ThreadInformationClass is ThreadPriority, this value must be > LOW_PRIORITY and <= HIGH_PRIORITY. If ThreadInformationClass is ThreadBasePriority, this value must fall within the system's valid base priority range and the original priority class for the given thread: that is, if a thread's priority class is variable, that thread's base priority cannot be reset to a real-time priority value, and vice versa.

ThreadInformationLength: Specifies the size in bytes of ThreadInformation, which must be at least sizeof(KPRIORITY).

Declared in ntddk.h. Include ntddk.h.

Return value: ZwSetInformationThread returns STATUS_SUCCESS or an error status, such as STATUS_INFO_LENGTH_MISMATCH or STATUS_INVALID_PARAMETER.

ZwSetInformationThread can be called by higher-level drivers to set the priority of a thread for which they have a handle.
The caller must have THREAD_SET_INFORMATION access rights for the given thread in order to call this routine.
Usually, device and intermediate drivers that set up driver-created threads call KeSetBasePriorityThread or KeSetPriorityThread from their driver-created threads, rather than ZwSetInformationThread. However, a driver can call ZwSetInformationThread to raise the priority of a driver-created thread before that thread is run.
Callers of ZwSetInformationThread must be running at IRQL = PASSIVE_LEVEL.

See also: KeSetBasePriorityThread, KeSetPriorityThread, PsCreateSystemThread
Here is some sample code:
Once the ZwSetInformationThread function is called, all user mode debuggers are unable to read the process memory.
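An added example, not code from the post or from any protector: the anti-debug use of ZwSetInformationThread does not pass the priority classes the DDK text above documents but the undocumented information class ThreadHideFromDebugger (0x11), and the kernel reports the resulting per-thread flag back through NtQueryInformationThread with the same class, so an analyst can check whether a given thread has hidden itself from the debugger. This Python/ctypes probe does that for one thread id; it assumes Windows Vista or later, and the function names and the injectable `query` parameter are this example's own.

```python
import ctypes
import sys

THREAD_QUERY_INFORMATION = 0x0040   # access right OpenThread needs for the query
THREAD_HIDE_FROM_DEBUGGER = 0x11    # THREADINFOCLASS value ThreadHideFromDebugger
STATUS_SUCCESS = 0


def _ntdll_query(thread_handle, info_class, out):
    """Call ntdll!NtQueryInformationThread with the ctypes object `out` as buffer."""
    nt = ctypes.WinDLL("ntdll").NtQueryInformationThread
    nt.restype = ctypes.c_long                       # NTSTATUS, signed 32-bit
    nt.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                   ctypes.c_ulong, ctypes.c_void_p]
    return nt(thread_handle, info_class, ctypes.byref(out), ctypes.sizeof(out), None)


def is_hidden_from_debugger(thread_handle, query=_ntdll_query):
    """True if ThreadHideFromDebugger has been set on the thread behind the handle.

    The kernel answers this class with exactly one BOOLEAN byte; any other
    buffer size fails with STATUS_INFO_LENGTH_MISMATCH, so the buffer is a
    single c_ubyte.  `query` is injectable (hypothetical helper parameter) so
    the decoding can be exercised off-Windows with a stand-in.
    """
    flag = ctypes.c_ubyte(0)
    status = query(thread_handle, THREAD_HIDE_FROM_DEBUGGER, flag) & 0xFFFFFFFF
    if status != STATUS_SUCCESS:
        raise OSError(f"NtQueryInformationThread failed, NTSTATUS 0x{status:08X}")
    return flag.value != 0


def check_thread_id(tid):
    """Open a thread by id with THREAD_QUERY_INFORMATION and report its flag."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenThread.restype = ctypes.c_void_p
    k32.OpenThread.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenThread(THREAD_QUERY_INFORMATION, False, tid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return is_hidden_from_debugger(handle)
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    tid = int(sys.argv[1])
    print(f"thread {tid}: hidden from debugger = {check_thread_id(tid)}")
```

A thread that reports True will not deliver debug events to a user-mode debugger, which is the symptom described in the post; an attached debugger can compare this against its own thread list to spot the trick.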