Terminating a thread from within PsSetCreateThreadNotifyRoutine

Let’s say I detected some malicious thread in PsSetCreateThreadNotifyRoutine
How would I be able to terminate it?

ZwTerminateThread isn’t exported, so I thought of injecting an APC or calling PsSetCreateThreadNotifyRoutineEx in the context of the created thread, but there isn’t a function like ExitThread exposed in the kernel.

I know I can set PsSetLoadImageNotifyRoutine and keep in some process context structure the address of ExitThread in kernel32, and maybe I could manage to open a usermode APC on that address, but that sounds far too complicated to do in the kernel, and I am trying to find some elegant way of achieving this.

Any thoughts?

Let’s say I detected some malicious thread in PsSetCreateThreadNotifyRoutine

How can you possibly decide that a THREAD(!!!) is malicious right upon the moment of its creation??? After all, a thread is nothing more than just a unit of scheduling. You can make such a bold decision concerning the process or module because they are backed up by the executable section, but when it comes to threads…

How would I be able to terminate it? ZwTerminateThread isn’t exported

What about doing it from the userland helper?

Anton Bassov
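The split the reply suggests (the kernel callback only records, a userland helper decides and acts) can be sketched as an added example; this is not code from the thread or from any real driver, and it is a portable C model rather than WDK code. It assumes the documented shape of a PsSetCreateThreadNotifyRoutine callback, which receives the target ProcessId, the ThreadId and a Create flag and runs in the context of the creating thread, so the creator's PID is what PsGetCurrentProcessId() would return there. The ring buffer, the helper state and the sample event sequence are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One record per notification. creator_pid models PsGetCurrentProcessId()
 * inside the callback; target_pid models the ProcessId argument. */
typedef struct {
    uint32_t creator_pid;
    uint32_t target_pid;
    uint32_t thread_id;
    bool     create;      /* true on creation, false on exit */
} thread_event_t;

#define RING_CAPACITY 64

/* Single-producer/single-consumer ring; the kernel side only appends. */
typedef struct {
    thread_event_t slots[RING_CAPACITY];
    size_t head, tail;
    size_t dropped;       /* events lost because the helper fell behind */
} event_ring_t;

void ring_init(event_ring_t *r) { memset(r, 0, sizeof *r); }

bool ring_push(event_ring_t *r, const thread_event_t *ev) {
    size_t next = (r->head + 1) % RING_CAPACITY;
    if (next == r->tail) { r->dropped++; return false; }  /* never block in the callback */
    r->slots[r->head] = *ev;
    r->head = next;
    return true;
}

bool ring_pop(event_ring_t *r, thread_event_t *out) {
    if (r->head == r->tail) return false;
    *out = r->slots[r->tail];
    r->tail = (r->tail + 1) % RING_CAPACITY;
    return true;
}

/* Model of the notify routine: record the event and return; no decision,
 * no termination attempt from inside the callback. */
void on_thread_notify(event_ring_t *r, uint32_t current_pid,
                      uint32_t process_id, uint32_t thread_id, bool create) {
    thread_event_t ev = { current_pid, process_id, thread_id, create };
    ring_push(r, &ev);
}

/* Userland helper state: processes whose initial thread has been seen.
 * A process's first thread is always created by its parent, so that one
 * creation must not count as a "remote" thread. */
#define MAX_TRACKED 128
typedef struct {
    uint32_t seen_pids[MAX_TRACKED];
    size_t   seen_count;
} helper_state_t;

static bool helper_seen(const helper_state_t *h, uint32_t pid) {
    for (size_t i = 0; i < h->seen_count; i++)
        if (h->seen_pids[i] == pid) return true;
    return false;
}

/* Returns true when a thread was created in an already-running process by a
 * different process, the classic signal worth a closer look on the helper side. */
bool helper_classify(helper_state_t *h, const thread_event_t *ev) {
    if (!ev->create) return false;
    if (!helper_seen(h, ev->target_pid)) {
        if (h->seen_count < MAX_TRACKED) h->seen_pids[h->seen_count++] = ev->target_pid;
        return false;  /* initial thread, created by the parent as expected */
    }
    return ev->creator_pid != ev->target_pid;
}

/* Drain everything the kernel side queued; return the number flagged. */
size_t helper_drain(helper_state_t *h, event_ring_t *r) {
    thread_event_t ev;
    size_t flagged = 0;
    while (ring_pop(r, &ev))
        if (helper_classify(h, &ev)) flagged++;
    return flagged;
}

/* Constructed sample sequence: only the third creation is cross-process
 * into a process that already exists. */
size_t demo(void) {
    event_ring_t ring;
    helper_state_t helper = {0};
    ring_init(&ring);
    on_thread_notify(&ring, 100, 200, 201, true);   /* parent 100 starts process 200 */
    on_thread_notify(&ring, 200, 200, 202, true);   /* 200 creates its own worker */
    on_thread_notify(&ring, 300, 200, 203, true);   /* 300 creates a thread inside 200 */
    on_thread_notify(&ring, 200, 200, 202, false);  /* exit notification, ignored */
    return helper_drain(&helper, &ring);
}

int main(void) {
    printf("flagged remote thread creations: %zu\n", demo());
    return 0;
}
```

The point of the model is the division of labour: the callback does nothing that could fail or block, and the helper carries the state (which processes exist, which creations are cross-process) that the callback alone does not have. The `dropped` counter is the caveat a practitioner wants visible: if the helper is not draining, events are lost rather than the callback stalling thread creation.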