Let’s say I detected some malicious thread in PsSetCreateThreadNotifyRoutine
How would I be able to terminate it?
ZwTerminateThread isn’t exported, so I thought of injecting an APC or calling PsSetCreateThreadNotifyRoutineEx in the context of the created thread, but there isn’t a function like ExitThread exposed in the kernel.
I know I can set PsSetLoadImageNotifyRoutine and keep, in some process context structure, the address of ExitThread in kernel32, and maybe I could manage to open a user-mode APC on that address, but that sounds far too complicated to do in the kernel, and I’m trying to find some elegant way of achieving this.
Any thoughts?