Sysmon functionality

scotts3l33t Member Posts: 6

I have a potentially stupid question (let me know if it is): I have been trying to duplicate some of the functionality that is available in Sysmon. I would like to get the start address, start module, and start function from a thread that has been launched in the PsSetCreateThreadNotifyRoutine. How likely is this to be possible? How much undocumented functionality will I have to rely on? Is it even possible to get all this information from that place in the kernel?

Thanks in advance for any answers.


  • Scott_Noone_(OSR) Administrator Posts: 3,300

    Short answer: no, nothing documented for the mere mortals to use. Why do you need this? Just for endpoint monitoring purposes?

    Long answer:

    ZwQueryInformationThread for ThreadQuerySetWin32StartAddress is how you would get the start address but it's not documented for kernel mode use (though it IS documented as NtQueryInformationThread for user mode use).

    There is no kernel API (documented or otherwise) that I know of to turn that address into the containing module. You might be able to get away with building a database of loaded modules using an ImageLoadNotify routine and using that for lookups.

    Turning that address into a name is another can of worms as that requires it to be either an export of the module or for you to have PDBs (and those will certainly only be useful in user mode).

    The Sysmon documentation is actually pretty interesting here:

    Note that StartModule and StartFunction fields are inferred, they might be empty if the starting address is outside loaded modules or known exported functions.

    So, they're comparing it against the loaded module list (somehow) and only give you the name if the address is an export.

    If you REALLY need to duplicate this behavior it will likely be non-trivial to get correct.
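To make the inference Scott describes concrete, here is an added example that is not code from this thread, from OSR or from Sysmon. It is plain C so it compiles in user mode: it keeps a table of loaded images (in a real driver the assumed `add_module()` would be called from a PsSetLoadImageNotifyRoutine callback with the base, size and image path that callback receives, which is not shown here), resolves a thread start address to its containing module, and reports a function name only when the address is exactly an exported entry point, otherwise leaving the field empty. The module names, base addresses and export tables are constructed sample values, not real layouts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of a "loaded module database" for start-address
 * lookups. In a driver, add_module() would be fed from the image-load
 * notify callback (assumed usage, not shown); everything here is portable C. */

#define MAX_MODULES 64
#define MAX_EXPORTS 16

typedef struct {
    const char *name;
    uintptr_t   rva;            /* offset of the export from the image base */
} export_entry;

typedef struct {
    const char   *name;
    uintptr_t     base;
    size_t        size;
    export_entry  exports[MAX_EXPORTS];   /* constructed export table */
    size_t        export_count;
} module_entry;

static module_entry g_modules[MAX_MODULES];
static size_t g_module_count;

void reset_modules(void) { g_module_count = 0; }

/* Record a loaded image. Returns 0 on success, -1 if the input is invalid
 * or the table is full. */
int add_module(const char *name, uintptr_t base, size_t size,
               const export_entry *exports, size_t export_count)
{
    if (g_module_count >= MAX_MODULES || export_count > MAX_EXPORTS || size == 0)
        return -1;
    module_entry *m = &g_modules[g_module_count++];
    m->name = name;
    m->base = base;
    m->size = size;
    m->export_count = export_count;
    if (export_count)
        memcpy(m->exports, exports, export_count * sizeof *exports);
    return 0;
}

/* Return the module whose [base, base+size) range contains addr, or NULL.
 * A linear scan is enough for a demo; a driver would also need a lock
 * (loads and unloads race with thread-create callbacks). */
const module_entry *lookup_module(uintptr_t addr)
{
    for (size_t i = 0; i < g_module_count; i++) {
        const module_entry *m = &g_modules[i];
        if (addr >= m->base && addr - m->base < m->size)
            return m;
    }
    return NULL;
}

/* Mirror the Sysmon documentation: StartModule is the containing image
 * ("" if none), StartFunction is an export name only when the address is
 * exactly that export ("" otherwise). Returns how many fields were resolved. */
int resolve_start_address(uintptr_t addr, const char **module_out,
                          const char **function_out)
{
    *module_out = "";
    *function_out = "";
    const module_entry *m = lookup_module(addr);
    if (!m)
        return 0;
    *module_out = m->name;
    uintptr_t rva = addr - m->base;
    for (size_t i = 0; i < m->export_count; i++) {
        if (m->exports[i].rva == rva) {
            *function_out = m->exports[i].name;
            return 2;
        }
    }
    return 1;
}

/* Populate the table with constructed sample images (not real addresses). */
void load_sample_modules(void)
{
    static const export_entry ntdll_exports[] = {
        { "RtlUserThreadStart", 0x1000 },
        { "LdrInitializeThunk", 0x2000 },
    };
    static const export_entry k32_exports[] = {
        { "BaseThreadInitThunk", 0x0500 },
    };
    reset_modules();
    add_module("ntdll.dll",    0x7F000000u, 0x200000, ntdll_exports, 2);
    add_module("kernel32.dll", 0x7E000000u, 0x100000, k32_exports, 1);
}

int main(void)
{
    load_sample_modules();
    /* constructed start addresses: an export, a non-export inside ntdll,
     * an export in kernel32, and an address in no loaded module */
    uintptr_t samples[] = { 0x7F001000u, 0x7F001234u, 0x7E000500u, 0x12345678u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *mod, *fn;
        resolve_start_address(samples[i], &mod, &fn);
        printf("%#lx -> StartModule=\"%s\" StartFunction=\"%s\"\n",
               (unsigned long)samples[i], mod, fn);
    }
    return 0;
}
```

The last sample address shows the case the Sysmon note is about: an address outside every recorded image yields empty StartModule and StartFunction rather than a guess, which is the behaviour a monitoring product should preserve so that analysts can distinguish "unknown" from "resolved".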


  • scotts3l33t Member Posts: 6
    edited May 28

    Thank you for the comment. I really appreciate you taking the time.
    From what I have been able to find, if I can get that start address from the undocumented function mentioned, I might be able to get the module name by iterating through the InMemoryOrderModuleList of the PEB. It's all undocumented, but I might be able to get two out of three bits of information.
    To answer your question, yes, this is a simple activity monitor, not trying to change anything.

  • Scott_Noone_(OSR) Administrator Posts: 3,300

    Be VERY careful about going down the path of walking the PEB. It's in user mode and thus it's under the control of a malicious (or stupid) user mode component. You get the fun of METHOD_NEITHER (try/except, probing, TOCTOU, etc.) combined with walking undocumented structures. Can be very easy to add a security vulnerability to the system you're monitoring.

