Kernel notification or hook for APC

Is it possible to hook APC creation at kernel level, for example an APC queued with QueueUserAPC()? Not a user-mode API hook, and not a kernel-mode SSDT hook or code splicing.

Not possible.

Not without a hypervisor.

On Mon, May 8, 2017 at 8:08 AM, wrote:

> Not possible.

- ab

Is there a notification/hook, as above, for thread state change? Then it would be possible to know that a thread was in an alertable sleeping state and later was woken up.

I’ll be the one to ask the time-honored NTDEV question:

What are you trying to ultimately achieve? If you tell us your overall goal, we can help you better.

Peter
OSR
@OSRDrivers

The aim is to hook process injection using APC, either from user mode or from kernel mode. Thread injection hook is trivial.

xxxxx@gmail.com wrote:

Is there a notification/hook, as above, for thread state change? Then it would be possible to know that a thread was in an alertable sleeping state and later was woken up.

That’s a Catch-22. In order to send the notification that a thread had been awakened, you would have to put the thread to sleep.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.