Sysmon functionality

I have a potentially stupid question (let me know if it is): I have been trying to duplicate some of the functionality that is available in Sysmon. I would like to get the start address, start module, and start function from a thread that has been launched in the PsSetCreateThreadNotifyRoutine. How likely is this to be possible? How much undocumented functionality will I have to rely on? Is it even possible to get all this information from that place in the kernel?

Thanks in advance for any answers.

Short answer: no, nothing documented for the mere mortals to use. Why do you need this? Just for endpoint monitoring purposes?

Long answer:

ZwQueryInformationThread for ThreadQuerySetWin32StartAddress is how you would get the start address but it’s not documented for kernel mode use (though it IS documented as NtQueryInformationThread for user mode use).

There is no kernel API (documented or otherwise) that I know of to turn that address into the containing module. You might be able to get away with building a database of loaded modules using an ImageLoadNotify routine and using that for lookups.

Turning that address into a name is another can of worms as that requires it to be either an export of the module or for you to have PDBs (and those will certainly only be useful in user mode).

The Sysmon documentation is actually pretty interesting here:

Note that StartModule and StartFunction fields are inferred, they might be empty if the starting address is outside loaded modules or known exported functions.

So, they’re comparing it against the loaded module list (somehow) and only give you the name if the address is an export.

If you REALLY need to duplicate this behavior it will likely be non-trivial to get correct.

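To make the "database of loaded modules plus export lookup" idea above concrete, here is an added example (not code from the thread, and not Sysmon's implementation). It is portable C rather than a driver so it can be run anywhere: the module list that a PsSetLoadImageNotifyRoutine callback would populate is a plain array filled by a hypothetical record_module_load(), the "loaded image" is a constructed in-memory PE32+ (named fake.dll) containing only an export directory, and resolve_start_address() applies the same inference the Sysmon note describes: module from the address range, function name only when the address is exactly an exported RVA, both empty when the address is outside every known module. Every RVA read from the image is bounds-checked because the image headers are attacker-controlled data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: Sysmon-style StartModule/StartFunction inference from a
 * thread start address, using a module table and PE export parsing. */

#define MAX_MODULES 16
typedef struct { uintptr_t base; size_t size; char name[64]; } module_rec;
static module_rec g_modules[MAX_MODULES];
static int g_module_count;

/* What an image-load notify callback would record (hypothetical helper). */
static void record_module_load(const char *name, const void *base, size_t size)
{
    if (g_module_count >= MAX_MODULES) return;
    module_rec *m = &g_modules[g_module_count++];
    m->base = (uintptr_t)base; m->size = size;
    snprintf(m->name, sizeof m->name, "%s", name);
}

/* Bounds-checked little-endian reads: every offset comes from the image itself. */
static int rd32(const uint8_t *img, size_t size, size_t off, uint32_t *out)
{
    if (off > size || size - off < 4) return 0;
    *out = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 1;
}
static int rd16(const uint8_t *img, size_t size, size_t off, uint16_t *out)
{
    if (off > size || size - off < 2) return 0;
    *out = (uint16_t)(img[off] | img[off + 1] << 8);
    return 1;
}

/* Walk the export directory; succeed only if some export RVA equals rva exactly. */
static int lookup_export(const uint8_t *img, size_t size, uint32_t rva, char *out, size_t outlen)
{
    uint32_t lfanew, sig, exp_rva, nfuncs, nnames, afuncs, anames, aords;
    uint16_t optmagic;
    if (!rd32(img, size, 0x3C, &lfanew)) return 0;
    if (!rd32(img, size, lfanew, &sig) || sig != 0x00004550u) return 0;     /* "PE\0\0" */
    size_t opt = (size_t)lfanew + 24;                                        /* optional header */
    if (!rd16(img, size, opt, &optmagic) || optmagic != 0x20B) return 0;    /* PE32+ only */
    if (!rd32(img, size, opt + 112, &exp_rva) || exp_rva == 0) return 0;   /* DataDirectory[0] */
    if (!rd32(img, size, exp_rva + 20, &nfuncs) || !rd32(img, size, exp_rva + 24, &nnames) ||
        !rd32(img, size, exp_rva + 28, &afuncs) || !rd32(img, size, exp_rva + 32, &anames) ||
        !rd32(img, size, exp_rva + 36, &aords) || nnames > 0x10000) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint16_t ord; uint32_t frva, nrva;
        if (!rd16(img, size, aords + 2u * i, &ord) || ord >= nfuncs) return 0;
        if (!rd32(img, size, afuncs + 4u * ord, &frva)) return 0;
        if (frva != rva) continue;
        if (!rd32(img, size, anames + 4u * i, &nrva) || nrva >= size) return 0;
        size_t n = 0;                                   /* copy a NUL-terminated name, bounded */
        while (nrva + n < size && img[nrva + n] != 0 && n < outlen - 1) n++;
        memcpy(out, img + nrva, n); out[n] = 0;
        return 1;
    }
    return 0;
}

/* Returns 1 if addr lies in a known module; func is filled only for an exact export hit. */
static int resolve_start_address(uintptr_t addr, char *module, size_t mlen, char *func, size_t flen)
{
    module[0] = func[0] = 0;
    for (int i = 0; i < g_module_count; i++) {
        const module_rec *m = &g_modules[i];
        if (addr < m->base || addr - m->base >= m->size) continue;
        snprintf(module, mlen, "%s", m->name);
        lookup_export((const uint8_t *)m->base, m->size, (uint32_t)(addr - m->base), func, flen);
        return 1;
    }
    return 0;   /* outside every loaded module: both fields stay empty */
}

/* Constructed sample: a minimal PE32+ image exporting ThreadStart (0x1000) and Helper (0x1040). */
static uint8_t g_image[0x2000];
static void put32(size_t off, uint32_t v) { for (int i = 0; i < 4; i++) g_image[off + i] = (uint8_t)(v >> (8 * i)); }
static void put16(size_t off, uint16_t v) { g_image[off] = (uint8_t)v; g_image[off + 1] = (uint8_t)(v >> 8); }
static void build_fake_image(void)
{
    memset(g_image, 0, sizeof g_image);
    g_image[0] = 'M'; g_image[1] = 'Z';
    put32(0x3C, 0x80); put32(0x80, 0x00004550u); put16(0x98, 0x20B);   /* e_lfanew, PE sig, PE32+ */
    put32(0x98 + 112, 0x200); put32(0x98 + 116, 0x100);               /* export dir RVA/size */
    put32(0x200 + 20, 2); put32(0x200 + 24, 2);                        /* NumberOfFunctions/Names */
    put32(0x200 + 28, 0x240); put32(0x200 + 32, 0x250); put32(0x200 + 36, 0x260);
    put32(0x240, 0x1000); put32(0x244, 0x1040);                        /* AddressOfFunctions */
    put32(0x250, 0x280);  put32(0x254, 0x290);                         /* AddressOfNames */
    put16(0x260, 0);      put16(0x262, 1);                             /* AddressOfNameOrdinals */
    memcpy(g_image + 0x280, "ThreadStart", 12); memcpy(g_image + 0x290, "Helper", 7);
}

int main(void)
{
    char mod[64], fn[64];
    build_fake_image();
    record_module_load("fake.dll", g_image, sizeof g_image);
    uintptr_t base = (uintptr_t)g_image;
    resolve_start_address(base + 0x1040, mod, sizeof mod, fn, sizeof fn);
    printf("%s!%s\n", mod, fn);      /* fake.dll!Helper */
    resolve_start_address(base + 0x1042, mod, sizeof mod, fn, sizeof fn);
    printf("%s!%s\n", mod, fn);      /* fake.dll! : inside the module but not an export */
    return 0;
}
```

In a real driver the image bytes would have to be read from the target process's address space (the export directory lives in user-mode pages), which brings back exactly the probing, exception-handling and TOCTOU concerns that apply to any kernel code reading user memory; the bounds checks here are the part that survives that move, not a substitute for it.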

Scott,
Thank you for the comment. I really appreciate you taking the time.
From what I have been able to find, if I can get that start address from the undocumented function mentioned, I might be able to get the module name by iterating through the InMemoryOrderModuleList of the PEB. It’s all undocumented, but I might be able to get two out of three bits of information.
To answer your question, yes, this is a simple activity monitor, not trying to change anything.

Be VERY careful about going down the path of walking the PEB. It’s in user mode and thus it’s under the control of a malicious (or stupid) user mode component. You get the fun of METHOD_NEITHER (try/except, probing, TOCTOU, etc.) combined with walking undocumented structures. Can be very easy to add a security vulnerability to the system you’re monitoring.