How to create a thread in a user mode application from kernel mode?

OSR_Community_User · July 13, 2012, 4:25pm

Hello all,

Is there a way for a kernel mode minifilter to start a thread (i.e. basically, do the equivalent of CreateRemoteThread, including parameter) in a user mode application? I am guessing the answer is no, but I’m not sure which is why I am asking.

Don_Burn · July 13, 2012, 4:33pm

The answer is no. What are you trying to do that you think you need
this?

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@hotmail.com” wrote in
message news:xxxxx@ntdev:

> Hello all,
>
> Is there a way for a kernel mode minifilter to start a thread (i.e. basically, do the equivalent of CreateRemoteThread, including parameter) in a user mode application? I am guessing the answer is no, but I’m not sure which is why I am asking.

OSR_Community_User · July 13, 2012, 4:42pm

We’d like to develop sophisticated monitoring software for compliance auditing purposes which require us to inject a DLL in running processes (since the existing facilities of the operating system are insufficient when it comes to providing us with the level of granularity we are looking to achieve). We looked into just starting a process in each user session, but we are having issues with that. And we certainly could not do cross session “CreateRemoteThread” since that no longer works. So I am trying to figure out if there is a more ubiquitous way of reliably calling CreateRemoteThread in every starting process. I know that it’s pretty easy of the process loads USER32.DLL, but if it doesn’t then it’s trickier. Too bad Microsoft could not do a KERNEL32.DLL equivalent of AppInit_DLLs, that would have made life infinitely simple for many developers.

Doron_Holan · July 13, 2012, 4:50pm

What problem are you trying to solve?

d

debt from my phone

From: xxxxx@hotmail.com
Sent: 7/13/2012 1:25 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to create a thread in a user mode application from kernel mode?

Hello all,

Is there a way for a kernel mode minifilter to start a thread (i.e. basically, do the equivalent of CreateRemoteThread, including parameter) in a user mode application? I am guessing the answer is no, but I’m not sure which is why I am asking.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · July 13, 2012, 4:54pm

Explained in my previous post…

Peter_Viscarola_OSR · July 13, 2012, 4:57pm

“sophisticated monitoring software for compliance auditing” == { }

http://www.osronline.com/downloads/pp_asking.pdf

There’s usually a better way to do what you NEED to do, without resorting to DLL injection.

Peter
OSR

OSR_Community_User · July 13, 2012, 5:01pm

*Sigh* I wish I could go more into details, but I won’t be doing it in an open forum.

Peter_Viscarola_OSR · July 13, 2012, 5:11pm

And I’m sure we all wish we could help you. But a marketing tag line does not an engineering problem statement make.

Sorry,

Peter
OSR

Peter_Viscarola_OSR · July 13, 2012, 5:16pm

(you see we had this thread earlier this week: http://www.osronline.com/showthread.cfm?link=228711)

OSR_Community_User · July 13, 2012, 5:35pm

Yeah, I saw that seconds after posting this thread. Feel free to nuke this thread since it’s redundant.

TheOldOne · July 18, 2012, 2:51am

I’m a bit late to the party, but FYI, creating a remote thread in a newly
started process is a very bad idea. The remote thread might start running
before the real main thread does. All modules of the process will then get
DLL_PROCESS_ATTACH events for the remote thread first, before the
DLL_PROCESS_ATTACH events for the main thread. As a result all modules will
then consider your remote thread to be the main thread. Many applications
still run fine this way, but some don’t. You should generally not create
remote threads for newly started (not yet fully initialized) processes.

Since “advertizing” is not allowed in this list, if you want to know one
possible solution to your problem, drop me a private email.

Best regards, Mathias.

2012/7/13

> We’d like to develop sophisticated monitoring software for compliance
> auditing purposes which require us to inject a DLL in running processes
> (since the existing facilities of the operating system are insufficient
> when it comes to providing us with the level of granularity we are looking
> to achieve). We looked into just starting a process in each user session,
> but we are having issues with that. And we certainly could not do cross
> session “CreateRemoteThread” since that no longer works. So I am trying to
> figure out if there is a more ubiquitous way of reliably calling
> CreateRemoteThread in every starting process. I know that it’s pretty easy
> of the process loads USER32.DLL, but if it doesn’t then it’s trickier. Too
> bad Microsoft could not do a KERNEL32.DLL equivalent of AppInit_DLLs, that
> would have made life infinitely simple for many developers.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>