How to detect the kill or suspend of the thread?

Hi, all.
I'm writing a file monitoring program for security.
For example, whenever a file in a specific area is moved / copied to another area,
a log record is written.
In general it works well. BTW, if anyone kills or suspends the monitoring thread or driver-IO thread, no log will be recorded.

I can learn of the termination of the thread by using PsSetCreateThreadNotifyRoutine, but it doesn't notify me of the suspension of the thread.

How can I detect that my thread has been killed or suspended?

Thanks.

If it is a driver thread, the only component which can suspend your thread is another KM driver. If there is another driver suspending your thread/actively looking to thwart your monitoring, there is nothing you can do. That driver has the same security level that you do and can undo anything you do.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Sunday, May 17, 2009 7:42 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to detect the kill or suspend of the thread?


Thanks Doron, for your quick answer.

The thread whose state change I want to know about is created by a user mode app.
It repeatedly receives the logs from the driver and sends them to the server.
I don't want to deny unintended termination or suspension. I only want to detect the state change of the thread caused by well-known tools such as Process Explorer.

Is there any way to do it?

Thanks.
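One defensive pattern for the user-mode case in the follow-up, as an added example in portable C (not code from the original thread or from OSR): the log-forwarding thread bumps a shared heartbeat on every loop iteration, and a watchdog running outside that thread reports a stall once the heartbeat stops advancing. All names are hypothetical; on Windows the watchdog could additionally wait on the thread handle to tell a kill from a suspend, which is omitted here to keep the code portable.

```c
#include <stdbool.h>
#include <stdint.h>

/* Heartbeat shared by the log-forwarding thread and a watchdog that runs
   outside it (another thread or, better, another process). Hypothetical names. */
struct heartbeat {
    uint64_t ticks;    /* bumped by the forwarder once per loop iteration */
    uint64_t last_ms;  /* timestamp of the most recent tick */
    bool     exited;   /* set only when the forwarder leaves its loop normally */
};

enum thread_state { THREAD_HEALTHY, THREAD_STALLED, THREAD_EXITED };

/* Forwarder side: call after every iteration. Use a timed wait for driver
   logs so the loop still ticks when no records arrive. */
void heartbeat_tick(struct heartbeat *hb, uint64_t now_ms)
{
    hb->ticks++;
    hb->last_ms = now_ms;
}

/* Watchdog side. A clean exit reports THREAD_EXITED; a kill via
   TerminateThread or a suspend from a tool such as Process Explorer both
   show up as a heartbeat that stops advancing, i.e. THREAD_STALLED. */
enum thread_state watchdog_check(const struct heartbeat *hb, uint64_t *seen_ticks,
                                 uint64_t now_ms, uint64_t timeout_ms)
{
    if (hb->exited) return THREAD_EXITED;
    if (hb->ticks != *seen_ticks) {   /* made progress since the last poll */
        *seen_ticks = hb->ticks;
        return THREAD_HEALTHY;
    }
    return (now_ms - hb->last_ms > timeout_ms) ? THREAD_STALLED : THREAD_HEALTHY;
}

/* Constructed scenario: the forwarder ticks every 100 ms until stop_at_ms,
   optionally exiting cleanly there; the watchdog polls every 500 ms with a
   500 ms tolerance, and the result of its final poll at end_ms is returned. */
enum thread_state run_scenario(uint64_t stop_at_ms, bool clean_exit, uint64_t end_ms)
{
    struct heartbeat hb = {0, 0, false};
    uint64_t seen = 0;
    enum thread_state state = THREAD_HEALTHY;
    for (uint64_t t = 0; t <= end_ms; t += 100) {
        if (t < stop_at_ms) heartbeat_tick(&hb, t);
        else if (clean_exit) hb.exited = true;
        if (t % 500 == 0) state = watchdog_check(&hb, &seen, t, 500);
    }
    return state;
}
```

As Doron's answer implies, this only detects the stall after the fact, and a tool that suspends the watchdog as well defeats it, which is why the watchdog belongs in a separate process.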