Threads/Processes tables

Hi,

Introduction:
*********************
I am writing an application that needs to identify processes that have an injected thread; an injected thread is a thread whose creating process is different from the owning process.

The Query:
********************
How can I achieve that? I guess I have to get access to the process/thread tables; how should I do that?

Any help sample or comment would be appreciated.

ThanX
Nadav.


Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Hook the NtCreateThread syscall and maintain your own tables.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Nadav
To: Windows File Systems Devs Interest List
Sent: Sunday, June 05, 2005 1:04 PM
Subject: [ntfsd] Threads/Processes tables


Hi Maxim,

Thanks for your immediate response. I need to access the thread tables (KPROCESS::ThreadListHead) only for read access… would it really be needed to manage my own list for that? And what if I am ‘scanning’ an existing process for ‘injected threads’, how should I support this scenario [???]

Many thanks,
Nadav.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

To unsubscribe send a blank email to xxxxx@lists.osr.com


In addition I have to be able to convert a user-mode Process ID to a kernel _EPROCESS,
OR
to be able to iterate the process table for all available processes…

How do I do that?

---------------------------------
Discover Yahoo!
Have fun online with music videos, cool games, IM & more. Check it out!

PsLookupProcessByProcessId

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Nadav
To: Windows File Systems Devs Interest List
Sent: Sunday, June 05, 2005 2:49 PM
Subject: Re: [ntfsd] Threads/Processes tables

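Maxim's "maintain your own tables" suggestion, written out as an added example (my code, not anything posted in the thread): a portable-C thread table fed with constructed creation events of the kind a kernel thread-creation callback would deliver, where the creator is the process whose thread issued the create and the owner is the process the new thread lands in. It exempts a process's initial thread, which is legitimately created by the parent; all pids and tids are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example: an "own table" of threads as Maxim suggests. In a driver
 * the events would come from a thread-creation callback; here they are
 * constructed. creator_pid = process whose thread issued the create,
 * owner_pid = process the new thread belongs to. */
#define MAX_THREADS 64

typedef struct {
    unsigned owner_pid;   /* process the thread runs in */
    unsigned creator_pid; /* process that created it */
    unsigned tid;
    bool injected;        /* creator != owner, and not the initial thread */
} thread_rec;

static thread_rec table[MAX_THREADS];
static size_t count = 0;

/* A process's very first thread is legitimately created by its parent
 * (the CreateProcess path), so creator != owner is only suspicious once
 * the process already has a thread in the table. */
static bool process_known(unsigned owner_pid) {
    for (size_t i = 0; i < count; i++)
        if (table[i].owner_pid == owner_pid) return true;
    return false;
}

/* Record one creation event; returns true if the thread is flagged. */
bool record_thread(unsigned creator_pid, unsigned owner_pid, unsigned tid) {
    if (count >= MAX_THREADS) return false; /* table full: not recorded */
    bool injected = creator_pid != owner_pid && process_known(owner_pid);
    table[count++] = (thread_rec){ owner_pid, creator_pid, tid, injected };
    return injected;
}

/* Nadav's "scan an existing process": count flagged threads owned by pid. */
size_t injected_count(unsigned pid) {
    size_t n = 0;
    for (size_t i = 0; i < count; i++)
        if (table[i].owner_pid == pid && table[i].injected) n++;
    return n;
}

void reset_table(void) { count = 0; }
```

Threads created before the table started recording are invisible to it, which is the gap behind Nadav's question about scanning an existing process; PsLookupProcessByProcessId resolves a PID to an EPROCESS but does not by itself tell you who created any of its threads.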