Hi,
Introduction:
*********************
I am writing an application that needs to identify processes that have an injected thread; an injected thread is a thread whose creating process is different from the owning process.
The Query:
********************
How can I achieve that? I guess I have to get access to the process/thread tables; how should I do that?
Any help, sample or comment would be appreciated.
ThanX
Nadav.
Hook the NtCreateThread syscall and maintain your own tables.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Nadav
To: Windows File Systems Devs Interest List
Sent: Sunday, June 05, 2005 1:04 PM
Subject: [ntfsd] Threads/Processes tables
Hi Maxim,
Thanks for your immediate response. I need to access the thread tables ( KPROCESS::ThreadListHead ) only for read access… would it really be needed to manage my own list for that? And what if I am ‘scanning’ an existing process for ‘injected threads’, how should I support this scenario [???]
Many thanks,
Nadav.
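An added example, not code from this thread or any of its participants: the creator-versus-owner thread table that Maxim's "maintain your own tables" advice implies, together with the verdict a scan of an already-running process can and cannot give (Nadav's second question). It assumes the table is fed from a PsSetCreateThreadNotifyRoutine callback (the documented notification API, standing in for a hook on NtCreateThread), that the Create==TRUE call runs in the creating thread's context so PsGetCurrentProcessId() is the creator, and that the driver serialises access to the table; the kernel glue is described only in comments so the block builds anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_THREADS 4096 /* fixed table for illustration; a driver would use a lock and a real container */
enum verdict { THREAD_OK = 0, THREAD_INJECTED = 1, THREAD_UNKNOWN = 2 };
typedef struct {
    uintptr_t tid;     /* ThreadId handle value given to the notify routine  */
    uintptr_t owner;   /* ProcessId: the process the thread belongs to       */
    uintptr_t creator; /* PsGetCurrentProcessId() in the creating thread     */
    int initial;       /* first thread seen for owner: created by its parent */
} thread_rec;
static thread_rec g_table[MAX_THREADS];
static size_t g_count;

static thread_rec *find_rec(uintptr_t tid) {
    for (size_t i = 0; i < g_count; i++)
        if (g_table[i].tid == tid) return &g_table[i];
    return NULL;
}

/* Create==TRUE notification: on_thread_create(ThreadId, ProcessId, PsGetCurrentProcessId()).
   Returns 0, or -1 when the table is full or the ThreadId is already recorded. */
int on_thread_create(uintptr_t tid, uintptr_t owner, uintptr_t creator) {
    int initial = 1; /* a process's first thread is created by its parent, not injected */
    if (g_count == MAX_THREADS) return -1;
    for (size_t i = 0; i < g_count; i++) {
        if (g_table[i].tid == tid) return -1;
        if (g_table[i].owner == owner) initial = 0;
    }
    thread_rec *r = &g_table[g_count++];
    r->tid = tid; r->owner = owner; r->creator = creator; r->initial = initial;
    return 0;
}

/* Create==FALSE notification: drop the record so a reused ThreadId starts clean. */
void on_thread_delete(uintptr_t tid) {
    thread_rec *r = find_rec(tid);
    if (r) *r = g_table[--g_count];
}

/* No record means the thread predates the driver and the table cannot classify it:
   that is the gap in the "scan an existing process" case Nadav asks about. */
enum verdict classify_thread(uintptr_t tid) {
    const thread_rec *r = find_rec(tid);
    if (!r) return THREAD_UNKNOWN;
    return (r->initial || r->creator == r->owner) ? THREAD_OK : THREAD_INJECTED;
}

/* Scan of one process: recorded threads of `owner` that another process created. */
size_t count_injected(uintptr_t owner) {
    size_t n = 0;
    for (size_t i = 0; i < g_count; i++)
        if (g_table[i].owner == owner && classify_thread(g_table[i].tid) == THREAD_INJECTED) n++;
    return n;
}
```

The ids below are constructed values; in a driver they would be the ProcessId/ThreadId handles the callback receives.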
In addition, I have to be able to convert a user-mode Process ID to a kernel _EPROCESS
OR
to be able to iterate the process table for all available processes…
How do I do that?
PsLookupProcessByProcessId
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Nadav
To: Windows File Systems Devs Interest List
Sent: Sunday, June 05, 2005 2:49 PM
Subject: Re: [ntfsd] Threads/Processes tables