How can I get all threads using 'NtQuerySystemInformation'?
I want to get all threads in the system using 'NtQuerySystemInformation'.
How can I do this?
Ah, so you want to *call* NtQuerySystemInformation? I thought you wanted to hook it.
Why don't you use the toolhelp functions instead to enumerate the threads? The toolhelp functions are fairly easy to use, they're official APIs and well documented.
Is there a specific reason why you don't simply use TerminateProcess?
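The Toolhelp enumeration madshi recommends, as an added example that is not code from the thread or from madCodeHook: it takes a TH32CS_SNAPTHREAD snapshot, walks it with Thread32First/Thread32Next, and groups the results by owning process. Assumes Windows and Python 3 with ctypes; the grouping helper is pure Python.

```python
"""Enumerate every thread on the system via the documented Toolhelp32 API."""
import ctypes
from ctypes import wintypes

TH32CS_SNAPTHREAD = 0x00000004          # snapshot all threads on the system
INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value


class THREADENTRY32(ctypes.Structure):
    # Field order and types follow the documented THREADENTRY32 layout.
    _fields_ = [("dwSize", wintypes.DWORD),
                ("cntUsage", wintypes.DWORD),
                ("th32ThreadID", wintypes.DWORD),
                ("th32OwnerProcessID", wintypes.DWORD),
                ("tpBasePri", wintypes.LONG),
                ("tpDeltaPri", wintypes.LONG),
                ("dwFlags", wintypes.DWORD)]


def snapshot_threads():
    """Return [(thread_id, owner_pid), ...] for all threads on the machine."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)   # loaded lazily: Windows only
    k32.CreateToolhelp32Snapshot.argtypes = [wintypes.DWORD, wintypes.DWORD]
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    for fn in (k32.Thread32First, k32.Thread32Next):
        fn.argtypes = [wintypes.HANDLE, ctypes.POINTER(THREADENTRY32)]
        fn.restype = wintypes.BOOL
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.CloseHandle.restype = wintypes.BOOL

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)  # pid arg ignored for threads
    if snap in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    entries = []
    try:
        te = THREADENTRY32()
        te.dwSize = ctypes.sizeof(THREADENTRY32)   # required, or Thread32First fails
        ok = k32.Thread32First(snap, ctypes.byref(te))
        while ok:
            entries.append((te.th32ThreadID, te.th32OwnerProcessID))
            ok = k32.Thread32Next(snap, ctypes.byref(te))
    finally:
        k32.CloseHandle(snap)
    return entries


def threads_by_process(entries):
    """Group (tid, pid) pairs into {pid: sorted list of thread ids}."""
    grouped = {}
    for tid, pid in entries:
        grouped.setdefault(pid, []).append(tid)
    return {pid: sorted(tids) for pid, tids in grouped.items()}


if __name__ == "__main__":
    for pid, tids in sorted(threads_by_process(snapshot_threads()).items()):
        print(f"pid {pid}: {len(tids)} thread(s)")
```

Because the snapshot covers every process, the per-process counts can be compared against what a process-level view reports; a mismatch between the two views is the kind of inconsistency the later replies in this thread are warning about.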
Well, then probably they hooked NtQuerySystemInformation - and not the toolhelp functions! So using NtQuerySystemInformation won't help, either. Anyway, here's some documentation about the API:
http://msdn.microsoft.com/library/defau ... mation.asp
http://undocumented.ntinternals.net/Use ... ation.html
And if Kaspersky is hooking NtQuery..., then they do it in ring0 (ntoskrnl.exe). So you have no chance of using this API against, for example, antivirus programs which protect their own handles (process, thread, etc.).
Don't try to code a ring3 security program. (This should be added as a new hooking rule, but madshi doesn't see it like me, right?)
Or something like this as a rule: "You can't be sure that the hooked API is 100% called. There are ways to bypass the hooking code and call the clean API. This is what you are doing with the NextHook call. Therefore ring3 code hooking is not good for creating security programs like AVs. They don't catch all (for example) file accesses to monitor files if they hook NtCreateFile. In ring0 there is the same problem. But the virus must be a driver. (see rootkit.com)"