How can I get all threads using 'NtQuerySystemInformation'?

delphi package - easy access to kernel objects etc.
jzjjony
Posts: 15
Joined: Mon Jan 23, 2006 12:33 pm


Post by jzjjony »

I want to get all threads in the system using NtQuerySystemInformation.
How can I do that?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

For what purpose do you need this? It's usually used by trojans and viruses, so madCodeHook generally does not allow hooking of this API.
jzjjony
Posts: 15
Joined: Mon Jan 23, 2006 12:33 pm

Post by jzjjony »

I want to use TerminateThread to terminate a process, but for some processes I can't get their threads.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Ah, so you want to *call* NtQuerySystemInformation? I thought you wanted to hook it.

Why don't you use the toolhelp functions instead to enumerate the threads? The toolhelp functions are fairly easy to use, they're official APIs and well documented.

Is there a specific reason why you don't simply use TerminateProcess?
Arksole Hoax
Posts: 211
Joined: Sat May 08, 2004 11:41 am

Post by Arksole Hoax »

Are there some "hidden" processes, or can't you just "kill" them?
jzjjony
Posts: 15
Joined: Mon Jan 23, 2006 12:33 pm

Post by jzjjony »

So, the toolhelp functions can enumerate most processes' threads,
but a few they cannot, such as Kaspersky's process. I think it hooked the toolhelp functions. I intend to make a new "task manager" that can terminate all processes.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Well, then probably they hooked NtQuerySystemInformation - and not the toolhelp functions! So using NtQuerySystemInformation won't help, either. Anyway, here's some documentation about the API:

http://msdn.microsoft.com/library/defau ... mation.asp
http://undocumented.ntinternals.net/Use ... ation.html
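The two answers above recommend the toolhelp functions, link the NtQuerySystemInformation documentation, and note that a hook on NtQuerySystemInformation defeats both. The program below is an added example in Delphi, not code from this thread and not part of madCodeHook: it builds a PID-to-thread-count map both ways and prints every PID where the two views disagree. It assumes Delphi XE2 or later (NativeUInt, Generics.Collections) and relies on the record layout documented in winternl.h, with the documented full record sizes of 184/256 bytes (process) and 64/80 bytes (thread) on Win32/Win64; the information class number 5 (SystemProcessInformation) is taken from the ntinternals page linked above.

```delphi
program ThreadViews;
{$APPTYPE CONSOLE}
// Added example (not from the forum thread or madCodeHook): count each process's
// threads via NtQuerySystemInformation and via Toolhelp and print any disagreement.
uses
  Windows, SysUtils, TlHelp32, Generics.Collections;
type
  NTSTATUS = LongInt;
  UNICODE_STRING = record Length, MaximumLength: Word; Buffer: PWideChar; end;
  CLIENT_ID = record UniqueProcess, UniqueThread: THandle; end;
  // Leading fields only, per winternl.h; the full records are ProcRecSize/ThreadRecSize bytes.
  SYSTEM_PROCESS_INFORMATION = record
    NextEntryOffset, NumberOfThreads: ULONG;
    Reserved1: array[0..47] of Byte;      // spare fields + create/user/kernel time
    ImageName: UNICODE_STRING;
    BasePriority: LongInt;
    UniqueProcessId: THandle;
  end;                                    // NumberOfThreads thread records follow each entry
  PSYSTEM_PROCESS_INFORMATION = ^SYSTEM_PROCESS_INFORMATION;
  SYSTEM_THREAD_INFORMATION = record
    KernelTime, UserTime, CreateTime: Int64;
    WaitTime: ULONG;
    StartAddress: Pointer;
    ClientId: CLIENT_ID;                  // ClientId.UniqueThread is the thread ID
  end;
  PSYSTEM_THREAD_INFORMATION = ^SYSTEM_THREAD_INFORMATION;
const
  SystemProcessInformation = 5;           // information class from the ntinternals docs
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);
  {$IFDEF WIN64} ProcRecSize = 256; ThreadRecSize = 80;
  {$ELSE} ProcRecSize = 184; ThreadRecSize = 64; {$ENDIF}

function NtQuerySystemInformation(InfoClass: ULONG; Info: Pointer; Len: ULONG;
  ReturnLen: PULONG): NTSTATUS; stdcall; external 'ntdll.dll';

// PID -> thread count, read from ntdll's SystemProcessInformation list.
function CountThreadsViaNtQuery: TDictionary<DWORD, Integer>;
var
  Buf: Pointer; Size: ULONG; Status: NTSTATUS; I, N: Integer;
  P: PSYSTEM_PROCESS_INFORMATION; T: PSYSTEM_THREAD_INFORMATION;
begin
  Result := TDictionary<DWORD, Integer>.Create;
  Buf := nil; Size := 256 * 1024;
  repeat                                  // grow the buffer until the snapshot fits
    ReallocMem(Buf, Size);
    Status := NtQuerySystemInformation(SystemProcessInformation, Buf, Size, nil);
    if Status = STATUS_INFO_LENGTH_MISMATCH then Size := Size * 2;
  until Status <> STATUS_INFO_LENGTH_MISMATCH;
  try
    if Status < 0 then
      raise Exception.CreateFmt('NtQuerySystemInformation: 0x%.8x', [Cardinal(Status)]);
    P := Buf;
    repeat
      // Walk the thread array rather than trusting NumberOfThreads: with a wrong
      // record size UniqueProcess stops matching and N comes up short.
      T := PSYSTEM_THREAD_INFORMATION(NativeUInt(P) + ProcRecSize); N := 0;
      for I := 1 to Integer(P.NumberOfThreads) do
      begin
        if T.ClientId.UniqueProcess = P.UniqueProcessId then Inc(N);
        T := PSYSTEM_THREAD_INFORMATION(NativeUInt(T) + ThreadRecSize);
      end;
      Result.AddOrSetValue(DWORD(P.UniqueProcessId), N);
      if P.NextEntryOffset = 0 then Break;
      P := PSYSTEM_PROCESS_INFORMATION(NativeUInt(P) + P.NextEntryOffset);
    until False;
  finally
    FreeMem(Buf);
  end;
end;

// PID -> thread count through the documented Toolhelp thread snapshot.
function CountThreadsViaToolhelp: TDictionary<DWORD, Integer>;
var
  Snap: THandle; Te: TThreadEntry32; N: Integer;
begin
  Result := TDictionary<DWORD, Integer>.Create;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
  if Snap = INVALID_HANDLE_VALUE then RaiseLastOSError;
  try
    Te.dwSize := SizeOf(Te);
    if Thread32First(Snap, Te) then
      repeat
        if not Result.TryGetValue(Te.th32OwnerProcessID, N) then N := 0;
        Result.AddOrSetValue(Te.th32OwnerProcessID, N + 1);
      until not Thread32Next(Snap, Te);
  finally
    CloseHandle(Snap);
  end;
end;

var
  Nt, Th: TDictionary<DWORD, Integer>; Pid: DWORD; A, B: Integer;
begin
  Nt := CountThreadsViaNtQuery; Th := CountThreadsViaToolhelp;
  try
    for Pid in Nt.Keys do
    begin
      A := Nt[Pid]; if not Th.TryGetValue(Pid, B) then B := 0;
      if A <> B then
        Writeln(Format('PID %d: %d threads via NtQuerySystemInformation, %d via Toolhelp', [Pid, A, B]));
    end;
  finally
    Nt.Free; Th.Free;
  end;
end.
```

The two snapshots are taken a few milliseconds apart, so on a busy machine a handful of PIDs will differ by a thread or two; that is noise, not hiding. What matters for the question in this thread is that a process absent from one list is absent from the other as well: kernel32 builds the Toolhelp thread snapshot from the same NtQuerySystemInformation(SystemProcessInformation) call, so anything filtered out of that list, whether by a user-mode hook in this process or by a driver, never reaches Thread32First either. This is why the Toolhelp view is no better a starting point for a "kill anything" task manager than the native call.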
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

And if Kaspersky is hooking NtQuery... then they do it in ring 0 (ntoskrnl.exe), so you have no chance of using this API, for example against antivirus programs which protect their own handles (process, thread, etc.).

Don't try to code a ring 3 security program. (This should be added as a new hooking rule, but madshi doesn't see it like me, right?)
Or something like this as a rule: "You can't be sure that the hooked API is 100% called. There are ways to bypass the hooking code and call the clean API. This is what you are doing with the NextHook call. Therefore ring 3 code hooking is not good for creating security programs like AVs. They don't catch all (for example) file accesses to monitor files if they hook NtCreateFile. In ring 0 there is the same problem, but the virus must be a driver (see rootkit.com)."