Nytro

Undocumented API use - NtSetInformationThread

Author: drew77

; Use of the still undocumented NtSetInformationThread.
;
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
include \masm32\include\ntdll.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\ntdll.lib
.data
Failed db "Busted.",0
Sample db " ",0
.code
start:
; When the function is called, the thread will continue to
; run but a debugger will no longer receive any events
; related to that thread. Among the missing events are that
; the process has terminated, if the main thread is the
; hidden one. This technique is used by
; HyperUnpackMe2, among others.
; -2 = pseudo-handle for the current thread, 11h = ThreadHideFromDebugger
invoke NtSetInformationThread,-2,11h,NULL,NULL ; as of Saturday, January 12, 2013, STILL undocumented
; Details at hxxp://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtSetInformationThread.html
;thread detached if debugged
;invoke MessageBox, 0, ADDR Failed, ADDR Sample,MB_ICONINFORMATION

invoke ExitProcess,0
end start

Source: Undocumented API use - NtSetInformationThread - rohitab.com - Forums
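
For sample triage, the call site assembled above can be recognised statically. The following is an added example, not part of the original post: it scans a buffer of 32-bit x86 code for the four argument pushes (NULL, NULL, 11h, -2) followed by a call, and goes slightly beyond the listing by also accepting the imm32 push form and an indirect call. The function names, the sample bytes and the assumption that the arguments are pushed as immediates directly before the call are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Decode one x86 push-immediate: 6A ib (sign-extended) or 68 id.
   Returns the instruction length, or 0 if p does not start one. */
static size_t push_imm(const uint8_t *p, size_t left, int32_t *val)
{
    if (left >= 2 && p[0] == 0x6A) { *val = (int8_t)p[1]; return 2; }
    if (left >= 5 && p[0] == 0x68) {
        *val = (int32_t)((uint32_t)p[1] | (uint32_t)p[2] << 8 |
                         (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24);
        return 5;
    }
    return 0;
}

/* Offset of the first "push 0 / push 0 / push 11h / push -2 / call"
   sequence in buf, or -1. Hypothetical helper, heuristic only. */
long find_hide_thread_call(const uint8_t *buf, size_t len)
{
    static const int32_t want[4] = { 0, 0, 0x11, -2 }; /* stdcall: right to left */
    for (size_t i = 0; i < len; i++) {
        size_t off = i;
        int k;
        for (k = 0; k < 4; k++) {
            int32_t v;
            size_t n = push_imm(buf + off, len - off, &v);
            if (n == 0 || v != want[k]) break;
            off += n;
        }
        if (k < 4) continue;
        /* call rel32 (E8) or call dword ptr [addr] (FF 15) */
        if (len - off >= 5 && buf[off] == 0xE8) return (long)i;
        if (len - off >= 6 && buf[off] == 0xFF && buf[off + 1] == 0x15) return (long)i;
    }
    return -1;
}

/* Constructed byte strings, not taken from a real binary. */
const uint8_t sample_short[] = { 0x90, 0x6A,0x00, 0x6A,0x00, 0x6A,0x11, 0x6A,0xFE,
                                 0xE8,0x10,0x00,0x00,0x00 };
const uint8_t sample_wide[] = { 0x68,0,0,0,0, 0x68,0,0,0,0, 0x68,0x11,0,0,0,
    0x68,0xFE,0xFF,0xFF,0xFF, 0xFF,0x15,0x00,0x20,0x40,0x00 };
int main(void)
{
    printf("short form at %ld, wide form at %ld\n",
           find_hide_thread_call(sample_short, sizeof sample_short),
           find_hide_thread_call(sample_wide, sizeof sample_wide));
    return 0;
}
```

A hit is a lead for manual review rather than proof, since the handle or information class can also be passed through registers or computed at run time, which this pattern does not cover.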
