A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #6051  by kmd
 Wed Apr 27, 2011 4:55 am
Hi, I need to identify alertable threads from user mode.
Is there any way to do that?

For now I use the "eprocess" utility, but it does this from a kernel driver.
 #6054  by nullptr
 Wed Apr 27, 2011 11:11 am
Nt/ZwQuerySystemInformation(...) with type SystemProcessesAndThreadsInformation.
The thread array struct for each process struct has a THREAD_STATE member.
 #6064  by kmd
 Thu Apr 28, 2011 5:48 am
Thanks for the reply.

Unfortunately, many threads have the "Waiting" state, not only alertable ones; this is verified by the "Eprocess" utility.
You can double-check with WinDbg; take lsass.exe as an example.
I cannot filter alertable threads by just using the ThreadState member.
 #7988  by Brock
 Sat Aug 13, 2011 7:52 pm
KMD, it's obvious you are looking to execute your own APC code, or am I mistaken? Are you interested in APC code or DLL injection? I have written a library to do exactly this: I spawn a remote thread in a suspended state within the target process with a thread start address of RtlExitUserThread, then I simply queue an APC of my choosing to this newly created thread (NtQueueApcThread). Once you resume the newly created remote thread, your APC will be carried out immediately, since exiting threads will execute any APCs still in their queue. This way, and using RtlCreateUserThread instead of CreateRemoteThread (if it fails on a process, use the Rtl* variant), you can bypass Vista+ process session isolation.

By the way, forcing a preexisting thread in a remote process (a thread which you do not own) to become alertable on-the-fly can crash the target process, and if this process is critical or a system component, the entire OS can become unstable.
 #8108  by kmd
 Thu Aug 18, 2011 12:20 pm
Hi Brock,

Thanks for the reply.

Yes, I am looking for APC code injection. I cannot use CreateRemoteThread, otherwise the problem would be solved in five minutes :)
I need to know exactly whether a thread is alertable (yeah, I know about the eprocess flag), but I need to do this in pure user mode. I have only a valid handle for the thread and cannot use NtWriteVirtualMemory, CreateRemoteThread, RtlCreateUserThread, etc.
 #8132  by Brock
 Thu Aug 18, 2011 11:01 pm
I am not aware of a way to check if a thread is alertable in real time from user mode. Anyhow, if you read what nullptr said, this is the closest you can come, I believe. Check the ThreadState and WaitReason members. If the ThreadState is Waiting (5), then this thread would be of interest to possibly queue an APC to. WaitReason will reveal the reason for the wait. An example of this might be DelayExecution (4): the thread might currently be processing a call to Sleep/SleepEx.

In that example, however, the numbers will still be the same (State: 5, WaitReason: 4) for the thread, but SleepEx with its 2nd arg equal to TRUE means it would be alertable, whereas Sleep() never would be. It wouldn't hurt to queue the same APC to any threads you enumerate that are currently in a wait state, or even all existing threads in the process, since a thread that is not currently waiting may enter an alertable wait state later. I noticed, however, that you mention not having access to writing to the target's address space (NtWriteVirtualMemory); how do you expect to execute custom APC code within that process then? A different method perhaps, such as ZwMapViewOfSection etc.? Please elaborate on this.

You can look at the WaitReasons here:
Code:
typedef enum _KWAIT_REASON {
    Executive, FreePage, PageIn, PoolAllocation, DelayExecution, Suspended, UserRequest,
    WrExecutive, WrFreePage, WrPageIn, WrPoolAllocation, WrDelayExecution, WrSuspended, WrUserRequest,
    WrEventPair, WrQueue, WrLpcReceive, WrLpcReply, WrVirtualMemory, WrPageOut, WrRendezvous,
    Spare2, Spare3, Spare4, Spare5, Spare6, WrKernel, MaximumWaitReason
} KWAIT_REASON;
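The enumeration that nullptr and Brock describe, as an added example (not code from either poster): it decodes a SystemProcessInformation buffer, walks the NextEntryOffset chain, and reports every thread whose ThreadState is Waiting together with its KWAIT_REASON name, which is what a triage or monitoring tool would show. The struct layouts are taken from the public phnt/ReactOS definitions (Windows 7+ shape); the `sample_snapshot()` buffer is constructed here so the walk runs offline, and `live_snapshot()` is only used on Windows. The code also makes Brock's caveat concrete: nothing in the record distinguishes an alertable wait from a non-alertable one.

```python
"""List Waiting threads with their KWAIT_REASON from a SystemProcessInformation
buffer (NtQuerySystemInformation class 5). Layouts: public phnt/ReactOS
definitions. Pointer-sized fields (HANDLE, PVOID, SIZE_T, ULONG_PTR) are
declared as c_size_t so the same definitions work on 32- and 64-bit builds."""
import ctypes as C
import sys

THREAD_STATE_WAITING = 5  # KTHREAD_STATE: Ready=1, Running=2, Waiting=5

# Same enum as posted in the thread; list index == numeric WaitReason value.
KWAIT_REASON = [
    "Executive", "FreePage", "PageIn", "PoolAllocation", "DelayExecution",
    "Suspended", "UserRequest", "WrExecutive", "WrFreePage", "WrPageIn",
    "WrPoolAllocation", "WrDelayExecution", "WrSuspended", "WrUserRequest",
    "WrEventPair", "WrQueue", "WrLpcReceive", "WrLpcReply", "WrVirtualMemory",
    "WrPageOut", "WrRendezvous", "Spare2", "Spare3", "Spare4", "Spare5",
    "Spare6", "WrKernel", "MaximumWaitReason"]

PTRSIZE, LL, UL = C.c_size_t, C.c_longlong, C.c_ulong

class CLIENT_ID(C.Structure):
    _fields_ = [("UniqueProcess", PTRSIZE), ("UniqueThread", PTRSIZE)]

class UNICODE_STRING(C.Structure):
    _fields_ = [("Length", C.c_ushort), ("MaximumLength", C.c_ushort), ("Buffer", PTRSIZE)]

class SYSTEM_THREAD_INFORMATION(C.Structure):
    _fields_ = [("KernelTime", LL), ("UserTime", LL), ("CreateTime", LL),
                ("WaitTime", UL), ("StartAddress", PTRSIZE), ("ClientId", CLIENT_ID),
                ("Priority", C.c_long), ("BasePriority", C.c_long),
                ("ContextSwitches", UL), ("ThreadState", UL), ("WaitReason", UL)]

class SYSTEM_PROCESS_INFORMATION(C.Structure):
    # Fixed header only; Threads[NumberOfThreads] follows immediately after it.
    _fields_ = [("NextEntryOffset", UL), ("NumberOfThreads", UL),
                ("WorkingSetPrivateSize", LL), ("HardFaultCount", UL),
                ("NumberOfThreadsHighWatermark", UL), ("CycleTime", C.c_ulonglong),
                ("CreateTime", LL), ("UserTime", LL), ("KernelTime", LL),
                ("ImageName", UNICODE_STRING), ("BasePriority", C.c_long),
                ("UniqueProcessId", PTRSIZE), ("InheritedFromUniqueProcessId", PTRSIZE),
                ("HandleCount", UL), ("SessionId", UL), ("UniqueProcessKey", PTRSIZE),
                ("PeakVirtualSize", PTRSIZE), ("VirtualSize", PTRSIZE), ("PageFaultCount", UL),
                ("PeakWorkingSetSize", PTRSIZE), ("WorkingSetSize", PTRSIZE),
                ("QuotaPeakPagedPoolUsage", PTRSIZE), ("QuotaPagedPoolUsage", PTRSIZE),
                ("QuotaPeakNonPagedPoolUsage", PTRSIZE), ("QuotaNonPagedPoolUsage", PTRSIZE),
                ("PagefileUsage", PTRSIZE), ("PeakPagefileUsage", PTRSIZE),
                ("PrivatePageCount", PTRSIZE), ("ReadOperationCount", LL),
                ("WriteOperationCount", LL), ("OtherOperationCount", LL),
                ("ReadTransferCount", LL), ("WriteTransferCount", LL), ("OtherTransferCount", LL)]

def waiting_threads(snapshot):
    """Return (pid, tid, reason_name) for every thread in state Waiting.
    Note what is absent: nothing in the record says whether the wait is
    alertable. SleepEx(..., TRUE) and Sleep() both show State 5 / WaitReason 4."""
    buf, off, found = bytearray(snapshot), 0, []
    hdr, thr = C.sizeof(SYSTEM_PROCESS_INFORMATION), C.sizeof(SYSTEM_THREAD_INFORMATION)
    while True:
        proc = SYSTEM_PROCESS_INFORMATION.from_buffer(buf, off)
        for i in range(proc.NumberOfThreads):
            t = SYSTEM_THREAD_INFORMATION.from_buffer(buf, off + hdr + i * thr)
            if t.ThreadState == THREAD_STATE_WAITING:
                name = KWAIT_REASON[t.WaitReason] if t.WaitReason < len(KWAIT_REASON) else str(t.WaitReason)
                found.append((proc.UniqueProcessId, t.ClientId.UniqueThread, name))
        if proc.NextEntryOffset == 0:   # last entry in the chain
            return found
        off += proc.NextEntryOffset

def sample_snapshot():
    """Constructed two-process buffer (not a real capture): pid 4 with a UserRequest
    waiter; pid 640 with a DelayExecution waiter, a Running thread and a WrQueue waiter."""
    def entry(pid, threads, last):
        p = SYSTEM_PROCESS_INFORMATION(NumberOfThreads=len(threads), UniqueProcessId=pid)
        p.NextEntryOffset = 0 if last else C.sizeof(p) + len(threads) * C.sizeof(SYSTEM_THREAD_INFORMATION)
        out = bytes(p)
        for tid, state, reason in threads:
            t = SYSTEM_THREAD_INFORMATION(ThreadState=state, WaitReason=reason)
            t.ClientId.UniqueProcess, t.ClientId.UniqueThread = pid, tid
            out += bytes(t)
        return out
    return entry(4, [(8, 5, 6)], False) + entry(640, [(644, 5, 4), (648, 2, 0), (652, 5, 15)], True)

def live_snapshot():
    """Windows only: fetch the real buffer from ntdll, growing it while the call
    returns STATUS_INFO_LENGTH_MISMATCH (0xC0000004)."""
    nt = C.WinDLL("ntdll")
    nt.NtQuerySystemInformation.restype = C.c_ulong
    size = 1 << 18
    while True:
        buf, needed = C.create_string_buffer(size), C.c_ulong(0)
        status = nt.NtQuerySystemInformation(5, buf, size, C.byref(needed))
        if status == 0:
            return buf.raw
        if status != 0xC0000004:
            raise OSError(f"NtQuerySystemInformation failed: 0x{status:08X}")
        size = max(size * 2, needed.value)

if __name__ == "__main__":
    snap = live_snapshot() if sys.platform == "win32" else sample_snapshot()
    for pid, tid, reason in waiting_threads(snap):
        print(f"pid {pid:>6}  tid {tid:>6}  Waiting/{reason}")
```

On Windows the script prints the same State/WaitReason pairs Process Explorer shows per thread; on any other platform it walks the constructed buffer. The walk relies only on NextEntryOffset and NumberOfThreads, so it tolerates the padding the kernel inserts between entries.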
 #8136  by EP_X0FF
 Fri Aug 19, 2011 3:42 am
Brock wrote:
I noticed however that you mention not having access to writing to the target's address space (NtWriteVirtualMemory), how do you expect to execute custom APC code within that process then?

He will locate some string in memory (for example "ernel32.dll", "ser32.dll"), place a special DLL somewhere on the search paths, and execute an APC with a LoadLibraryXXX call and this address as the parameter. This is a very old trick.
 #8138  by newgre
 Fri Aug 19, 2011 5:36 am
Still, the string needs to be written to the process. So I don't see how this can be accomplished without writing to the foreign process at all.
 #8139  by EP_X0FF
 Fri Aug 19, 2011 5:44 am
newgre wrote:
Still, the string needs to be written to the process. So I don't see how this can be accomplished without writing to the foreign process at all.

The string is already in the process; no memory write is required at all. This method has been known for years and has been successfully used by a lot of malware.
 #8144  by Brock
 Fri Aug 19, 2011 11:59 am
@EP_X0FF: Yes, that trick is very old and nothing new; I was curious as to what his method is, though.