A forum for reverse engineering, OS internals and malware analysis 

 #6035  by R00tKit
 Mon Apr 25, 2011 11:59 am
Hi,
how can I prevent code injection with "CreateRemoteThread" in kernel mode? Would hooking ZwCreateThread or using PsSetCreateThreadNotifyRoutine be useful?

What about other code injection methods?
 #6043  by R00tKit
 Mon Apr 25, 2011 4:33 pm
Thanks.
CreateRemoteThread on Windows Vista calls NtCreateThreadEx

How can I find this? I use WinDbg with disassembling, but some APIs I can't understand.

My host OS is XP, so I can't use ObRegisterCallbacks.

I used PsSetCreateThreadNotifyRoutine, and to tell whether a thread is a remote thread I compare the thread's PID with the current process PID, but it has a problem when a process is created :cry:

And I don't know with which policy to allow or deny remote threads; some useful apps need remote threads! Should I use a whitelist?
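The "problem when a process is created" above is the initial thread: it is created by the parent, so a plain "creating PID != owning PID" test flags every process start as an injection. The following is an added example, not code from the thread or from any poster: a user-mode C model of the decision a PsSetCreateThreadNotifyRoutine callback has to make, with the process-create notification (PsSetCreateProcessNotifyRoutine) used to mark the one thread the parent legitimately creates. The `creatorPid` parameter stands in for PsGetCurrentProcessId() inside the real callback, the PIDs in the sample sequence are constructed, and it assumes the process-create notification is delivered before the initial thread's notification (the XP ordering); the fixed table replaces whatever nonpaged list a driver would keep.

```c
/* Added example: classify thread-create notifications so the initial thread of
 * a new process is not mistaken for a remote (injected) thread. Builds with any
 * C compiler; no WDK headers. Kernel wiring is described in the comments only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 128   /* fixed table for the model; a driver would keep a list */

typedef enum {
    THREAD_IGNORED,   /* thread exit notification: nothing to classify          */
    THREAD_INITIAL,   /* first thread of a process we saw being created: parent  */
    THREAD_LOCAL,     /* creator is the owning process itself                     */
    THREAD_REMOTE     /* creator is another process: CreateRemoteThread-style     */
} ThreadVerdict;

typedef struct {
    uint32_t pid;
    bool     inUse;
    bool     initialThreadPending; /* set on process create, cleared by 1st thread */
} ProcInfo;

typedef struct { ProcInfo procs[MAX_TRACKED]; } ThreadMonitor;

void MonitorInit(ThreadMonitor *m) { memset(m, 0, sizeof *m); }

static ProcInfo *FindProc(ThreadMonitor *m, uint32_t pid) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (m->procs[i].inUse && m->procs[i].pid == pid) return &m->procs[i];
    return NULL;
}

static ProcInfo *AddProc(ThreadMonitor *m, uint32_t pid) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!m->procs[i].inUse) {
            m->procs[i].inUse = true;
            m->procs[i].pid = pid;
            m->procs[i].initialThreadPending = false;
            return &m->procs[i];
        }
    }
    return NULL; /* table full: process stays untracked, falls back to PID compare */
}

/* Models a PsSetCreateProcessNotifyRoutine callback (ParentId, ProcessId, Create). */
void OnProcessNotify(ThreadMonitor *m, uint32_t parentPid, uint32_t pid, bool create) {
    (void)parentPid;
    ProcInfo *p = FindProc(m, pid);
    if (create) {
        if (!p) p = AddProc(m, pid);
        if (p) p->initialThreadPending = true;
    } else if (p) {
        p->inUse = false;  /* drop state so a reused PID does not inherit it */
    }
}

/* Models a PsSetCreateThreadNotifyRoutine callback (ProcessId, ThreadId, Create).
 * creatorPid stands in for PsGetCurrentProcessId(): on creation the callback runs
 * in the context of the thread that is creating the new one. */
ThreadVerdict OnThreadNotify(ThreadMonitor *m, uint32_t creatorPid,
                             uint32_t targetPid, uint32_t threadId, bool create) {
    (void)threadId;
    if (!create) return THREAD_IGNORED;
    ProcInfo *p = FindProc(m, targetPid);
    if (p && p->initialThreadPending) {
        p->initialThreadPending = false;  /* the one thread the parent may create */
        return THREAD_INITIAL;
    }
    /* Either a later thread, or a process that predates the driver (never seen
     * being created, so no initial thread pending): plain PID comparison. */
    return creatorPid == targetPid ? THREAD_LOCAL : THREAD_REMOTE;
}

/* Constructed event sequence (PIDs/TIDs are made up); returns the number of
 * notifications classified as remote. */
int RunSampleSequence(void) {
    ThreadMonitor m;
    MonitorInit(&m);
    int remote = 0;
    OnProcessNotify(&m, 50, 100, true);                        /* parent 50 starts 100 */
    remote += OnThreadNotify(&m, 50, 100, 101, true)  == THREAD_REMOTE; /* initial  */
    remote += OnThreadNotify(&m, 100, 100, 102, true) == THREAD_REMOTE; /* local    */
    remote += OnThreadNotify(&m, 200, 100, 103, true) == THREAD_REMOTE; /* remote   */
    remote += OnThreadNotify(&m, 300, 300, 301, true) == THREAD_REMOTE; /* untracked, local */
    remote += OnThreadNotify(&m, 400, 300, 302, true) == THREAD_REMOTE; /* untracked, remote */
    OnProcessNotify(&m, 50, 100, false);                       /* 100 exits          */
    OnProcessNotify(&m, 60, 100, true);                        /* PID 100 reused     */
    remote += OnThreadNotify(&m, 60, 100, 105, true)  == THREAD_REMOTE; /* initial again */
    return remote;
}

int main(void) {
    printf("remote thread creations in sample sequence: %d\n", RunSampleSequence());
    return 0;
}
```

Classification is only the first half: the thread-create notification fires before the new thread runs, and on XP there is no callback return value that blocks it, so whatever policy you choose (deny list, allow list of creator images, alert only) has to be applied separately, for instance by recording the event and terminating the offending thread or process from the callback's context. Processes that were already running when the driver loaded are handled by the fall-through comparison, which is exactly the test that misfires for a freshly created process; the pending-initial-thread flag is what removes that false positive.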
 #6044  by EP_X0FF
 Mon Apr 25, 2011 5:04 pm
Out of curiosity, please show your code.
How can I find this? I use WinDbg with disassembling, but some APIs I can't understand.
Open the DLL in any disassembler.