4 Comments
1. Anonymous | May 16th, 2007 at 10:26
Hehe. Thanks :p
2. andrewl | October 22nd, 2010 at 08:20
Sorry to raise an old post, but I just encountered this trick in a very expensive target and was lucky to find your page. Thanks for posting!
3. waliedassar | November 2nd, 2012 at 19:10
Thanks for this nice stuff.
There are a couple of points that I need to add, for whom it may concern, regarding the « NtSetInformationThread » function with the « ThreadInformationClass » parameter set to 0x11 (ThreadHideFromDebugger):
1) The « InformationLength » parameter must be zero. Any non-zero value passed in this parameter will cause the function to fail.
2) This function call seems to be one-way i.e. once you set the thread as hidden, you can’t call the function again to unhide it.
4. Noteworthy | April 23rd, 2013 at 13:07
Hi Ivan,
I have a small problem with NtSetInformationThread / ThreadHideFromDebugger: the status variable is always NULL, regardless of whether the thread is being debugged or not.
I'm running on Win7 SP1 x64, virtualized.
Here is my code:
http://www.dpaste.org/0pIIy/
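As an added example (not code from the original post, from Ivan, or from any commenter), here is a small ctypes script that exercises the two points from comment 3 and the question in comment 4. It calls NtSetInformationThread(ThreadHideFromDebugger) on the current thread first with a wrong InformationLength and then with 0, and decodes the NTSTATUS it gets back. Two things it assumes beyond what the comments state: the NTSTATUS constant values are the standard ntstatus.h ones, and the read-back check via NtQueryInformationThread with the same class and a 1-byte BOOLEAN buffer is, to my knowledge, supported from Vista onwards; neither is mentioned on the page. The Windows calls only run on Windows; the NTSTATUS helpers are plain Python.

```python
"""NtSetInformationThread / ThreadHideFromDebugger: length check and read-back.

Constructed example. The native calls run only on Windows; the helper
functions below (nt_success, status_name) are portable.
"""
import ctypes
import sys

# THREADINFOCLASS value from the comment thread: 0x11 == 17.
ThreadHideFromDebugger = 0x11

# Standard ntstatus.h values (assumption: not taken from the page).
STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004  # what a non-zero length produces
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022

_STATUS_NAMES = {
    STATUS_SUCCESS: "STATUS_SUCCESS",
    STATUS_INFO_LENGTH_MISMATCH: "STATUS_INFO_LENGTH_MISMATCH",
    STATUS_INVALID_HANDLE: "STATUS_INVALID_HANDLE",
    STATUS_ACCESS_DENIED: "STATUS_ACCESS_DENIED",
}


def to_unsigned(status):
    """NTSTATUS is a signed LONG; normalise to the usual 0xC... form."""
    return status & 0xFFFFFFFF


def nt_success(status):
    """NT_SUCCESS(): true when the severity bits are 00 or 01 (non-negative)."""
    return to_unsigned(status) < 0x80000000


def status_name(status):
    """Symbolic name for the few codes we care about, hex otherwise."""
    code = to_unsigned(status)
    return _STATUS_NAMES.get(code, "0x%08X" % code)


def _ntdll_and_thread(thread_handle):
    ntdll = ctypes.WinDLL("ntdll")
    if thread_handle is None:
        kernel32 = ctypes.WinDLL("kernel32")
        kernel32.GetCurrentThread.restype = ctypes.c_void_p
        thread_handle = kernel32.GetCurrentThread()  # pseudo-handle, no close
    return ntdll, thread_handle


def hide_from_debugger(thread_handle=None, info_length=0):
    """NtSetInformationThread(h, ThreadHideFromDebugger, NULL, info_length).

    Returns the NTSTATUS as an unsigned int. info_length must be 0; any other
    value makes the call fail (comment 3, point 1). The call is one-way: there
    is no class that un-hides the thread (comment 3, point 2).
    """
    ntdll, h = _ntdll_and_thread(thread_handle)
    fn = ntdll.NtSetInformationThread
    fn.restype = ctypes.c_long
    fn.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong]
    return to_unsigned(fn(h, ThreadHideFromDebugger, None, info_length))


def is_hidden_from_debugger(thread_handle=None):
    """Read the flag back (assumption: Vista+; 1-byte BOOLEAN, length must be 1).

    Returns (NTSTATUS, hidden). Note that neither this nor the set call reports
    whether a debugger is attached; STATUS_SUCCESS (0) simply means the kernel
    accepted the request, which is the value seen in comment 4.
    """
    ntdll, h = _ntdll_and_thread(thread_handle)
    fn = ntdll.NtQueryInformationThread
    fn.restype = ctypes.c_long
    fn.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p,
                   ctypes.c_ulong, ctypes.c_void_p]
    hidden = ctypes.c_ubyte(0)
    status = fn(h, ThreadHideFromDebugger, ctypes.byref(hidden), 1, None)
    return to_unsigned(status), bool(hidden.value)


def main():
    if sys.platform != "win32":
        print("native part needs Windows; helpers still importable")
        return
    s = hide_from_debugger(info_length=4)  # wrong length on purpose
    print("length 4 :", status_name(s), "success=%s" % nt_success(s))
    s = hide_from_debugger()  # length 0, the correct way
    print("length 0 :", status_name(s), "success=%s" % nt_success(s))
    s, hidden = is_hidden_from_debugger()
    print("query    :", status_name(s), "hidden=%s" % hidden)


if __name__ == "__main__":
    main()
```

Run it outside a debugger first: once the length-0 call succeeds, an attached debugger stops receiving events from this thread, and a breakpoint or single-step that then fires in it is not delivered to the debugger, which is exactly the anti-debugging effect the post describes.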