I'm working on a process which analyzes what another process does.
It checks the CPU, memory usage, threads being created and dying, etc.
Unfortunately I have an antivirus installed on my computer which creates a remote thread in my examined process. This remote thread is not really a part of the process, so I'd like to ignore this thread completely while examining the process.
Is there a way (in C++) which allows us to identify a thread as a "remote thread"?
If you are willing to go kernel mode PsSetCreateThreadNotifyRoutine may be of interest to you. According to Uninformed it is called in the context of the process 'that is creating or terminating the thread'. I have also seen this suggested elsewhere.
I got round to testing this, it works fine. You should note that you will see a number of false positives as Windows (unsurprisingly) does some injection itself. <EDIT> This is actually caused by process creation: as the first thread is created, it is done in the context of the parent process. Simply eliminate first thread creation and this gives a pretty good indication. </EDIT>
The main drawback (other than having to write a driver) would be that you need to see the creation happen, so your process needs to start first.
Alternatively, as mentioned, heuristics involving stack traces, loaded modules and all that good stuff come into play.
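An added example (not the answer author's code) of the check described above: the notify routine runs in the creating process's context, so the callback compares PsGetCurrentProcessId() against the target ProcessId and skips each process's first thread to avoid the parent-process false positive. The tracker structure, the function names and the BUILD_AS_DRIVER macro are assumptions; the decision logic is plain C so it can be built and tested outside the WDK, and the kernel binding only compiles with -DBUILD_AS_DRIVER.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_TRACKED 256
struct tracker {
    uintptr_t seen_procs[MAX_TRACKED]; size_t nprocs;   /* processes whose first thread we saw */
    uintptr_t remote_tids[MAX_TRACKED]; size_t nremote; /* thread ids flagged as remote */
};
static struct tracker g_tracker;  /* zero-initialised; guard with a lock if callbacks overlap */

static int find_id(const uintptr_t *a, size_t n, uintptr_t v) {
    for (size_t i = 0; i < n; i++) if (a[i] == v) return (int)i;
    return -1;
}

/* A thread is "remote" when the creating context differs from the target
 * process, except for the target's very first thread, which the parent
 * creates (the false-positive case from the answer). Assumes the callback
 * was registered before the monitored process started. Returns 1 if flagged. */
int on_thread_event(struct tracker *t, uintptr_t creator_pid, uintptr_t target_pid,
                    uintptr_t tid, int create) {
    if (!create) {                                   /* thread exit: forget it */
        int i = find_id(t->remote_tids, t->nremote, tid);
        if (i >= 0) t->remote_tids[i] = t->remote_tids[--t->nremote];
        return 0;
    }
    if (find_id(t->seen_procs, t->nprocs, target_pid) < 0) {   /* primary thread */
        if (t->nprocs < MAX_TRACKED) t->seen_procs[t->nprocs++] = target_pid;
        return 0;
    }
    if (creator_pid == target_pid) return 0;         /* ordinary CreateThread */
    if (t->nremote < MAX_TRACKED) t->remote_tids[t->nremote++] = tid;
    return 1;
}

/* The analyzer asks this before counting a thread of the examined process. */
int is_remote_thread(const struct tracker *t, uintptr_t tid) {
    return find_id(t->remote_tids, t->nremote, tid) >= 0;
}

#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
/* Runs in the creating process's context, so PsGetCurrentProcessId() is the
 * creator and ProcessId is the target. Register it from DriverEntry with
 * PsSetCreateThreadNotifyRoutine(ThreadNotify). */
static VOID ThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create) {
    on_thread_event(&g_tracker, (uintptr_t)PsGetCurrentProcessId(),
                    (uintptr_t)ProcessId, (uintptr_t)ThreadId, Create);
}
#endif
```

Process exit is not handled here; a real driver would also register a process notify routine and drop the exited process from seen_procs.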
Internally there is no distinction between threads created with CreateThread and threads created with CreateRemoteThread. (Internally, CreateThread basically calls CreateRemoteThread and passes GetCurrentProcess() as the target process.) If you want to distinguish the threads, you will have to use heuristics.