The MASM Forum

Miscellaneous => The Orphanage => Topic started by: Magnum on January 13, 2013, 01:49:03 PM

Title: Still some undocumented APIs
Post by: Magnum on January 13, 2013, 01:49:03 PM

; Use of the still undocumented NtSetInformationThread.
;
.386
.model  flat,stdcall
option  casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
include \masm32\include\ntdll.inc
include \masm32\macros\macros.asm
includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\advapi32.lib
includelib  \masm32\lib\ntdll.lib
.data
Failed  db   "Busted.",0
Sample  db   " ",0
.code
start:
; When the function is called, the thread will continue to
; run but a debugger will no longer receive any events
; related to that thread.  Among the missing events are that
; the process has terminated, if the main thread is the
; hidden one.  This technique is used by
; HyperUnpackMe2, among others.
; Arguments: -2 is the pseudo-handle for the current thread (the value
; GetCurrentThread returns); 11h is the ThreadHideFromDebugger
; information class; it takes no information buffer, so the
; buffer pointer and length are both NULL.
invoke NtSetInformationThread,-2,11h,NULL,NULL ; as of Saturday, January 12, 2013, STILL undocumented
; Details at http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtSetInformationThread.html
; thread detached if debugged
;invoke MessageBox, 0, ADDR Failed, ADDR Sample,MB_ICONINFORMATION

invoke ExitProcess,0
end  start
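As an added example (not code from the post or from the MASM32 package), the following Python script shows what the call above looks like from the analyst's side: it scans a byte buffer for the exact argument-push sequence that a 32-bit `invoke NtSetInformationThread,-2,11h,NULL,NULL` assembles to, followed by a direct or import-table call, and for the routine's name string. It is a static triage heuristic, nothing more. The byte samples at the bottom are constructed for the demonstration, not taken from a real binary.

```python
"""
Static heuristic for the ThreadHideFromDebugger call shape from the post.
Added example: scans a byte buffer for the argument pushes that a 32-bit
MASM "invoke NtSetInformationThread,-2,11h,NULL,NULL" emits, followed by a
direct or IAT-indirect call, and for the import name string.
The sample buffers below are constructed, not taken from a real binary.
"""
import re
import sys

# stdcall pushes arguments right to left, so the four-argument call lowers to:
#   6A 00      push 0      ; ThreadInformationLength = 0
#   6A 00      push 0      ; ThreadInformation = NULL
#   6A 11      push 11h    ; ThreadInformationClass = ThreadHideFromDebugger
#   6A FE      push -2     ; ThreadHandle = current-thread pseudo handle
#   E8 rel32   call NtSetInformationThread     (statically linked)
#   FF 15 m32  call dword ptr [IAT slot]        (import thunk)
CALL_SHAPE = re.compile(
    rb"\x6A\x00\x6A\x00\x6A\x11\x6A\xFE(?:\xE8.{4}|\xFF\x15.{4})",
    re.DOTALL,
)

# Names the loader (or GetProcAddress) would resolve for this routine.
IMPORT_NAMES = (b"NtSetInformationThread", b"ZwSetInformationThread")


def find_call_sites(data: bytes) -> list:
    """Offsets of every byte sequence matching the call shape above."""
    return [m.start() for m in CALL_SHAPE.finditer(data)]


def find_import_names(data: bytes) -> list:
    """Which of the known routine names appear as NUL-terminated strings."""
    return [n.decode() for n in IMPORT_NAMES if n + b"\x00" in data]


def scan_bytes(data: bytes) -> dict:
    """Combine both signals; 'suspicious' requires the call shape AND a name."""
    sites = find_call_sites(data)
    names = find_import_names(data)
    return {"call_sites": sites, "imports": names,
            "suspicious": bool(sites) and bool(names)}


def scan_file(path: str) -> dict:
    """Read a file and run scan_bytes over its whole content."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: 8 bytes of padding, the call shape with an IAT call,
# then the import name as it would sit in the import name table.
SAMPLE_HIT = (
    b"\x90" * 8
    + b"\x6A\x00\x6A\x00\x6A\x11\x6A\xFE\xFF\x15\x00\x20\x40\x00"
    + b"\x00\x00NtSetInformationThread\x00"
)

# Constructed sample: same routine imported, but called with the
# ThreadPriority class (2) and a real buffer, so the shape does not match.
SAMPLE_CLEAN = (
    b"\x90" * 8
    + b"\x6A\x04\x68\x00\x10\x40\x00\x6A\x02\x6A\xFE\xFF\x15\x00\x20\x40\x00"
    + b"\x00\x00NtSetInformationThread\x00"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it as `python scan_hide.py some.exe`; for the constructed samples, `SAMPLE_HIT` reports one call site at offset 8 and `SAMPLE_CLEAN` none. The signature only matches the literal immediate-push form the post's `invoke` produces; any other argument lowering (register moves, a different calling convention, a 64-bit build) slips past it, which is why the import-name check is kept as a second, independent signal rather than folded into the regex.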

Title: Re: Still some undocumented APIs
Post by: qWord on January 13, 2013, 09:11:40 PM
Any deeper meaning in this post?

ZwSetInformationThread (http://msdn.microsoft.com/en-us/library/windows/hardware/ff567101(v=vs.85).aspx)
Title: Re: Still some undocumented APIs
Post by: Gunther on January 13, 2013, 11:33:35 PM
Andy,

qWord is right: which undocumented API function is of special interest? On the other hand, be careful with those undocumented features, because things can rapidly change - silently.

Gunther
Title: Re: Still some undocumented APIs
Post by: Magnum on January 14, 2013, 12:58:55 AM
qWord,

No need to worry.

It's a small anti debug, anti-reverse method.

Gunther,

There are some undocumented APIs that have been around for quite a while, so it's probably safe to use them in certain situations.

You can find them here.

http://undocumented.ntinternals.net

This may be of interest.

http://www.pcpro.co.uk/news/101947/microsoft-used-undocumented-windows-apis-iowa-testimony
Title: Re: Still some undocumented APIs
Post by: Gunther on January 14, 2013, 02:44:51 AM
Hi Andy,

Quote from: Magnum on January 14, 2013, 12:58:55 AM
There are some undocumented APIs that have been around for quite a while, so it's probably safe to use them in certain situations.

You can find them here.

http://undocumented.ntinternals.net

This may be of interest.

http://www.pcpro.co.uk/news/101947/microsoft-used-undocumented-windows-apis-iowa-testimony

I know those sites. The point is: those were never official statements from MS. They can change that whenever they want. You may use such stuff too, but you are on the safer side by using officially documented API functions.

Gunther
Title: Re: Still some undocumented APIs
Post by: jj2007 on January 14, 2013, 04:01:31 AM
Quote from: qWord on January 13, 2013, 09:11:40 PM
Any deeper meaning in this post?

ZwSetInformationThread (http://msdn.microsoft.com/en-us/library/windows/hardware/ff567101(v=vs.85).aspx)

Indeed. Zw/NtSetInformationThread is documented - many of the "mysterious undocumented" functions have been put online by M$ with the Win7 SDK.
Title: Re: Still some undocumented APIs
Post by: qWord on January 14, 2013, 04:16:05 AM
Quote from: jj2007 on January 14, 2013, 04:01:31 AM
Zw/NtSetInformationThread is documented

as the link shows  :t
Many of the Nt* functions were also documented prior to the Win7 SDK in the WinDDK.
Title: Re: Still some undocumented APIs
Post by: dedndave on January 14, 2013, 04:50:44 AM
Quote
Calling a ZwXxx routine from user mode is not supported; instead, native applications (applications
that bypass the Microsoft Win32 subsystem) should call the NtXxx equivalent of the ZwXxx routine.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff567122%28v=vs.85%29.aspx

so, in effect, they have documented a number of NtXxx calls   :P

http://msdn.microsoft.com/en-us/library/windows/hardware/ff557720%28v=vs.85%29.aspx

i count 71 ZwXxx and 100 NtXxx functions
Title: Re: Still some undocumented APIs
Post by: Magnum on January 14, 2013, 06:52:42 AM
Quote from: Gunther on January 14, 2013, 02:44:51 AM
I know those sites. The point is: those were never official statements from MS. They can change that whenever they want. You may use such stuff too, but you are on the safer side by using officially documented API functions.

Sure they can change them, they can even change others too.

Did you go to the other link ?

Late development. My daughter, Cherise just found $300 in a DVD case.  :biggrin:

I try to think positive about things.

I am not scared of using the undocumented APIs.

If you always play it safe, you miss out on a lot of fun and interesting things in life.

Take care,
                  Andy

Christians, unlike Plato, believed that matter is good, since God created it, so to study matter is good.