Author Topic: Still some undocumented APIs  (Read 6686 times)

Magnum

  • Member
  • *****
  • Posts: 2367
Still some undocumented APIs
« on: January 13, 2013, 01:49:03 PM »
Code:
; Use of the still undocumented NtSetInformationThread.
;
.386
.model  flat,stdcall
option  casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
include \masm32\include\ntdll.inc
include \masm32\macros\macros.asm
includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\advapi32.lib
includelib  \masm32\lib\ntdll.lib
.data
Failed  db   "Busted.",0
Sample  db   " ",0
.code
start:
; When the function is called, the thread will continue to
; run but a debugger will no longer receive any events
; related to that thread.  Among the missing events are that
; the process has terminated, if the main thread is the
; hidden one.  This technique is used by
; HyperUnpackMe2, among others.
; -2 is the pseudo-handle for the current thread (what GetCurrentThread
; returns); 11h is the THREADINFOCLASS value ThreadHideFromDebugger.
invoke NtSetInformationThread,-2,11h,NULL,NULL ; as of Saturday, January 12, 2013, STILL undocumented
; Details at http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtSetInformationThread.html
;thread detached if debugged
;invoke MessageBox, 0, ADDR Failed, ADDR Sample,MB_ICONINFORMATION

invoke ExitProcess,0
end  start

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org
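From the analyst's side, the flag that the post sets can be read back with NtQueryInformationThread and the same information class, which is how a debugger plugin or a triage tool confirms that a thread has been hidden from it. This is an added example, not code from Andy's post; it assumes masm32's ntdll.inc declares NtQueryInformationThread, and relies on Windows returning the ThreadHideFromDebugger (11h) state as a one-byte BOOLEAN.

```masm
; Added example (not from the original post): report whether the
; current thread has been hidden from the debugger.
.386
.model  flat,stdcall
option  casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\ntdll.inc        ; assumed to declare NtQueryInformationThread
includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\ntdll.lib

HIDE_FROM_DEBUGGER_CLASS equ 11h         ; THREADINFOCLASS ThreadHideFromDebugger

.data
szTitle   db "ThreadHideFromDebugger check",0
szHidden  db "Current thread is hidden from the debugger",0
szVisible db "Current thread is visible to the debugger",0
szError   db "NtQueryInformationThread failed",0
.data?
bHidden   db ?                           ; BOOLEAN filled in by the query

.code
start:
    ; -2 is the pseudo-handle for the current thread (GetCurrentThread).
    ; The query writes one byte: non-zero when the thread is hidden.
    invoke NtQueryInformationThread, -2, HIDE_FROM_DEBUGGER_CLASS, ADDR bHidden, 1, NULL
    test eax, eax                        ; NTSTATUS: 0 = STATUS_SUCCESS
    jnz  failed
    cmp  bHidden, 0
    je   visible
    invoke MessageBox, 0, ADDR szHidden, ADDR szTitle, MB_ICONINFORMATION
    jmp  done
visible:
    invoke MessageBox, 0, ADDR szVisible, ADDR szTitle, MB_ICONINFORMATION
    jmp  done
failed:
    invoke MessageBox, 0, ADDR szError, ADDR szTitle, MB_ICONERROR
done:
    invoke ExitProcess, 0
end start
```

Run as-is it reports "visible"; run after the NtSetInformationThread call from the post it reports "hidden", which is the same check an anti-anti-debug plugin uses to verify that it intercepted the call.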

qWord

  • Member
  • *****
  • Posts: 1475
  • The base type of a type is the type itself
    • SmplMath macros
Re: Still some undocumented APIs
« Reply #1 on: January 13, 2013, 09:11:40 PM »
Any deeper meaning in this post?

ZwSetInformationThread
MREAL macros - when you need floating point arithmetic while assembling!

Gunther

  • Member
  • *****
  • Posts: 4090
  • Forgive your enemies, but never forget their names
Re: Still some undocumented APIs
« Reply #2 on: January 13, 2013, 11:33:35 PM »
Andy,

qWord is right: which undocumented API function is of special interest? On the other hand, be careful with those undocumented features, because things can change rapidly - and silently.

Gunther
Get your facts first, and then you can distort them.

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Still some undocumented APIs
« Reply #3 on: January 14, 2013, 12:58:55 AM »
qWord,

No need to worry.

It's a small anti debug, anti-reverse method.

Gunthur,

There are some undocumented APIs that have been around for quite a while, so it's probably safe to use them in certain situations.

You can find them here.

http://undocumented.ntinternals.net

This may be of interest.

http://www.pcpro.co.uk/news/101947/microsoft-used-undocumented-windows-apis-iowa-testimony
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Gunther

  • Member
  • *****
  • Posts: 4090
  • Forgive your enemies, but never forget their names
Re: Still some undocumented APIs
« Reply #4 on: January 14, 2013, 02:44:51 AM »
Hi Andy,

Quote
There are some undocumented APIs that have been around for quite a while, so it's probably safe to use them in certain situations.

You can find them here.

http://undocumented.ntinternals.net

This may be of interest.

http://www.pcpro.co.uk/news/101947/microsoft-used-undocumented-windows-apis-iowa-testimony

I know those sites. The point is: those were never official statements from MS. They can change that whenever they want. You may use such stuff too, but you are on the safer side by using officially documented API functions.

Gunther
Get your facts first, and then you can distort them.

jj2007

  • Member
  • *****
  • Posts: 13030
  • Assembler is fun ;-)
    • MasmBasic
Re: Still some undocumented APIs
« Reply #5 on: January 14, 2013, 04:01:31 AM »
Quote
Any deeper meaning in this post?

ZwSetInformationThread

Indeed. Zw/NtSetInformationThread is documented - many of the "mysterious undocumented" functions have been put online by M$ with the Win7 SDK.

qWord

  • Member
  • *****
  • Posts: 1475
  • The base type of a type is the type itself
    • SmplMath macros
Re: Still some undocumented APIs
« Reply #6 on: January 14, 2013, 04:16:05 AM »
Quote
Zw/NtSetInformationThread is documented

as the link shows  :t
Many of the Nt* functions were also documented prior to the Win7 SDK, in the WinDDK.
MREAL macros - when you need floating point arithmetic while assembling!

dedndave

  • Member
  • *****
  • Posts: 8828
  • Still using Abacus 2.0
    • DednDave
Re: Still some undocumented APIs
« Reply #7 on: January 14, 2013, 04:50:44 AM »
Quote
Calling a ZwXxx routine from user mode is not supported; instead, native applications (applications that bypass the Microsoft Win32 subsystem) should call the NtXxx equivalent of the ZwXxx routine.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff567122%28v=vs.85%29.aspx

so, in effect, they have documented a number of NtXxx calls   :P

http://msdn.microsoft.com/en-us/library/windows/hardware/ff557720%28v=vs.85%29.aspx

i count 71 ZwXxx and 100 NtXxx functions

Magnum

  • Member
  • *****
  • Posts: 2367
Re: Still some undocumented APIs
« Reply #8 on: January 14, 2013, 06:52:42 AM »
Quote
I know those sites. The point is: those were never official statements from MS. They can change that whenever they want. You may use such stuff too, but you are on the safer side by using officially documented API functions.

Sure they can change them, they can even change others too.

Did you go to the other link?

Late development. My daughter, Cherise just found $300 in a DVD case.  :biggrin:

I try to think positive about things.

I am not scared of using the undocumented APIs.

If you always play it safe, you miss out on a lot of fun and interesting things in life.

Take care,
                  Andy

Christians, unlike Plato, believed that matter is good, since God created it, so to study matter is good.

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org