
Still some undocumented APIs

Started by Magnum, January 13, 2013, 01:49:03 PM


Magnum


; Use of the still undocumented NtSetInformationThread.
;
.386
.model  flat,stdcall
option  casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
include \masm32\include\ntdll.inc
include \masm32\macros\macros.asm
includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\advapi32.lib
includelib  \masm32\lib\ntdll.lib
.data
Failed  db   "Busted.",0
Sample  db   " ",0
.code
start:
; When the function is called, the thread will continue to
; run but a debugger will no longer receive any events
; related to that thread.  Among the missing events are that
; the process has terminated, if the main thread is the
; hidden one.  This technique is used by
; HyperUnpackMe2, among others.
; Arguments: -2 is the pseudo handle for the current thread,
; 11h is the ThreadHideFromDebugger information class, and the
; buffer pointer and length are both NULL for this class.
invoke NtSetInformationThread,-2,11h,NULL,NULL ; as of Saturday, January 12, 2013, STILL undocumented
; Details at http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtSetInformationThread.html
;thread detached if debugged
;invoke MessageBox, 0, ADDR Failed, ADDR Sample,MB_ICONINFORMATION

invoke ExitProcess,0
end  start

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

qWord

MREAL macros - when you need floating point arithmetic while assembling!

Gunther

Andy,

qWord is right: which undocumented API function is of special interest? On the other hand, be careful with those undocumented features, because things can rapidly change - silently.

Gunther
You have to know the facts before you can distort them.

Magnum

qWord,

No need to worry.

It's a small anti debug, anti-reverse method.

Gunther,

There are some undocumented APIs that have been around for quite a while, so it's probably safe to use them in certain situations.

You can find them here.

http://undocumented.ntinternals.net

This may be of interest.

http://www.pcpro.co.uk/news/101947/microsoft-used-undocumented-windows-apis-iowa-testimony
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Gunther

Hi Andy,

Quote from: Magnum on January 14, 2013, 12:58:55 AM
There are some undocumented APIs that have been around for quite a while, so it's probably safe to use them in certain situations.

You can find them here.

http://undocumented.ntinternals.net

This may be of interest.

http://www.pcpro.co.uk/news/101947/microsoft-used-undocumented-windows-apis-iowa-testimony

I know those sites. The point is: those were never official statements from MS. They can change that whenever they want. You may use such stuff too, but you are on the safer side by using official documented API functions.

Gunther
You have to know the facts before you can distort them.

jj2007

Quote from: qWord on January 13, 2013, 09:11:40 PM
Any deeper meaning in this post?

ZwSetInformationThread

Indeed. Zw/NtSetInformationThread is documented - many of the "mysterious undocumented" functions have been put online by M$ with the Win7 SDK.

qWord

Quote from: jj2007 on January 14, 2013, 04:01:31 AM
Zw/NtSetInformationThread is documented

As the link shows  :t
Many of the Nt* functions were also documented prior to the Win7 SDK in the WinDDK.
MREAL macros - when you need floating point arithmetic while assembling!

dedndave

Quote
Calling a ZwXxx routine from user mode is not supported; instead, native applications (applications that bypass the Microsoft Win32 subsystem) should call the NtXxx equivalent of the ZwXxx routine.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff567122%28v=vs.85%29.aspx

so, in effect, they have documented a number of NtXxx calls   :P

http://msdn.microsoft.com/en-us/library/windows/hardware/ff557720%28v=vs.85%29.aspx

I count 71 ZwXxx and 100 NtXxx functions
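The two points made above (a ZwXxx name is the user-mode alias of its NtXxx twin, and Gunther's warning that an undocumented export may change without notice) can both be checked at run time instead of assumed at link time. The following program is an added example written for this thread; it is not code from any of the posts. It assumes the MASM32 SDK include and library paths used in the first post and a 32-bit build. It resolves both names from ntdll with GetProcAddress, refuses to proceed if either is missing, and reports whether the two names point at the same code. Resolving the export dynamically and checking for NULL is what lets a program degrade gracefully on a build where the export has been renamed or removed, which is the practical answer to the "you are on the safer side with documented functions" concern.

```masm
; Added example, not from any post in this thread: resolve the Nt and Zw
; names of one ntdll export at run time and compare their addresses.
; Assumptions: MASM32 SDK paths as in the thread, 32-bit build.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
szNtdll   db "ntdll.dll",0
szNtName  db "NtSetInformationThread",0
szZwName  db "ZwSetInformationThread",0
szTitle   db "Nt/Zw export check",0
szMissing db "At least one of the two exports is missing from this ntdll - do not call it blindly.",0
szSame    db "Both names resolve to the same address: the Zw name is an alias of the Nt name.",0
szDiffer  db "The two names resolve to different addresses on this build.",0

.data?
hNtdll dd ?
pNt    dd ?
pZw    dd ?

.code
; CompareExports: eax = 0 if either export is missing (caller must not
; call it), 1 if both names resolve to the same address, 2 if both
; resolve but to different addresses.
CompareExports proc
    invoke GetModuleHandle, ADDR szNtdll        ; ntdll is mapped in every process
    .if eax == 0
        xor eax, eax
        ret
    .endif
    mov hNtdll, eax
    invoke GetProcAddress, hNtdll, ADDR szNtName
    mov pNt, eax
    invoke GetProcAddress, hNtdll, ADDR szZwName
    mov pZw, eax
    .if pNt == 0 || pZw == 0                    ; absent on this build: bail out
        xor eax, eax
        ret
    .endif
    mov eax, pNt
    .if eax == pZw
        mov eax, 1
    .else
        mov eax, 2
    .endif
    ret
CompareExports endp

start:
    call CompareExports
    .if eax == 0
        invoke MessageBox, 0, ADDR szMissing, ADDR szTitle, MB_ICONWARNING
    .elseif eax == 1
        invoke MessageBox, 0, ADDR szSame, ADDR szTitle, MB_ICONINFORMATION
    .else
        invoke MessageBox, 0, ADDR szDiffer, ADDR szTitle, MB_ICONINFORMATION
    .endif
    invoke ExitProcess, 0
end start
```

Build it with the usual ml /c /coff and link /subsystem:windows from the MASM32 SDK. The same GetProcAddress-and-check-for-NULL pattern is the one to use for any undocumented export: linking against ntdll.lib makes a renamed export a load-time failure, whereas resolving it at run time lets the program report the condition and continue.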

Magnum

Quote from: Gunther
I know those sites. The point is: those were never official statements from MS. They can change that whenever they want. You may use such stuff too, but you are on the safer side by using official documented API functions.

Sure they can change them, they can even change others too.

Did you go to the other link ?

Late development. My daughter, Cherise, just found $300 in a DVD case.  :biggrin:

I try to think positive about things.

I am not scared of using the undocumented APIs.

If you always play it safe, you miss out on a lot of fun and interesting things in life.

Take care,
                  Andy

Christians, unlike Plato, believed that matter is good, since God created it, so to study matter is good.

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org