
Wednesday, June 25, 2014

Monitoring Thread Injection

A lot of malware injects threads into other processes to bypass security products.
Usually malware writes the shellcode into the remote process using WriteProcessMemory() and then starts threads using CreateRemoteThread(). A lot of source code for this is available on the internet.
Let’s see how we can monitor thread injection using a kernel-mode driver. A lot of AV products use this method, so I won’t go into much detail.
Windows has an API, PsSetCreateThreadNotifyRoutine, that can be used by kernel-mode drivers. It registers a callback function that is invoked whenever a thread is created.
Please refer to MSDN for further details.
It can be used as follows:
PsSetCreateThreadNotifyRoutine(RemoteThreadDetect);   //registers notification routine
Now a part of the RemoteThreadDetect routine:
VOID RemoteThreadDetect(IN HANDLE RemotePid, IN HANDLE ThreadId, IN BOOLEAN flag)
{
    HANDLE currproc = PsGetCurrentProcessId();  // ID of the process in whose context the callback runs
    if (currproc != RemotePid)                  // current PID differs from the PID passed to the callback
        DbgPrint("thread injection detected\n");
}
PsGetCurrentProcessId() returns the ID of the current process, in whose context the thread creation was called.
The logic is really simple. If currproc and RemotePid are not the same, the thread has been injected.
I am not publishing the code as it’s too easy and similar code can be found on the internet.
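
A user-mode model of the comparison above, as an added example that is not the author's driver code: it replays constructed events through the same "current PID != RemotePid" test and also separates two cases where the IDs differ without injection (the initial thread of a new process, which is created from its creator's context, and system threads owned by the System process). The struct, enum and function names are hypothetical; it assumes the System process is PID 4 and that tracking starts before the monitored processes exist.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* User-mode model of the notify routine's decision; constructed, not driver code. */
typedef struct {
    uint32_t current_pid; /* stands in for PsGetCurrentProcessId() in the callback */
    uint32_t target_pid;  /* first callback argument: process that owns the thread */
    bool     create;      /* third callback argument: true = created, false = exiting */
} thread_event;
typedef enum { V_IGNORE, V_LOCAL, V_PROCESS_START, V_REMOTE } verdict;

#define SYSTEM_PID 4u     /* assumption: kernel threads belong to the System process */
#define MAX_PIDS   64u    /* model limit: PIDs beyond this are never remembered */
typedef struct { uint32_t pid[MAX_PIDS]; size_t n; } pid_set;

/* Returns true if pid was already recorded; records it otherwise. */
static bool seen_or_add(pid_set *s, uint32_t pid) {
    for (size_t i = 0; i < s->n; i++)
        if (s->pid[i] == pid) return true;
    if (s->n < MAX_PIDS) s->pid[s->n++] = pid;
    return false;
}

verdict classify(pid_set *seen, const thread_event *e) {
    if (!e->create) return V_IGNORE;                      /* thread exit */
    bool first = !seen_or_add(seen, e->target_pid);
    if (e->target_pid == SYSTEM_PID) return V_IGNORE;     /* kernel-mode system thread */
    if (e->current_pid == e->target_pid) return V_LOCAL;  /* process created its own thread */
    if (first) return V_PROCESS_START;                    /* creator starting a new process */
    return V_REMOTE;                                      /* the case the page's check targets */
}

size_t count_remote(const thread_event *ev, size_t n) {
    pid_set seen = { {0}, 0 };
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify(&seen, &ev[i]) == V_REMOTE) hits++;
    return hits;
}
/* Constructed sample events: {current_pid, target_pid, create}. */
static const thread_event SAMPLE[] = {
    { 1200, 1200, true }, { 1200, 3004, true },  /* own thread; 1200 starts child 3004 */
    { 3004, 3004, true }, { 4880, 3004, true },  /* child's worker; 4880 creates a thread in 3004 */
    { 3004, 3004, false }, { 4880, 4, true },    /* thread exit; system thread from 4880's context */
};

int main(void) {
    printf("remote thread creations: %zu\n", count_remote(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]));
}
```

Of the five creation events in the sample, three have differing IDs, but only the thread created in 3004 by 4880 is classified as remote.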