When a new process is created, it is actually created in suspended state. To start its execution, the primary thread need to be resumed. This is done by calling the NtResumeThread function on the thread.
NTSTATUS NTAPI NtResumeThread(HANDLE hThread,PULONG PreviousSuspendCount);
Because the NtResumeThread function is called when a new process is created, it is possible to monitor process creation by hooking the NtResumeThread function.
However, the parameter passed to the function is a thread handle, not process handle. In order to monitor the new process, we need the process handle.
To get the process handle, we can call the NtQueryInformationThread function on the thread to get the PID of its owner process, and then use PID to open the process handle.
With the process handle, it is possible to inject code into the new process, so the new process will get hooked as well. Any child processes created by the hooked process will be hooked too.
Here is a simple DLL that hooks the NtResumeThread function to inject itself into child processes created by the hooked process.
#include
#include
#include
#include "apihook.h"
#pragma comment(lib,"ntdll.lib")
typedef NTSTATUS (NTAPI *pNtResumeThread)(HANDLE,PULONG);
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef struct _THREAD_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PTEB TebBaseAddress;
CLIENT_ID ClientId;
ULONG_PTR AffinityMask;
LONG Priority;
LONG BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
EXTERN_C NTSTATUS NTAPI RtlAdjustPrivilege(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
char szDllName[1024];
API_HOOK NRTHook;
NTSTATUS NTAPI HookNtResumeThread(HANDLE hThread,PULONG SuspendCount)
{
HANDLE hProcess;
PVOID mem;
BYTE byte;
pNtResumeThread fnNtResumeThread;
THREAD_BASIC_INFORMATION tbi;
fnNtResumeThread=(pNtResumeThread)NRTHook.OrigFunction;
if(NT_SUCCESS(NtQueryInformationThread(hThread,(THREADINFOCLASS)0,&tbi,sizeof(tbi),NULL)))
{
hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,(DWORD)tbi.ClientId.UniqueProcess);
if(hProcess)
{
if(ReadProcessMemory(hProcess,NRTHook.FunctionAddress,&byte,1,NULL))
{
if(byte==0xe9)
{
NtClose(hProcess);
return fnNtResumeThread(hThread,SuspendCount);
}
}
mem=VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
if(mem)
{
WriteProcessMemory(hProcess,mem,szDllName,strlen(szDllName),NULL);
QueueUserAPC((PAPCFUNC)LoadLibraryA,hThread,(ULONG_PTR)mem);
}
NtClose(hProcess);
}
}
return fnNtResumeThread(hThread,SuspendCount);
}
BOOL WINAPI DllMain(HMODULE hModule,DWORD dwReason,LPVOID lpReserved)
{
switch(dwReason)
{
case DLL_PROCESS_ATTACH:
GetModuleFileName(hModule,szDllName,1024);
InitAPIHook(&NRTHook,"ntdll.dll","NtResumeThread",HookNtResumeThread);
StartAPIHook(&NRTHook);
break;
case DLL_PROCESS_DETACH:
UnhookAPIHook(&NRTHook);
RemoveAPIHook(&NRTHook);
break;
}
return TRUE;
}