2023-08-29 19:36:58 +02:00
|
|
|
#ifndef THREAD_H
|
|
|
|
|
#define THREAD_H
|
|
|
|
|
|
|
|
|
|
#include <ntifs.h>
|
|
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
#include "common.h"
|
2023-08-29 19:36:58 +02:00
|
|
|
|
2023-08-30 13:15:57 +02:00
|
|
|
typedef struct _HIDDEN_SYSTEM_THREAD_REPORT
|
|
|
|
|
{
|
2023-12-13 05:06:27 +01:00
|
|
|
INT report_code;
|
|
|
|
|
INT found_in_kthreadlist;
|
|
|
|
|
INT found_in_pspcidtable;
|
|
|
|
|
UINT64 thread_address;
|
|
|
|
|
LONG thread_id;
|
|
|
|
|
CHAR thread[4096];
|
2023-08-30 13:15:57 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
} HIDDEN_SYSTEM_THREAD_REPORT, *PHIDDEN_SYSTEM_THREAD_REPORT;
|
2023-08-30 13:15:57 +02:00
|
|
|
|
2023-09-02 10:54:04 +02:00
|
|
|
typedef struct _ATTACH_PROCESS_REPORT
|
|
|
|
|
{
|
2023-12-13 05:06:27 +01:00
|
|
|
INT report_code;
|
|
|
|
|
UINT32 thread_id;
|
|
|
|
|
UINT64 thread_address;
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
} ATTACH_PROCESS_REPORT, *PATTACH_PROCESS_REPORT;
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-11-09 08:30:59 +01:00
|
|
|
ValidateKPCRBThreads();
|
2023-09-02 15:47:15 +02:00
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-09-27 06:22:14 +02:00
|
|
|
DetectThreadsAttachedToProtectedProcess();
|
2023-09-02 15:47:15 +02:00
|
|
|
|
2023-08-29 19:36:58 +02:00
|
|
|
#endif
|
