brad-sp / cuckoomon-modified

Modified edition of cuckoomon
GNU General Public License v3.0

NtOpenThread and NtQueueApcThread unable to log ProcessId and ThreadId #15

Open MerX1030 opened 9 years ago

MerX1030 commented 9 years ago

Sample for your reference: http://cuckoo.killerinstinct.me/analysis/283/

The process in question is mqaqEuYFGpUxPKE.exe (PID: 352). Issue found in Windows 7. Logging works fine for Windows XP. Thanks!

brad-sp commented 9 years ago

This must be due to being unable to duplicate the handle of the thread that was opened (as we use that to obtain pid/tid information, otherwise we'd have to maintain our own metadata based on the handle) -- I'll debug it further when I have some time.

MerX1030 commented 9 years ago

Suspected that as well. Will work with Windows XP for the meantime. Thanks!