malwarelab / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook

Combine OrphanThreads and SSDT_By_Threads plugins #16

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Combine the two plugins to create a single plugin that marks suspicious threads based on:

1) orphaned threads per the usual 
2) threads with hooked ssdts per the usual
3) threads in idle process with tid != 0 
4) anything else?

Original issue reported on code.google.com by michael.hale@gmail.com on 3 Apr 2011 at 5:52

GoogleCodeExporter commented 9 years ago
4) show module for starting address
5) show module for current address
6) threads with TID == 0 now owned by idle (PID == 0)

Original comment by michael.hale@gmail.com on 4 Apr 2011 at 4:31
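The checks listed in the two comments above, written out as an added stand-alone example (this is not the malwarecookbook plugin, nor Volatility code; it reads no memory image). Threads and loaded modules are constructed in-process with made-up XP-style addresses; an SSDT entry counts as hooked when its handler falls outside every loaded module (the usual test); the tag names are invented for this illustration, and item 6 is read as "threads with TID 0 that are owned by something other than the idle process (PID 0)", which is an assumption about the intended wording.

```python
"""Combined thread-tagging heuristics as an added illustration (not the
malwarecookbook plugin itself): orphaned start address, hooked SSDT,
idle-process / TID 0 anomalies, plus the owning module of the start and
current addresses.  All input is constructed in-process; nothing is read
from a memory image."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IDLE_PID = 0  # PID of the System Idle Process


@dataclass
class Module:
    """A loaded kernel module and its virtual address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Thread:
    """The few _ETHREAD fields the heuristics need (constructed, not parsed)."""
    pid: int
    tid: int
    start_address: int
    current_address: int  # saved instruction pointer of the thread
    ssdt: Dict[int, int] = field(default_factory=dict)  # service index -> handler


def find_module(modules: List[Module], addr: int) -> Optional[Module]:
    """Return the module whose range covers addr, or None if it is unbacked."""
    return next((m for m in modules if m.contains(addr)), None)


def hooked_ssdt_entries(thread: Thread, modules: List[Module]) -> List[int]:
    """Service indices whose handler lies outside every loaded module."""
    return [idx for idx, addr in sorted(thread.ssdt.items())
            if find_module(modules, addr) is None]


def tag_thread(thread: Thread, modules: List[Module]) -> dict:
    """Apply the checks from the issue and return a row with module names and tags."""
    start_mod = find_module(modules, thread.start_address)
    cur_mod = find_module(modules, thread.current_address)
    hooked = hooked_ssdt_entries(thread, modules)
    tags = []
    if start_mod is None:                              # 1) start address in no module
        tags.append("OrphanThread")
    if hooked:                                         # 2) thread's SSDT has a foreign entry
        tags.append("HookedSSDT")
    if thread.pid == IDLE_PID and thread.tid != 0:     # 3) idle process, non-zero TID
        tags.append("IdleNonZeroTid")
    if thread.tid == 0 and thread.pid != IDLE_PID:     # 6) read as TID 0 outside idle (assumption)
        tags.append("ZeroTidOutsideIdle")
    return {
        "pid": thread.pid,
        "tid": thread.tid,
        "start_module": start_mod.name if start_mod else "UNKNOWN",   # 4)
        "current_module": cur_mod.name if cur_mod else "UNKNOWN",     # 5)
        "hooked_ssdt": hooked,
        "tags": tags,
    }


def scan_threads(threads: List[Thread], modules: List[Module]) -> List[dict]:
    return [tag_thread(t, modules) for t in threads]


# Constructed sample data: two kernel modules with made-up but plausible
# XP-era ranges, and four threads that each exercise one or two heuristics.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F7000),   # ends at 0x806CE000
    Module("win32k.sys", 0xBF800000, 0x1C0000),
]
CLEAN_SSDT = {0x25: 0x805B3F60, 0xAD: 0x805C5C50}   # both handlers inside ntoskrnl
HOOKED_SSDT = {**CLEAN_SSDT, 0xAD: 0x81A2C000}       # 0xAD redirected to unbacked memory

SAMPLE_THREADS = [
    Thread(pid=4, tid=8, start_address=0x805E2000, current_address=0x804E1234, ssdt=CLEAN_SSDT),
    Thread(pid=4, tid=0x1A0, start_address=0x81A2C100, current_address=0x805C5C60, ssdt=HOOKED_SSDT),
    Thread(pid=0, tid=0x2C, start_address=0x804E0000, current_address=0x804E0010, ssdt=CLEAN_SSDT),
    Thread(pid=1234, tid=0, start_address=0xBF801000, current_address=0xBF802000, ssdt=CLEAN_SSDT),
]

if __name__ == "__main__":
    for row in scan_threads(SAMPLE_THREADS, MODULES):
        print(f"{row['pid']:>5} {row['tid']:>5} {row['start_module']:<13} "
              f"{row['current_module']:<13} {','.join(row['tags']) or '-'}")
```

The second sample thread shows why the checks are worth combining: its start address is unbacked (orphan) and the service table it runs under has one entry pointing into the same unbacked region, so a single row carries both tags and the "current module" column still shows it parked inside ntoskrnl.exe.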

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r57.

Original comment by michael.hale@gmail.com on 26 Apr 2011 at 2:03