Achilles' heel of SSDT Hook ThreadFromDebugger

[qq928880189]

This hook is completely disabled for targets that can only be attached Because the target executes the ThreadFromDebugger flag at the beginning of the program It crashes when the target is debugged in an additional way Can you set it to remove the ThreadFromDebugger flag as an add-on so that it can be debuggable

[Mattiwatti]

It is probably possible to do this in TitanHide upon receiving the initial 'hide from debugger' command, by iterating over all threads in the process and clearing PS_CROSS_THREAD_FLAGS_HIDEFROMDBG from each thread's CrossThreadFlags in ETHREAD. I am kind of reluctant to do this however, because it would mean having to find the offset of CrossThreadFlags for the currently running kernel version. This is definitely possible, but to do this reliably would require a lot more code than I think this feature is worth.

Question: why can't you do the following?

1. CreateProcess(nullptr, CommandLine, ..., CREATE_SUSPENDED, ...);
2. Run TitanHide and give it the newly created PID.
3. Attach your debugger.
4. Resume process.
5. Prevent any threads created in the process from being hidden from the debugger. TitanHide already takes care of the NtSetInformationThread way to do this.

Admittedly (and this is a separate issue) TitanHide could be improved by adding an NtCreateThreadEx hook, since that is an alternative method of hiding a thread without having to call NtSetInformationThread. ScyllaHide does hook NtCreateThreadEx, so you may want to look into that.

[Mattiwatti]

This has been fixed in 7252fc5.