Suspending Kernel Mode Threads...

[omidgl]

Hi.

I know windows driver model (programming).
I know how to suspend user-mode threads.
Can anyone help me about suspending kernel-mode threads.

Thanks

Hello,

Try ZwSuspendThread / ZwResumeThread (Kernel mode Counterpart of SuspendThread & ResumeThread).

I don't know if it will works on Kernel mode thread created with PsCreateSystemThread for example...

If this is one of your drivers, you should use Kernel events (as user-mode events) :

KeSetEvent and KeWaitxxx or KeWaitForSingleObject (or KeWaitForMultipleObjects).

There's also some timer routines like KeInitializeTimer(Ex) and KeSetTimer.

As usual, you should be carefull about differents IRQL required by those routines.

Hope it could help.

Regards, Neitsa.

[omidgl]

Let me describe exactly what I want.

I'm about to suspend some protection threads in XTreme protector kernel-driver, to make another Ring-0 dumper be able to dump the process memory.

Regards
OMID

are these threads spawned by the driver (PsCreateSystemThread) or by the EXE application (which, afaik, as elevated privileges and has access to some ring-0 memory pages such as the IDT & the Xprotector driver).

Perhaps you could look into patching the driver directly or hooking PsCreateSystemThread.

This snippet will lower the IRQL (not nec unless in DISPATCH_MODE or greater, but safe if you're not sure). Create an event and then wait for it (infinitely). As the event never gets triggered, the thread will never run again *sniff ;(, poor thread*. If you do want it to run at a later time, simply trigger the event.

LARGE_INTEGER TotalTime = {0,0};
KeLowerIrql(0);
KeInitializeEvent(&NonEvent, NotificationEvent, FALSE);
status = KeWaitForSingleObject(
&NonEvent,
Executive, //Suspended,
KernelMode,
TRUE,
&TotalTime
);

Hope this helps, WCFF

[pp2]

You can try to use "rootkit" technics and remove thread from scheduler list (see recent articles at rootkit.com how to do it). If you control scheduler you decide whether system thread is runnable or not now. Anyway suspending some system threads maybe extremely dangerous and cause immediate exception (and BSOD also), so you should check thread's IRQL.

look here http://www.security.org.sg/code/sdtrestore.html

Quote:

Originally Posted by hksonngan

look here http://www.security.org.sg/code/sdtrestore.html

Look here too:
http://www.rootkit.com/newsread.php?newsid=200

Regards,
Opcode

Quote:

Originally Posted by omidgl

Hi.
I know windows driver model (programming).
I know how to suspend user-mode threads.
Can anyone help me about suspending kernel-mode threads.
Thanks

In kernel mode you can create a thread by calling "PsCreateSystemThread" API and then you can suspend it by calling "KeWaitForSingleObject" API .Find more in Microsoft Development Kit (DDK) .
Goodluck

[omidgl]

I don't want to suspend current thread, It's all about to suspend other driver threads so KeWaitForSingleObject can't do anything about it.

If you know the KTHREAD address of those system threads, just
remove it from the internal kernel thread lists like
KiDispatcherReadyListHead and KiWaitListHead.
If you make this, the kernel thread will not get any CPU time

Take a look in the klister source code at www.rootkit.com
and this paper:
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski.pdf

Regards,
Opc0de