
NtOpenThread and NtQueueApcThread unable to log ProcessId and ThreadId

Open MerX1030 opened this issue 10 years ago • 2 comments

Sample for your reference: http://cuckoo.killerinstinct.me/analysis/283/

The process in question is mqaqEuYFGpUxPKE.exe (PID: 352). The issue was found on Windows 7; logging works fine on Windows XP. Thanks!

MerX1030 avatar May 25 '15 15:05 MerX1030

This must be due to being unable to duplicate the handle of the thread that was opened (as we use that to obtain pid/tid information, otherwise we'd have to maintain our own metadata based on the handle) -- I'll debug it further when I have some time.

brad-sp avatar May 27 '15 18:05 brad-sp
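As an added illustration of the approach brad-sp describes above (example code written for this page, not cuckoomon-modified's own hooks): a thread-handle resolver that first tries to duplicate the handle with just query rights and ask the kernel for the owning process and thread, and, when duplication fails, falls back to a handle-keyed table that the NtOpenThread hook fills itself from the CLIENT_ID it was called with. The DuplicateHandle/GetProcessIdOfThread/GetThreadId path is real Win32 API (Vista and later) and only compiles on Windows; the table logic is portable. The handle values, PID 352 and the thread id are constructed sample data, and all function names are this example's own.

```c
/*
 * Added example (not cuckoomon code): resolving pid/tid behind a thread HANDLE
 * in a hook such as NtOpenThread or NtQueueApcThread.
 *
 * Strategy 1 (Windows only): DuplicateHandle() with THREAD_QUERY_LIMITED_INFORMATION,
 *             then query the duplicate. Fails if the caller's handle cannot be duplicated.
 * Strategy 2: handle-keyed metadata recorded by the NtOpenThread hook from the
 *             CLIENT_ID the caller passed in; used when strategy 1 is unavailable.
 */
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

typedef struct {
    uintptr_t handle;   /* HANDLE value as seen by the monitored process; 0 = free slot */
    uint32_t pid;
    uint32_t tid;
} thread_meta_t;

#define META_SLOTS 64
static thread_meta_t g_meta[META_SLOTS];

/* Called from the NtOpenThread hook after the real call succeeded. Returns 1,
 * or 0 if the table is full. Re-recording an existing handle updates it. */
int meta_record(uintptr_t handle, uint32_t pid, uint32_t tid)
{
    for (int i = 0; i < META_SLOTS; i++) {
        if (g_meta[i].handle == 0 || g_meta[i].handle == handle) {
            g_meta[i].handle = handle;
            g_meta[i].pid = pid;
            g_meta[i].tid = tid;
            return 1;
        }
    }
    return 0;
}

/* Called from the NtClose hook: handle values are recycled, so a closed handle
 * must not keep mapping to a stale thread. Returns the number of slots cleared. */
int meta_forget(uintptr_t handle)
{
    int cleared = 0;
    for (int i = 0; i < META_SLOTS; i++)
        if (handle != 0 && g_meta[i].handle == handle) { g_meta[i].handle = 0; cleared++; }
    return cleared;
}

static int meta_lookup(uintptr_t handle, uint32_t *pid, uint32_t *tid)
{
    for (int i = 0; i < META_SLOTS; i++) {
        if (handle != 0 && g_meta[i].handle == handle) {
            *pid = g_meta[i].pid;
            *tid = g_meta[i].tid;
            return 1;
        }
    }
    return 0;
}

#ifdef _WIN32
/* Strategy 1: the caller's handle may lack query rights, so ask for a duplicate
 * carrying only THREAD_QUERY_LIMITED_INFORMATION and query that. */
static int query_via_duplicate(uintptr_t handle, uint32_t *pid, uint32_t *tid)
{
    HANDLE dup = NULL;
    if (!DuplicateHandle(GetCurrentProcess(), (HANDLE)handle, GetCurrentProcess(),
                         &dup, THREAD_QUERY_LIMITED_INFORMATION, FALSE, 0))
        return 0;                          /* duplication refused: fall back to metadata */
    *pid = GetProcessIdOfThread(dup);      /* both return 0 on failure (Vista+) */
    *tid = GetThreadId(dup);
    CloseHandle(dup);
    return *pid != 0 && *tid != 0;
}
#endif

/* Returns 1 and fills pid/tid, or 0 if neither strategy knows the handle. */
int resolve_thread_ids(uintptr_t handle, uint32_t *pid, uint32_t *tid)
{
#ifdef _WIN32
    if (query_via_duplicate(handle, pid, tid))
        return 1;
#endif
    return meta_lookup(handle, pid, tid);
}

/* Single-field helpers for log formatting; 0 means "unresolved". */
uint32_t resolved_pid(uintptr_t handle) { uint32_t p = 0, t = 0; return resolve_thread_ids(handle, &p, &t) ? p : 0; }
uint32_t resolved_tid(uintptr_t handle) { uint32_t p = 0, t = 0; return resolve_thread_ids(handle, &p, &t) ? t : 0; }

int main(void)
{
    /* Constructed sample: NtOpenThread hook saw handle 0x1a4 opened for pid 352, tid 1236. */
    meta_record(0x1a4, 352, 1236);
    printf("NtQueueApcThread(0x1a4) -> pid %u tid %u\n", resolved_pid(0x1a4), resolved_tid(0x1a4));
    printf("NtQueueApcThread(0x2b8) -> pid %u tid %u (unknown handle)\n", resolved_pid(0x2b8), resolved_tid(0x2b8));
    return 0;
}
```

On a system where duplication succeeds the table is never consulted; the table only matters in the failure case the thread above is about, and it must be kept in sync with NtClose so recycled handle values do not produce wrong process and thread ids in the log.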

Suspected that as well. Will work with Windows XP in the meantime. Thanks!

MerX1030 avatar May 27 '15 18:05 MerX1030