
I am attempting to implement some very basic debugger protection to prevent kids from using easy tricks to reverse engineer my software. While these simple measures are easy to bypass, they will at least keep out the uninformed. The following code is from a tutorial online, and I wanted to ask for your opinions as to whether this is safe to use in production code. I am hesitant because of the fact that this function is undocumented by Microsoft and thus may or may not change completely from one version of Windows to another. The last thing I want is for my application to begin crashing on Windows 8, 9, etc. because the function signature is wrong.

The code is as follows:

#include <windows.h>
#include <winternl.h>   // NTSTATUS

// HideThread will attempt to use
// NtSetInformationThread to hide a thread
// from the debugger. Passing NULL for
// hThread will cause the function to hide the thread
// the function is running in. Also, the function returns
// false on failure and true on success
inline bool HideThread(HANDLE hThread)
{
    typedef NTSTATUS (NTAPI *pNtSetInformationThread)
            (HANDLE, UINT, PVOID, ULONG);
    NTSTATUS Status;

    // Get NtSetInformationThread (resolved at run time, since the
    // export is not declared in the public headers)
    pNtSetInformationThread NtSIT = (pNtSetInformationThread)
        GetProcAddress(GetModuleHandle( TEXT("ntdll.dll") ),
        "NtSetInformationThread");

    // Shouldn't fail
    if (NtSIT == NULL)
        return false;

    // Set the thread info
    if (hThread == NULL)
        Status = NtSIT(GetCurrentThread(),
                0x11, // ThreadHideFromDebugger
                0, 0);
    else
        Status = NtSIT(hThread, 0x11, 0, 0);

    // STATUS_SUCCESS is 0; anything else is treated as failure
    if (Status != 0x00000000)
        return false;
    else
        return true;
}

Is this safe to use?

Kind regards,

Philip Bennefall

Comments:

You've asked 14 questions but never voted on anything or accepted an answer to one of your questions. Right now you're only taking from the community & not contributing to it. – John Dibling Nov 15 '11 at 21:57

I have been trying to figure out how to accept answers and how to vote ever since I joined. I am blind, and thus I use a screen reader to interpret the screen content. This program has trouble with certain dynamic web pages, of which Stack Overflow is one example. I can see the up vote text, but it is not clickable for me (it just shows up as normal static text). I very much apologize for this. – Philip Bennefall Nov 15 '11 at 22:13

While I agree that such comments may be a bit unnecessary, I still feel that I have a responsibility to give back to this type of community that has proven invaluable in the past. I will try to see if the screen reader has some command that I don't know about to do these types of things. – Philip Bennefall Nov 15 '11 at 22:46

3 Answers


If it is undocumented then it is, by definition, unsafe to use, as it can be removed or modified at any time without warning.

That said, there are certain undocumented features in most systems that are so widely known and used that nobody in their right mind would dare change them, and thus they would be pretty safe to use.

In your particular case, just Googling around, it is documented here. It is just not an ordinary API, but rather a driver support routine. So it should be reasonably stable. I mean, it might disappear in a future version of Windows, should the driver model change, but as long as it exists it will likely be as it is now.

rodrigo


NtSetInformationXxx and NtQueryInformationXxx might be undocumented, but, as previously stated, they are so widely used, and there is so much code that relies on them, that it is unlikely they will undergo a major change that would break them in such a way. As far as documentation for them goes, there is this, which documents a lot of the "undocumented" APIs. Furthermore, since you are tinkering with anti-debugging techniques, I'd like to point your attention to this paper, which gives a very good overview of the possible anti-debugging techniques and their countermeasures by hackers.

LordDoskias

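The countermeasure side mentioned above is worth a concrete check. An added example, not the asker's code and not from any of the answers: a debugger plugin that hooks NtSetInformationThread usually returns STATUS_SUCCESS while silently dropping the ThreadHideFromDebugger class, so HideThread reporting true proves nothing. The code below hides the calling thread, reads the flag back, and probes the query path with a deliberately wrong buffer length. It relies on assumptions taken from public anti-debugging references rather than from this page: that NtQueryInformationThread accepts class 0x11 on Vista and later and writes a one-byte BOOLEAN, that any other length yields STATUS_INFO_LENGTH_MISMATCH (0xC0000004), and that older systems answer STATUS_INVALID_INFO_CLASS (0xC0000003) for that class. The names judge_hide, hide_and_verify and hide_verdict are chosen for this example. Like the question's code, it resolves the ntdll exports at run time, and the same undocumented-API caveat applies.

```c
/* Added example, not from the original post: hide the current thread and
 * verify the ThreadHideFromDebugger flag actually took effect.
 *
 * Assumptions (from public anti-debugging references, not from the page):
 *  - NtQueryInformationThread accepts info class 0x11 on Vista and later
 *    and writes a 1-byte BOOLEAN;
 *  - with a buffer length other than 1 it returns STATUS_INFO_LENGTH_MISMATCH;
 *  - on older systems the class is rejected with STATUS_INVALID_INFO_CLASS.
 * judge_hide, hide_and_verify and hide_verdict are names chosen here.
 */
#include <stdint.h>

#define THREAD_HIDE_FROM_DEBUGGER   0x11
#define STATUS_INVALID_INFO_CLASS   ((int32_t)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH ((int32_t)0xC0000004)

typedef enum {
    HIDE_OK,           /* flag set and the query path behaves as expected     */
    HIDE_NOT_APPLIED,  /* honest failure: missing export, old OS, access denied */
    HIDE_API_TAMPERED  /* success reported but flag clear, or query path hooked */
} hide_verdict;

/* Platform-independent decision step. Each argument is one observation made
 * on Windows by hide_and_verify below. NTSTATUS is a signed 32-bit value,
 * negative on failure, so it is carried here as int32_t. */
hide_verdict judge_hide(int32_t set_status, int32_t query_status,
                        unsigned char hidden, int32_t bad_length_status)
{
    /* Class not supported at all (pre-Vista): nothing can be verified. */
    if (bad_length_status == STATUS_INVALID_INFO_CLASS)
        return HIDE_NOT_APPLIED;
    /* The real ntdll path rejects a wrong length; a hook that accepts it
     * is not the real code path. */
    if (bad_length_status != STATUS_INFO_LENGTH_MISMATCH)
        return HIDE_API_TAMPERED;
    /* Honest failures are reported as "not applied" for the caller to handle. */
    if (set_status < 0 || query_status < 0)
        return HIDE_NOT_APPLIED;
    /* Set call reported success but the flag is still clear: it was neutered. */
    return hidden ? HIDE_OK : HIDE_API_TAMPERED;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NTSTATUS */

typedef NTSTATUS (NTAPI *NtSIT_t)(HANDLE, ULONG, PVOID, ULONG);
typedef NTSTATUS (NTAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Hide the calling thread, read the flag back, then probe the query path
 * with a deliberately wrong buffer length. Windows-only. */
hide_verdict hide_and_verify(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtSIT_t NtSIT = (NtSIT_t)GetProcAddress(ntdll, "NtSetInformationThread");
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(ntdll, "NtQueryInformationThread");
    if (NtSIT == NULL || NtQIT == NULL)
        return HIDE_NOT_APPLIED;

    HANDLE me = GetCurrentThread();   /* pseudo-handle, nothing to close */
    NTSTATUS set_status = NtSIT(me, THREAD_HIDE_FROM_DEBUGGER, NULL, 0);

    BOOLEAN hidden = 0;
    NTSTATUS query_status = NtQIT(me, THREAD_HIDE_FROM_DEBUGGER,
                                  &hidden, sizeof hidden, NULL);

    ULONG wrong_size = 0;             /* 4 bytes where 1 is expected */
    NTSTATUS bad_length_status = NtQIT(me, THREAD_HIDE_FROM_DEBUGGER,
                                       &wrong_size, sizeof wrong_size, NULL);

    return judge_hide(set_status, query_status, hidden, bad_length_status);
}
#endif
```

The decision logic is kept separate from the Windows calls so it can be exercised on any platform; on Windows, a HIDE_API_TAMPERED verdict from hide_and_verify is the signal the question's HideThread cannot give on its own, since a hooked NtSetInformationThread returns 0 just like the real one.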

As far as I can see, the NtSetInformationThread function is now (indirectly) documented on MSDN, since it uses ZwSetInformationThread. It is thus safe to use. Can someone confirm this, or are there other reasons to tag this function as "undocumented" and thus unsafe to use?

mox