Endpoint security system extension

When I develop the system extension tool, I need to subscribe to the remote thread creation event. When the remote thread injection is triggered, I want to get the id, module name and starting function name of the remote thread. How can I get this information from es_event_remote_thread_create_t? If I can't get this information from es_event_remote_thread_create_t, is there any other way to get it?

Answered by DTS Engineer in 834308022

When I develop the system extension tool, I need to subscribe to the remote thread creation event. When the remote thread injection is triggered, I want to get the id, module name and starting function name of the remote thread.

So, the issue here is that those constructs come from the dynamic library structure and the symbolication system. They aren't fundamental to the execution process and don't necessarily "exist" at all. Notably, in the case where an attacker is actually exploiting remote thread execution, they'll often have injected executable data directly into the target process, not loaded from a specific library.

How can I get this information from es_event_remote_thread_create_t?

You can't; there is insufficient information to do so.

If I can't get this information from es_event_remote_thread_create_t, is there any other way to get it?

No. Functionally, what you're asking is equivalent to symbolicating an arbitrary address in another process. That's theoretically possible, however:

  1. You don't have the address or any straightforward way to get it.

  2. This is a "notify" event, which means the moment has already "passed" by the time you find out about it.

In other words, #2 means that even if you could capture the process state at the point you receive the event, there's no guarantee the target thread even exists, much less shows what you want to know.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
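For readers building the detection side of this, the following is an added example (Swift, written here; it is not code from this thread or from Apple) of what an Endpoint Security client can actually record from ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE: the process that made the call (message.process), the process that received the thread (event.remote_thread_create.target), and whether an es_thread_state_t was attached. It assumes the binary carries the com.apple.developer.endpoint-security.client entitlement and runs as root; the helper names (string(from:), pid(of:), describe, handleRemoteThreadCreate) are this example's own. Consistent with the answer above, no module or function name is derived, because the event does not carry one.

```swift
import EndpointSecurity
import Foundation

// Added example, not code from the thread or from Apple. It logs what a
// remote-thread-create notification carries: the creating process
// (message.process), the target process (event.remote_thread_create.target)
// and an optional es_thread_state_t. Module and start-function names are
// not part of the event. Needs the endpoint-security.client entitlement
// and root to get past es_new_client.

/// Copy an es_string_token_t into a String. Tokens are not NUL-terminated,
/// so always honour `length` instead of scanning for a terminator.
func string(from token: es_string_token_t) -> String {
    guard let data = token.data, token.length > 0 else { return "" }
    let bytes = UnsafeRawBufferPointer(start: data, count: token.length)
    return String(decoding: bytes, as: UTF8.self)
}

/// The pid is element 5 of the audit token (the field audit_token_to_pid reads).
func pid(of process: es_process_t) -> pid_t {
    return pid_t(process.audit_token.val.5)
}

/// One-line description of a process for the detection log.
func describe(_ process: es_process_t) -> String {
    let path = string(from: process.executable.pointee.path)
    let signingID = string(from: process.signing_id)
    let teamID = string(from: process.team_id)
    return "pid=\(pid(of: process)) path=\(path) signing_id=\(signingID) " +
           "team_id=\(teamID) platform_binary=\(process.is_platform_binary)"
}

/// Record creator -> target for one remote thread creation. `source` is the
/// process that made the Mach call; `target` is the process that got the thread.
func handleRemoteThreadCreate(_ message: UnsafePointer<es_message_t>) {
    let source = message.pointee.process.pointee
    let event = message.pointee.event.remote_thread_create
    let target = event.target.pointee

    // thread_state is nil when no initial register state accompanied the event;
    // when present, only the flavor is logged here (the raw state is opaque bytes).
    var stateNote = "thread_state=absent"
    if let state = event.thread_state {
        stateNote = "thread_state=present flavor=\(state.pointee.flavor)"
    }

    // True when the creator and the target are different processes, which is
    // the case a detection rule normally wants to surface.
    let crossProcess = pid(of: source) != pid(of: target)
    NSLog("remote_thread_create cross_process=\(crossProcess) \(stateNote)\n" +
          "  source: \(describe(source))\n  target: \(describe(target))")
}

var client: OpaquePointer?
let result = es_new_client(&client) { _, message in
    // NOTIFY events need no es_respond_* call; handle and return promptly.
    if message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE {
        handleRemoteThreadCreate(message)
    }
}
guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else {
    fatalError("es_new_client failed with \(result)")
}

let events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE]
guard es_subscribe(esClient, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}
dispatchMain()
```

The useful detection signal in this event is the pair of processes, not the thread: which executable (path, signing ID, team ID, platform-binary flag) created a thread in which other executable. Because it is a notify event, the handler should only log and return; any follow-up inspection of the target process happens asynchronously, and as the answer notes, the thread may already be gone by then.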
