KWorld is a kernel driver for removing the anti-debugging technique ThreadHideFromDebugger from processes.
More reverse engineering at https://www.colinsenner.com/blog.
- Windows 11 Pro, 64-bit (Build 22631.3155) 10.0.22631 (Fully-patched 2/19/2024)
- VMWare Workstation 17 Pro (17.5.0 build-22583795)
ThreadHideFromDebugger is a technique used by malware to hide from debuggers. It works by calling NtSetInformationThread with the undocumented ThreadHideFromDebugger (0x11) information class, which marks the calling thread as hidden from debuggers. Once a thread is hidden, the debugger is no longer notified of exceptions raised in it (a breakpoint, for instance), so the process crashes immediately because the debugger is unable to handle the exception.
KWorld goes through all threads in the process and removes the ThreadHideFromDebugger flag from each thread. This allows the process to be debugged without crashing.
KWorld comes with the following projects:
- KmdWorld - Kernel driver (C)
- KThreadUnhide - User-mode application (C# WPF .NET 8.0)
- KThreadUnhideCLI - Console user-mode application (C++)
- NoBreakpointsAllowed - Test application (C++)
You can run NoBreakpointsAllowed.exe and attempt to attach a debugger to it (It calls Kernel32!Sleep once per second). Then run .\KThreadUnhideCLI.exe <pid> and attempt to attach a debugger to NoBreakpointsAllowed.exe again. You will see that the process does not crash and you can debug it.
You can run DebugView from SysInternals to see all debug output from the KmdWorld driver.
Since the offsets of fields in the _ETHREAD and _EPROCESS structures can differ between Windows versions, I look up the offsets once at runtime. We need the offset of the ThreadHideFromDebugger flag in the _ETHREAD structure, which I find by locating the function PsIsThreadTerminating in ntoskrnl.exe. The first instruction of this function is
Where 560h is the offset of the CrossThreadFlags in the _ETHREAD structure. Bit 3 of CrossThreadFlags is the HideFromDebugger flag.
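The offset lookup described above, as an added example that is not part of the KmdWorld driver: a user-mode C routine that decodes the CrossThreadFlags displacement from a constructed copy of the PsIsThreadTerminating prologue, refuses anything that does not match the expected instruction shape, and a helper that clears the flag the way the driver does per thread. The stub bytes, the assumed x64 encoding of the prologue and the zero-based bit position of HideFromDebugger are assumptions, not values taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the first bytes of PsIsThreadTerminating.
 * Assumed x64 encoding: 8B 81 <disp32> = mov eax, [rcx+disp32],
 * then 83 E0 01 = and eax, 1 (tests the Terminated bit) and C3 = ret. */
static const uint8_t kPsIsThreadTerminatingStub[] = {
    0x8B, 0x81, 0x60, 0x05, 0x00, 0x00, /* mov eax, [rcx+560h] */
    0x83, 0xE0, 0x01,                   /* and eax, 1          */
    0xC3                                /* ret                 */
};

/* HideFromDebugger as a zero-based bit (bit 2, i.e. the third bit; the text
 * above counts it as "bit 3"). Assumption: confirm with
 * "dt nt!_ETHREAD CrossThreadFlags" in WinDbg for the build you run on. */
#define HIDE_FROM_DEBUGGER_MASK (1u << 2)

/* Decode the CrossThreadFlags offset from the function prologue.
 * Returns the disp32 on success, or -1 when the bytes do not match the
 * expected shape, so a new kernel build fails loudly instead of patching
 * the wrong field. */
long crossthreadflags_offset(const uint8_t *code, size_t len) {
    if (len < 9) return -1;
    if (code[0] != 0x8B || code[1] != 0x81) return -1;                     /* mov eax,[rcx+disp32] */
    if (code[6] != 0x83 || code[7] != 0xE0 || code[8] != 0x01) return -1;  /* and eax,1 */
    uint32_t disp = (uint32_t)code[2] | ((uint32_t)code[3] << 8) |
                    ((uint32_t)code[4] << 16) | ((uint32_t)code[5] << 24);
    /* Sanity: a field offset is 4-byte aligned and well inside _ETHREAD. */
    if ((disp & 3u) != 0 || disp > 0x2000u) return -1;
    return (long)disp;
}

/* Mirrors the per-thread operation of the driver: clear HideFromDebugger and
 * leave every other CrossThreadFlags bit untouched. */
uint32_t clear_hide_from_debugger(uint32_t cross_thread_flags) {
    return cross_thread_flags & ~HIDE_FROM_DEBUGGER_MASK;
}

int main(void) {
    long off = crossthreadflags_offset(kPsIsThreadTerminatingStub,
                                       sizeof kPsIsThreadTerminatingStub);
    printf("CrossThreadFlags offset: 0x%lx\n", off);
    printf("flags 0x%x -> 0x%x\n", 0x6u, clear_hide_from_debugger(0x6u));
    return off < 0;
}
```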

