Commit

Do not attempt to hook NtSetContextThread if the call is coming from kernel mode

*Zw*Get/SetContextThread behaves very differently from *Nt*Get/SetContextThread; e.g. calling ZwSetContextThread will modify a thread's kernel trap frame rather than the user mode CONTEXT structure that the Nt syscall expects. Modifying the KTRAP_FRAME is a good way to kill a thread and probably the rest of the OS with it
Mattiwatti authored and mrexodia committed Sep 2, 2018
1 parent 3bb2af0 commit fdf6022
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion TitanHide/hooks.cpp
Expand Up @@ -292,7 +292,8 @@ static NTSTATUS NTAPI HookNtSetContextThread(
IN PCONTEXT Context)
{
ULONG pid = (ULONG)PsGetCurrentProcessId();
bool IsHidden = Hider::IsHidden(pid, HideNtSetContextThread);
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
bool IsHidden = PreviousMode != KernelMode && Hider::IsHidden(pid, HideNtSetContextThread);
ULONG OriginalContextFlags = 0;
if(IsHidden)
{
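Review bot: the new PreviousMode test in HookNtSetContextThread has no comment saying why kernel-mode callers skip the hide logic. The reason (a Zw call operates on the thread's kernel trap frame, not the user-mode CONTEXT this hook edits) lives only in the commit message, so a one-line comment above the ExGetPreviousMode() line would stop a later cleanup from removing the guard. The commit message describes the same difference for ZwGetContextThread, yet this diff changes only the Set hook; if the file has a matching hook for NtGetContextThread, it probably needs the same `PreviousMode != KernelMode` condition. PreviousMode is read once and never modified, so it could be declared const or folded into the IsHidden expression.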