A PoC attempt at hunting suspicious thread creation events using ETW only. It currently identifies:
- Unbacked Thread creation calls
- Unbacked StartAddress
- JOP based StartAddress
The main reason for writing this was to see whether it is possible to detect a JOP/gadget-based StartAddress such as a `jmp rcx`.
It does this by grabbing the remote module's .pdata (the x64 exception directory of RUNTIME_FUNCTION entries) and checking whether an entry covers the StartAddress; a StartAddress that falls inside an entry but is not that entry's BeginAddress is flagged, since a legitimate thread start lands on a function start rather than in the middle of one.
- The unbacked checks will generate FPs within JIT applications such as .NET, Java, etc., because JIT-compiled code has no backing image and no .pdata entry.
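The classification described above, written out as an added example (this is not the project's own main.cpp/util.cpp). It assumes a RuntimeFunction struct mirroring the x64 IMAGE_RUNTIME_FUNCTION_ENTRY layout (three 32-bit RVAs) and a ModuleInfo record holding a module's image range plus its .pdata table, which the linker emits sorted by BeginAddress; the module and table here are constructed so the code compiles and runs off Windows. In the real tool the table would be read from the remote image's exception directory (IMAGE_DIRECTORY_ENTRY_EXCEPTION) and the module list from the ETW image-load events.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Mirrors the x64 IMAGE_RUNTIME_FUNCTION_ENTRY layout (BeginAddress, EndAddress,
// UnwindInfoAddress; all RVAs). Declared locally so this builds on any platform.
struct RuntimeFunction {
    uint32_t BeginAddress;
    uint32_t EndAddress;
    uint32_t UnwindInfoAddress;
};

// A loaded module as the classifier sees it: image range plus its .pdata entries.
// Assumption: pdata is sorted by BeginAddress, as the linker writes it.
struct ModuleInfo {
    std::string name;
    uint64_t base;
    uint64_t size;
    std::vector<RuntimeFunction> pdata;
};

enum class ThreadStartVerdict {
    Unbacked,       // StartAddress lies outside every loaded module (JIT code or injected memory)
    NoUnwindEntry,  // inside a module image, but no .pdata entry covers it (data, or JIT'd FP case)
    FunctionStart,  // StartAddress == BeginAddress of an entry: a normal thread start
    MidFunction     // inside an entry but not at BeginAddress: JOP/gadget-style start (e.g. jmp rcx)
};

// Unbacked check: does any module's image range contain the address?
const ModuleInfo* findModule(const std::vector<ModuleInfo>& mods, uint64_t addr) {
    for (const auto& m : mods)
        if (addr >= m.base && addr < m.base + m.size) return &m;
    return nullptr;
}

// Binary search the sorted table for the entry whose [BeginAddress, EndAddress) holds rva.
const RuntimeFunction* findEntry(const std::vector<RuntimeFunction>& pdata, uint32_t rva) {
    auto it = std::upper_bound(pdata.begin(), pdata.end(), rva,
        [](uint32_t v, const RuntimeFunction& f) { return v < f.BeginAddress; });
    if (it == pdata.begin()) return nullptr;   // rva is below the first function
    --it;                                      // last entry with BeginAddress <= rva
    return (rva >= it->BeginAddress && rva < it->EndAddress) ? &*it : nullptr;
}

ThreadStartVerdict classifyStartAddress(const std::vector<ModuleInfo>& mods, uint64_t start) {
    const ModuleInfo* m = findModule(mods, start);
    if (!m) return ThreadStartVerdict::Unbacked;
    uint32_t rva = static_cast<uint32_t>(start - m->base);
    const RuntimeFunction* f = findEntry(m->pdata, rva);
    if (!f) return ThreadStartVerdict::NoUnwindEntry;
    return rva == f->BeginAddress ? ThreadStartVerdict::FunctionStart
                                  : ThreadStartVerdict::MidFunction;
}

const char* verdictName(ThreadStartVerdict v) {
    switch (v) {
        case ThreadStartVerdict::Unbacked:      return "Unbacked";
        case ThreadStartVerdict::NoUnwindEntry: return "NoUnwindEntry";
        case ThreadStartVerdict::FunctionStart: return "FunctionStart";
        default:                                return "MidFunction";
    }
}

// Constructed sample: one fake 64 KiB module with three functions, one pair adjacent
// and a gap before the third. Addresses are invented for the example.
std::vector<ModuleInfo> sampleModules() {
    return {{"fake.dll", 0x7ff800000000ULL, 0x10000,
             {{0x1000, 0x1080, 0x5000},
              {0x1080, 0x1200, 0x5010},
              {0x2000, 0x2400, 0x5020}}}};
}

int main() {
    auto mods = sampleModules();
    const uint64_t probes[] = {
        0x7ff800001000ULL,  // function start
        0x7ff800001087ULL,  // seven bytes into a function: gadget-style start
        0x7ff800003000ULL,  // inside the image, no unwind entry
        0x0000020000001000ULL,  // not inside any module
    };
    for (uint64_t p : probes)
        std::printf("%#llx -> %s\n", (unsigned long long)p,
                    verdictName(classifyStartAddress(mods, p)));
    return 0;
}
```

Only MidFunction is a strong signal on its own; Unbacked and NoUnwindEntry are exactly where the JIT false positives mentioned above land, so a real deployment would gate those on the process image (for example allow-listing CLR and JVM hosts) before alerting.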
Generate:
cmake -G "Visual Studio 18 2026" -A x64 -B build
-- Selecting Windows SDK version 10.0.26100.0 to target Windows 10.0.26200.
-- The C compiler identification is MSVC 19.51.36244.0
-- The CXX compiler identification is MSVC 19.51.36244.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files/Microsoft Visual Studio/18/Community/VC/Tools/MSVC/14.51.36231/bin/Hostx64/x64/cl.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Program Files/Microsoft Visual Studio/18/Community/VC/Tools/MSVC/14.51.36231/bin/Hostx64/x64/cl.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done (11.1s)
-- Generating done (0.1s)
-- Build files have been written to: C:/Users/dev/CLionProjects/SuspiciousThreads/build
Build:
cmake --build build
MSBuild version 18.6.3+84d3e95b4 for .NET Framework
1>Checking Build System
Building Custom Rule C:/Users/dev/CLionProjects/SuspiciousThreads/CMakeLists.txt
Scanning sources for module dependencies...
util.cpp
main.cpp
Compiling...
main.cpp
util.cpp
SuspiciousThreads.vcxproj -> C:\Users\dev\CLionProjects\SuspiciousThreads\build\Debug\SuspiciousThreads.exe
Building Custom Rule C:/Users/dev/CLionProjects/SuspiciousThreads/CMakeLists.txt
