Create Thread Notify Routine

The Windows kernel provides drivers with the ability to register a callback that will be notified when threads are created and terminated. This ability is provided through the Windows Driver Model (WDM) export nt!PsSetCreateThreadNotifyRoutine. When a thread is created or terminated, the kernel enumerates the list of registered callbacks and notifies them of the event.

Category: Type II

Origin: The ability to register a callback that is notified when threads are created and terminated has been included since the first release of the WDM.

Capabilities: Kernel-mode code execution.

Considerations: This technique is useful because a user-mode process can control the invocation of the callback by simply creating or terminating a thread. Additionally, the callback will be notified in the context of the process that is creating or terminating the thread. This makes it possible to set the callback routine to an address that resides within ntdll.dll.

Covertness: This technique is covert in that it is possible for a backdoor to blend in with any other registered callbacks. Without having a known-good state to compare against, it would be challenging to conclusively state that a registered callback is associated with a backdoor. There are some indicators that could be used that something is odd, such as if the callback routine resides in ntdll.dll or if it resides in either the paged or non-paged pool.