NtQueryInformationThread

Prototype

NTSTATUS NtQueryInformationThread(
  HANDLE          ThreadHandle,
  THREADINFOCLASS ThreadInformationClass,
  PVOID           ThreadInformation,
  ULONG           ThreadInformationLength,
  PULONG          ReturnLength
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 25 00 00 00      mov eax, 0x25
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

SSN `0x25` since Windows 10 1507 — a remarkably stable anchor. Two classes dominate offensive use. ThreadBasicInformation (0) returns a `THREAD_BASIC_INFORMATION` whose `TebBaseAddress` field exposes the target thread's TEB, which is the canonical way to derive PEB / module lists when GS-relative reads are not desirable (e.g. when EAF — Export Address Filter — is enabled in the target). ThreadHideFromDebugger (17) returns a single BYTE indicating whether the hide bit is set; that read-back is the heart of the *anti-anti-debug check* — if your hide flag is mysteriously cleared, an EDR or analyst tool stripped it. ThreadIsTerminated (14) is used in sleep-mask loops to wake early if the parent commands shutdown.

Common malware usage

Five practical recipes. (1) EAF bypass: read the TEB via ThreadBasicInformation instead of `gs:[0x30]`, which avoids triggering the hardware breakpoint Microsoft's EAF mitigation places on PEB access. (2) Anti-anti-debug: set ThreadHideFromDebugger, then immediately query it back — if the read-back is 0, an instrumented ntdll is silently swallowing the set. (3) Sleep-mask wake check: poll ThreadIsTerminated on a sister thread to coordinate teardown without an event object. (4) ThreadStartAddress probe (NtQueryInformationThread class 9) to walk other threads and pick injection targets that look like legitimate work threads (RPC, RuntimeBroker). (5) Walk EPROCESS via TEB → PEB → LDR for module enumeration without touching kernel32!GetModuleHandle.

Detection opportunities

There is no per-call ETW signal for queries (unlike NtSetInformationThread setting ThreadHideFromDebugger, which is logged). Detection has to focus on side effects: enumerations that touch every thread in remote processes, or sequences of NtSetInformationThread(17) followed *immediately* by NtQueryInformationThread(17) on the same handle within microseconds — that's the anti-anti-debug pattern. Defender's Network Protection / Attack Surface Reduction rules do not cover this; the cleanest signal is at-the-edge EDR hooks on ntdll!NtQueryInformationThread filtered by ThreadInformationClass == 0 or == 0x11 from non-system-DLL callers.

Direct syscall examples

// Set the hide flag, then query it back. If the readback returns 0,
// an EDR or analysis tool is silently neutralizing NtSetInformationThread —
// strong signal we're being analyzed.
typedef NTSTATUS(NTAPI* fnSet)(HANDLE, ULONG, PVOID, ULONG);
typedef NTSTATUS(NTAPI* fnQuery)(HANDLE, ULONG, PVOID, ULONG, PULONG);

BOOL HideFlagSurvived(void) {
    HMODULE n = GetModuleHandleA("ntdll.dll");
    fnSet pSet = (fnSet)GetProcAddress(n, "NtSetInformationThread");
    fnQuery pQuery = (fnQuery)GetProcAddress(n, "NtQueryInformationThread");
    pSet((HANDLE)-2, 0x11 /* ThreadHideFromDebugger */, NULL, 0);
    BOOLEAN hidden = FALSE;
    ULONG  rl = 0;
    pQuery((HANDLE)-2, 0x11, &hidden, sizeof(hidden), &rl);
    return hidden != 0;
}

; SSN 0x25 across all modern builds.
NtQueryInformationThread PROC
    mov  r10, rcx
    mov  eax, 25h
    syscall
    ret
NtQueryInformationThread ENDP

// Cargo: windows-sys = "0.59"
use windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA, GetProcAddress};

#[repr(C)]
struct ThreadBasicInformation {
    exit_status: i32,
    teb_base_address: *mut u8,
    client_id: [usize; 2],
    affinity_mask: usize,
    priority: i32,
    base_priority: i32,
}

type NtQueryInformationThread = unsafe extern "system" fn(
    thread: isize, class: u32, info: *mut u8, len: u32, ret_len: *mut u32,
) -> i32;

pub unsafe fn get_self_teb() -> Option<*mut u8> {
    let n = GetModuleHandleA(b"ntdll.dll\0".as_ptr());
    let addr = GetProcAddress(n, b"NtQueryInformationThread\0".as_ptr())?;
    let f: NtQueryInformationThread = std::mem::transmute(addr);
    let mut tbi = ThreadBasicInformation {
        exit_status: 0, teb_base_address: core::ptr::null_mut(),
        client_id: [0; 2], affinity_mask: 0, priority: 0, base_priority: 0,
    };
    let mut rl = 0u32;
    if f(-2, 0 /* ThreadBasicInformation */, &mut tbi as *mut _ as *mut u8,
         core::mem::size_of::<ThreadBasicInformation>() as u32, &mut rl) == 0 {
        Some(tbi.teb_base_address)
    } else { None }
}

MITRE ATT&CK mappings

• T1622Debugger Evasionmitre ↗
• T1057Process Discoverymitre ↗
• T1106Native APImitre ↗