Question

I am attempting to implement some very basic debugger protection to prevent kids from using easy tricks to reverse engineer my software. While these simple measures are easy to bypass, they will at least keep out the uninformed. The following code is from a tutorial online, and I wanted to ask for your opinions as to whether this is safe to use in production code. I am hesitant because of the fact that this function is undocumented by Microsoft and thus may or may not change completely from one version of Windows to another. The last thing I want is for my application to begin crashing on Windows 8, 9, etc. because the function signature is wrong.

The code is as follows:

#include <windows.h>
#include <winternl.h>   // NTSTATUS

// HideThread will attempt to use NtSetInformationThread to hide a thread
// from the debugger. Passing NULL for hThread will cause the function to
// hide the thread the function is running in. The function returns
// false on failure and true on success.
inline bool HideThread(HANDLE hThread)
{
    typedef NTSTATUS (NTAPI *pNtSetInformationThread)
        (HANDLE, UINT, PVOID, ULONG);
    NTSTATUS Status;

    // Get NtSetInformationThread from ntdll.dll at run time
    pNtSetInformationThread NtSIT = (pNtSetInformationThread)
        GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")),
                       "NtSetInformationThread");

    // Shouldn't fail, but bail out rather than call a NULL pointer
    if (NtSIT == NULL)
        return false;

    // Set the thread info: class 0x11 is ThreadHideFromDebugger,
    // which takes no buffer (NULL pointer, zero length)
    if (hThread == NULL)
        Status = NtSIT(GetCurrentThread(),
                       0x11, // ThreadHideFromDebugger
                       0, 0);
    else
        Status = NtSIT(hThread, 0x11, 0, 0);

    // STATUS_SUCCESS is 0; anything else is reported as failure
    return Status == 0x00000000;
}

Is this safe to use?

Kind regards,

Philip Bennefall
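The asker's concern is a signature or behaviour change breaking the application on a later Windows version. The following is an added example (not the asker's code and not from any answer) showing how to make the same call degrade gracefully instead of crashing: the export is resolved at run time, the four-argument prototype is the one published for ZwSetInformationThread in ntifs.h (HANDLE, THREADINFOCLASS, PVOID, ULONG), and the returned NTSTATUS is interpreted with the same rule as the NT_SUCCESS macro, so an unknown information class (STATUS_INVALID_INFO_CLASS, 0xC0000003, or STATUS_NOT_IMPLEMENTED, 0xC0000002) is treated as "unsupported here, carry on" rather than as a fatal error. The names HideResult, Classify and HideCurrentThread are my own; the 0x11 constant is the value from the question, and the status values are the standard NTSTATUS codes. The non-Windows branch exists only so the file compiles and the portable part can be unit-tested on any platform.

```cpp
#include <cstdint>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   // NTSTATUS
#endif

// Outcome of the best-effort call; the application keeps running in every case.
enum class HideResult { Applied, Unsupported, Failed, NotWindows };

// Information class value used by the question's code. It is not part of the
// public THREADINFOCLASS in winternl.h, hence the literal.
constexpr unsigned long kThreadHideFromDebugger = 0x11;

// NTSTATUS codes that mean "this build does not understand the request".
constexpr std::int32_t kStatusNotImplemented   = static_cast<std::int32_t>(0xC0000002);
constexpr std::int32_t kStatusInvalidInfoClass = static_cast<std::int32_t>(0xC0000003);

// Same test as the NT_SUCCESS macro: severity bits clear, i.e. value >= 0.
constexpr bool IsNtSuccess(std::int32_t status) { return status >= 0; }

// Portable policy: decide what a status means for the application.
// (Hypothetical helper, not a Windows API.)
HideResult Classify(std::int32_t status) {
    if (IsNtSuccess(status)) return HideResult::Applied;
    if (status == kStatusInvalidInfoClass || status == kStatusNotImplemented)
        return HideResult::Unsupported;   // unknown class on this build: degrade, do not crash
    return HideResult::Failed;            // e.g. STATUS_ACCESS_DENIED on the handle
}

#ifdef _WIN32
// Prototype as documented for ZwSetInformationThread in ntifs.h:
// (HANDLE, THREADINFOCLASS, PVOID, ULONG); ULONG stands in for the enum.
typedef NTSTATUS (NTAPI *NtSetInformationThread_t)(HANDLE, ULONG, PVOID, ULONG);

HideResult HideCurrentThread() {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == nullptr) return HideResult::Unsupported;
    auto fn = reinterpret_cast<NtSetInformationThread_t>(
        GetProcAddress(ntdll, "NtSetInformationThread"));
    if (fn == nullptr) return HideResult::Unsupported;   // export missing: skip, never call NULL
    // ThreadHideFromDebugger takes no buffer: NULL pointer, zero length.
    NTSTATUS st = fn(GetCurrentThread(), kThreadHideFromDebugger, nullptr, 0);
    return Classify(static_cast<std::int32_t>(st));
}
#else
// Stub so the portable part builds and tests on non-Windows hosts.
HideResult HideCurrentThread() { return HideResult::NotWindows; }
#endif

int main() {
    // Whatever the outcome, the program continues; nothing here can crash it.
    switch (HideCurrentThread()) {
        case HideResult::Applied:     return 0;
        case HideResult::Unsupported: return 0;   // run without the protection
        case HideResult::Failed:      return 0;   // log and run without it
        case HideResult::NotWindows:  return 0;
    }
    return 0;
}
```

Two caveats a practitioner should weigh before shipping this. The flag cannot be cleared once set, and a hidden thread no longer delivers its debug events to an attached debugger, so a breakpoint hit in that thread ends the process instead of stopping at it; keep the call out of debug builds and out of any thread you may need to inspect in a crash dump session. And, as the answers below note, the call is undocumented as NtSetInformationThread even though the Zw form is published, so the Unsupported branch is the one that protects you if a future build rejects the class.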


Solution

If it is undocumented then it is, by definition, unsafe to use, as it can be removed/modified at any time without warning.

That said, there are certain undocumented features in most systems that are so widely known and used that nobody in their right mind would dare change them, and thus they would be pretty safe to use.

In your particular case, just googling around, it is documented here. It is just not an ordinary API, but rather a driver support routine. So it should be reasonably stable. I mean, it might disappear in a future version of Windows, should the driver model change, but as long as it exists it will likely be as it is now.

OTHER TIPS

NtSetInformationXxx and NtQueryInformationXxx might be undocumented but, as previously stated, are so widely used, and there is so much code which relies on them, that it is unlikely they will undergo a major change which will break them in such a way. As far as documentation for them, there is this, which documents a lot of the "undocumented" APIs. Furthermore, since you are tinkering with anti-debugging techniques, I'd like to point your attention to this paper, which gives a very good overview of the possible anti-debugging techniques and their countermeasures by hackers.

As far as I can see, the NtSetInformationThread function is now (indirectly) documented on MSDN since it uses ZwSetInformationThread. It is thus safe to use it. Can someone confirm this, or are there other reasons to tag this function as "undocumented" and thus unsafe to use?

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow