GET /api/techniques/109/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 109,
    "key": "suspendthread",
    "unprotect_id": "U0101, C0055",
    "name": "SuspendThread",
    "description": "Suspending threads is an anti-debugging technique used by malware to freeze a user-mode debugger attached to it and make it harder for analysts to reverse engineer and analyze the code. It is performed with the `SuspendThread` function exported by kernel32.dll or the lower-level `NtSuspendThread` function exported by ntdll.dll. \r\n\r\nThe malware can enumerate the threads of a target process (for example, the debugger process), or locate the debugger by searching for a named window and resolving the thread that owns it, open that thread with a handle that has the `THREAD_SUSPEND_RESUME` access right, and then suspend it. Once its threads are suspended the debugger stops executing, so breakpoints and stepping no longer work and analysis is disrupted. Because the malware has to obtain a handle to a thread in a foreign process, the sequence of thread or window enumeration followed by `OpenThread` and `SuspendThread`/`NtSuspendThread` against another process is itself a useful indicator for detection logic. \r\n\r\nMalware authors use this technique to evade detection and analysis and to make their code more difficult to understand.",
    "resources": "https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread\nhttp://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtSuspendThread.html\nhttps://secret.club/2021/01/04/thread-stuff.html",
    "creation_date": "2019-03-23T17:09:11Z",
    "tags": "SuspendThread,\r\nNtSuspendThread,\r\nDebugging,\r\nAnti-debugging,\r\nThread enumeration,\r\nProcess enumeration,",
    "modification_date": "2023-10-04T10:44:18.329000Z",
    "category": [
        3
    ],
    "rules": [
        65
    ],
    "attachments": [],
    "featured_api": [
        18,
        23,
        26,
        27,
        28,
        29,
        30,
        106,
        133,
        239,
        245,
        290,
        295,
        355,
        412,
        419
    ],
    "contributors": []
}