Originally Posted by norox
Hi,
Does anyone know whether, for a kernel "thread" object obtained with NtQuerySystemInformation, it is possible to find out who created that object in memory?
Or, let's say, is it possible, within a certain process such as cmd.exe, to identify which of the listed "thread" objects were not created by the process cmd.exe?
Note: I'm looking to identify an object that was created by a foreign process in the current process. Also, I'm trying to understand whether the activity of objects like "Event" and "Mutex" increases when a foreign process changes the normal behavior of a certain process.
Thanks in advance
Regards