Stealthy x64 thread manipulation library for calling functions inside target processes without creating remote threads or installing hooks.

woldann/NThread

NThread

NThread is a powerful, x64-focused thread manipulation library designed to safely call functions inside target processes by leveraging their existing threads.

⚙️ Built for stealth, flexibility, and reliability — no injections, no hooks, just pure thread register control.


✨ Features

  • x64 Architecture Focused — Designed specifically for x64 systems, currently supporting Windows x64.
  • 🛡️ Stealthy Operation — Avoids common AV/EDR triggers by using no remote memory allocation or shellcode.
  • 🔄 Reversible Hijacking — Temporarily controls target threads and restores them perfectly after use.
  • 🔗 Thread-Local Storage (TLS) or Equivalent — Maps your control threads safely to target threads for smooth multi-thread management.
  • ⚙️ Flexible & Reliable — Uses standard libc functions within the target process and supports advanced code reuse techniques.

🚫 Code Injection? Not Needed.

NThread does not rely on traditional code injection (e.g. shellcode, VirtualAllocEx, CreateRemoteThread, etc.).
Instead, it uses pre-existing threads and simple instruction sequences already present in most executables.

If the target process already contains the following instruction pattern:

```
0x7f0000 0x55          push rbp
0x7f0001 0xC3          ret

0x7f0050 0xEB 0xFE     jmp $
```

You can locate such an address and use it directly with ntu_attach:

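```c
// Second argument (existing_push_addr): address of the `push rbp; ret` sequence.
// Third argument (existing_jmp_addr): address of the `jmp $` instruction.
ntu_attach(tid, (void *)0x7f0000, (void *)0x7f0050);
```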

Alternatively, as demonstrated in tests/inject.c, you can allocate this code into the target process yourself:

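```c
// push rbp; ret; jmp $  (unsigned bytes: 0xC3, 0xEB and 0xFE do not fit in int8_t)
uint8_t push_sleep[] = { 0x55, 0xC3, 0xEB, 0xFE };

// Allocate memory in target process and write code
void *push_sleep_addr = VirtualAllocEx(...);
WriteProcessMemory(..., push_sleep_addr, push_sleep, sizeof(push_sleep), NULL);

// Initialize NThread with known valid instructions:
// offset 0 holds `push rbp; ret`, offset 2 holds `jmp $`
ntu_attach(tid, push_sleep_addr, (uint8_t *)push_sleep_addr + 2);
```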
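
For defenders, the two byte sequences above double as a triage signal: a thread whose instruction pointer rests exactly on `EB FE` or `55 C3` deserves a closer look. The following C code is an added example, not part of NThread; the type and function names, the region snapshot, and the sampled instruction pointers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Triage verdict for one sampled thread (hypothetical names, not NThread's). */
enum rip_class { RIP_OK = 0, RIP_AT_PUSH_RET, RIP_AT_SELF_JMP, RIP_UNMAPPED };

/* Captured copy of one executable region of the monitored process. */
struct region { uint64_t base; const uint8_t *bytes; size_t len; };

/* Classify a sampled instruction pointer against the two sequences the
 * README names: 55 C3 (push rbp; ret) and EB FE (jmp $). */
enum rip_class classify_rip(const struct region *r, uint64_t rip)
{
    if (rip < r->base || rip - r->base >= r->len)
        return RIP_UNMAPPED;          /* outside this snapshot */
    size_t off = (size_t)(rip - r->base);
    if (r->len - off < 2)
        return RIP_OK;                /* last byte: no 2-byte match possible */
    if (r->bytes[off] == 0xEB && r->bytes[off + 1] == 0xFE)
        return RIP_AT_SELF_JMP;       /* thread is parked on jmp $ */
    if (r->bytes[off] == 0x55 && r->bytes[off + 1] == 0xC3)
        return RIP_AT_PUSH_RET;       /* thread is about to run push rbp; ret */
    return RIP_OK;
}

/* Count the threads that sit on either sequence and should be escalated. */
size_t count_suspicious(const struct region *r, const uint64_t *rips, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        enum rip_class c = classify_rip(r, rips[i]);
        if (c == RIP_AT_SELF_JMP || c == RIP_AT_PUSH_RET)
            hits++;
    }
    return hits;
}

/* Constructed sample: a region at the README's 0x7f0000 with both sequences. */
static const uint8_t sample_bytes[0x52] = {
    [0x00] = 0x55, [0x01] = 0xC3, [0x50] = 0xEB, [0x51] = 0xFE };
static const struct region sample_region = { 0x7f0000, sample_bytes, sizeof sample_bytes };
static const uint64_t sample_rips[] = { 0x7f0050, 0x7f0010, 0x7f0000, 0x7f0051, 0x800000 };

int main(void)
{
    size_t n = sizeof sample_rips / sizeof sample_rips[0];
    printf("%zu of %zu threads flagged\n", count_suspicious(&sample_region, sample_rips, n), n);
    return 0;
}
```

A single sample is only a hint; a thread that stays on `jmp $` across repeated samples is the stronger signal.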

TODO

  • nttunnel

    • Separate the currently intertwined fschan and nttunnel functions
      to create a more modular, channel-based architecture.
    • Enable adding different types of channels.
  • ntutils

    • Improve the init function to allow
      • More flexible and parameterized configurations.
      • Advanced initialization options.
  • Linux support

    • Consider developing a kernel module-based method for Linux.
