The ‘threads’ command returns all the running threads in the system and can be used to filter for threads that are already in an alertable state. The ‘phantom_thread’ command, when combined with the ‘threads’ command, can be extremely powerful for hiding the in-memory traces of remote process injection.
The ‘phantom_thread’ command combines a ROP gadget technique with context hijacking of alertable threads. The ROP gadgets redirect the execution flow so that it appears to originate from a legitimate region rather than directly from the RX region. However, the gadgets required for the ROP chain are found in only a few Windows DLLs. If the required gadget is not found, the ‘phantom_thread’ command falls back to hijacking the thread without opening a handle to the target process, which is still stealthier than most injection methods. This command uses indirect syscalls where required.