Leaderboard

Haven't we all 🙋‍♂️ 😉 - I've been making a point lately to review code and just write comments when anything is unclear (once I figure out what I was thinking).

The only self explanatory code is the trivial one. In other situations there is no such thing as self explanatory code, especially if it also needs to be performant and thread-safe. I have written tons of self explanatory code, for which now I don't know what was I smoking at the time. Sometimes, after a lot of digging I can remember why it was written like that and why it should stay that way, but mostly no. So I am not sure if it was just crappy code from the times I didn't know better, or there are valid reasons behind the awkward design choices.

Good point, but remember invoking/calling CreateThread from local thread doesn't require specific privileges but while injecting (almost always ) with CreateRemoteThreads does require security privileges. This is interesting https://github.com/stephenfewer/ReflectiveDLLInjection/pull/17 FireFox indeed tries (tried in the past i don't know the current code) to protect itself from remote injection by hooking the BaseThreadInitThunk not the RtlUserThreadStart, for the same reason that RtlUserThreadStart is not always the start point. More hmmm. Doesn't really tell me much with regard to the source of the thread. Well you are diving deeper into OS kernel, so to make sure we are on the same page first let clear the separation of the functions in the OS as whole Kernel part and kernel user part. In Windows there is 3 levels of functions, and they are named little differently, sometimes the difference is only with Nt or Zw against nothing, or completely different name encapsulating multi functionality. eg CreateThread is for RTL user mode, this will internally call NtCreateThread we still in the kernel but in the user part which is lower than user process but higher than the kernel itself (the hidden and protected one), then comes ZwCreateThread which reside in the kernel and this one is system call not system function, meaning the execution is not done by simple assembly branching instruction like JMP or CALL, no this is done by SYSCALL and SYSENTER https://www.felixcloutier.com/x86/syscall https://www.felixcloutier.com/x86/sysenter This page https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/using-nt-and-zw-versions-of-the-native-system-services-routines explain the difference but still hard to grasp or understand it from one reading, hence i am trying (or failing) to make clearer a little. With each level different checks are performed for security, errors, ... Zw calls are essentially to be called directly and exclusively form drivers and the kernel, Nt calls are less strict yet these Nt call are the ones that will check for privileges to perform/acces from User more process, while Zw are the ultimate to decide as there is many of them will simply refuse to execute because the calling thread is not kernel one, Nt will refuse to execute if you don't have user mode privileges. Take as example CloseHandle, this function does close almost everything yet it called CloseHandle, there is NtCloseHandle, but there is no ZwCloseHandle, there is ZwClose that perform all the closing in the kernel. Now i drifted far form the question and your comment (but for IMO good reason), NtCreateThreadEx is the real function behind CreateThread (which in fact is calling NtCreateThread) from the User Mode and will perform the same functionality but it does have the last check for privileges and context to execute or invoke a new thread. Not sure if this was clear, i just hope.

The GetSystemTimes call reminds me of System.Threading.TThreadPool.TThreadPoolMonitor.Execute which calls TThread.GetCPUUsage all the time. See https://quality.embarcadero.com/browse/RSP-43540

There are other ways for a thread to get started, but ignoring that and assuming it was created with CreateThread, one could simply place a breakpoint on the CreateThread import in Winapi.Windows and investigate the call stack as the threads gets crated.

In the program to be monitored, add code to make it answer to a message (for example a TCP socket or a pipe or a Windows message). Write a second program launch the first and periodically connect to the main program and check if he gets an answer. If no answer, it kills the program et start it again. When the second program starts the first (CreateProcess), it gets an handle that can be waited to catch when the program stops normally.

It is a bug in Delphi 12 (and also Patch 1): https://quality.embarcadero.com/browse/RSP-42675, reported 3 month ago. You need to unload the project and load it again when switching from debug to release or vice versa.

https://github.com/Pigrecos/TensorFlow.Delphi TensorFlow.Delphi provides a Delphi(Pascal)Standard binding for tensorflow It aims to implement the complete Tensorflow API in Delphi which allows Pascal developers to develop, train and deploy Machine Learning models with the Pascal Delphi(porting to free pascal in the future). Note: This is a work-in-progress. please treat it as such.Pull request are welcome

I believe Embarcadero strip comments as part of their build process.