Hello everyone,
One of Hyperion’s lesser-known features is its selective thread spawning mechanism, which involves hooks on NtCreateThread, NtCreateThreadEx, and LdrInitializeThunk. By intercepting these system calls, Hyperion can monitor and filter all threads created within its protected process.
In my latest blog post, I reverse engineer each of these functions, breaking down the logic and identifying the various checks that must be satisfied before a thread is allowed to run. You can read the full write-up here.
I have also developed a simple proof-of-concept bypass that allows you to spawn threads externally in Roblox using CreateRemoteThreadEx. The bypass is linked near the end of the blog, so I recommend reading the entire post to understand the underlying mechanics. Many of these details are rarely discussed elsewhere.
