waliedassar

ZwCreateThreadEx/HiddenFromDebugger

Nov 21st, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //In Windows versions that have ntdll.dll exporting NtCreateThreadEx, setting the 7th parameter
  4. //passed to NtCreateThreadEx to 0x4 can cause the new thread to be hidden from debuggers.
  5. #include "stdafx.h"
  6. #include "windows.h"
  7. #include "stdio.h"
  8.  
// Minimal stand-in for ntdll's UNICODE_STRING (Length, MaximumLength, Buffer),
// present only so that OBJECT_ATTRIBUTES below has the native shape. In the
// native definition both lengths are byte counts and the buffer need not be
// NUL-terminated. main() passes no object attributes, so this type is never
// instantiated in this sample.
struct UNICODE_S
{
    unsigned short len;   // byte length of the string at pStr (native: Length)
    unsigned short max;   // byte capacity of the buffer at pStr (native: MaximumLength)
    wchar_t* pStr;        // UTF-16 buffer (native: Buffer)
};
// Layout-compatible copy of the native OBJECT_ATTRIBUTES (winternl.h),
// presumably declared locally to avoid including winternl.h. main() passes 0
// for this argument, so only the pointer type matters for the FUNC prototype.
struct OBJECT_ATTRIBUTES
{
  unsigned long           Length;                    // native: sizeof(OBJECT_ATTRIBUTES)
  HANDLE                  RootDirectory;             // native: directory the name is relative to
  UNICODE_S*              ObjectName;                // native: PUNICODE_STRING
  unsigned long           Attributes;                // native: OBJ_* flags
  void*           SecurityDescriptor;                // native: PSECURITY_DESCRIPTOR
  void*           SecurityQualityOfService;          // native: PSECURITY_QUALITY_OF_SERVICE
};
  24.  
// Function-pointer type for ntdll's undocumented ZwCreateThreadEx (the same
// user-mode stub as NtCreateThreadEx). The return value is an NTSTATUS, typed
// as int here: negative means failure. __stdcall only matters on x86; it is
// ignored on x64.
// NOTE(review): in the native prototype the zero-bits and both stack-size
// parameters are pointer-sized (SIZE_T), and the last parameter is a
// PS_ATTRIBUTE_LIST pointer. `unsigned long` is 32 bits on Win64, so this
// typedef matches the ABI only for 32-bit builds — confirm before building x64.
// The 7th parameter (CreateSuspended_Flags) carries THREAD_CREATE_FLAGS_*
// values; 0x4 is the "hide from debugger" flag this sample demonstrates.
typedef int(__stdcall *FUNC)(HANDLE* hThread,int DesiredAccess,OBJECT_ATTRIBUTES* ObjectAttributes,
HANDLE ProcessHandle,void* lpStartAddress,void* lpParameter,
unsigned long CreateSuspended_Flags,unsigned long StackZeroBits,
unsigned long SizeOfStackCommit,unsigned long SizeOfStackReserve,
void* lpBytesBuffer);
  30.  
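// Start routine for the thread created in main().
// Declared with the signature Windows expects of a thread entry point
// (LPTHREAD_START_ROUTINE: DWORD WINAPI fn(LPVOID)). The original
// `void dummy()` had neither the __stdcall convention nor the parameter that
// the system's thread-start trampoline passes, so it relied on the mismatch
// being tolerated on x86; the corrected signature is right on every target.
//
// lpParameter: the lpParameter value handed to ZwCreateThreadEx (0 in this
//              sample); unused.
// Returns the thread exit code (always 0).
DWORD WINAPI dummy(LPVOID lpParameter)
{
    (void)lpParameter;
    MessageBox(NULL, "A new thread hidden from debuggers has been created!", "waliedassar", MB_OK);
    return 0;
}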
  36.  
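// Demonstrates the effect of CreateFlags value 0x4 on ZwCreateThreadEx: on
// Windows versions whose ntdll.dll exports it, the new thread is not reported
// to an attached debugger (the value matches THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER
// in unofficial ntdll headers). The thread runs dummy() and main() waits for it.
//
// Returns 0 on success, 1 if ntdll.dll or the export cannot be resolved or the
// native call fails. (The original `void main()` is a non-standard MSVC form.)
int main(void)
{
    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL)
    {
        printf("GetModuleHandle(ntdll.dll) failed: %lu\n", GetLastError());
        return 1;
    }
    // The export does not exist on older Windows versions, so it is resolved
    // at run time rather than linked; ZwCreateThreadEx and NtCreateThreadEx
    // are the same user-mode stub.
    FUNC ZwCreateThreadEx = (FUNC)GetProcAddress(hNtdll, "ZwCreateThreadEx");
    if (ZwCreateThreadEx == NULL)
    {
        printf("ZwCreateThreadEx is not exported by this ntdll.dll\n");
        return 1;
    }

    HANDLE hThread = NULL;
    // 0x1FFFFF equals THREAD_ALL_ACCESS as defined for Vista and later (the
    // literal is kept so behavior does not depend on _WIN32_WINNT).
    // Stack commit/reserve sizes (0x1000 / 0x10000) are the original's values.
    int status = ZwCreateThreadEx(&hThread, 0x1FFFFF, NULL, GetCurrentProcess(),
                                  (void*)dummy, NULL,
                                  0x4/*HiddenFromDebugger*/, 0, 0x1000, 0x10000, NULL);
    // NTSTATUS failure codes are negative. The original ignored the return
    // value and relied on hThread staying 0 on failure, which the native call
    // does not promise; check the status explicitly.
    if (status < 0 || hThread == NULL)
    {
        printf("ZwCreateThreadEx failed: NTSTATUS 0x%08lX\n", (unsigned long)status);
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);   // the original never closed the thread handle
    return 0;
}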