waliedassar

Trigger STATUS_GUARD_VIOLATION

Oct 22nd, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Code to trigger STATUS_GUARD_PAGE_VIOLATION in a nerdy way.
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
// THREADINFOCLASS value 0 (ThreadBasicInformation), redefined here because only windows.h is included.
#define ThreadBasicInformation 0x0
// Hand-rolled mirror of the native THREAD_BASIC_INFORMATION buffer filled in by
// ZwQueryInformationThread(ThreadBasicInformation). main() only reads
// TEBAddress; the trailing array exists so sizeof() stays at 7 DWORDs (0x1C
// bytes) and the kernel accepts the buffer length. The field widths assume a
// 32-bit process (unsigned long == pointer), consistent with the fs:[0] inline
// asm used elsewhere in this file.
struct THREAD_BASIC_INFORMATION
{
        unsigned long ExitStatus;   // thread exit status (not used by this program)
        unsigned long TEBAddress;   // base of the thread's TEB; main() reads NT_TIB fields from it
        unsigned long shit[0x5]; //Only to preserve the structure's size
};
// Prototype for the ntdll.dll native API (not declared by windows.h). It
// returns an NTSTATUS: negative values indicate failure, so callers should
// check the result before trusting the contents of the output buffer.
// The __stdcall convention and the unsigned long widths match a 32-bit build.
extern "C"
{
        int __stdcall ZwQueryInformationThread(HANDLE,unsigned long,THREAD_BASIC_INFORMATION*,unsigned long,unsigned long*);
}
// Worker thread body: parks forever so the thread's stack (and its guard page)
// stays in place while main() inspects it. The return value is never observed
// because the process terminates via ExitProcess() before Sleep() could return.
int dummy()
{
    int result = 1;
    Sleep(INFINITE);
    return result;
}
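// STATUS_GUARD_PAGE_VIOLATION: raised on the first touch of a PAGE_GUARD page.
// Named here instead of comparing against a bare 0x80000001 literal.
static const unsigned long GUARD_PAGE_VIOLATION_CODE = 0x80000001UL;

// Raw x86 SEH frame handler, linked at fs:[0] by main().
//
// pRec     - the exception record being dispatched
// est      - establisher frame (unused)
// pContext - thread context at the fault (unused)
// disp     - dispatcher context (unused)
//
// Returns ExceptionContinueSearch for anything other than the guard-page hit,
// so a plain access violation or any other fault still reaches the default
// handler. On the expected guard-page hit it reports success and terminates
// the process, so it does not return in that case.
int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
{
    (void)est;
    (void)pContext;
    (void)disp;
    if(pRec->ExceptionCode==GUARD_PAGE_VIOLATION_CODE)
    {
        MessageBox(0,"Expected","waliedassar",0);
        ExitProcess(0);
    }
    return ExceptionContinueSearch;
}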
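// Demo entry point (x86 only: the inline asm, fs:[0] and the 32-bit TEB offsets
// below assume a 32-bit process).
//
// Creates a parked worker thread, locates its stack through the TEB, and
// deliberately reads the guard page just below the committed stack so the
// kernel raises STATUS_GUARD_PAGE_VIOLATION in this thread, where Handler()
// is installed to catch it. Every exit goes through ExitProcess() because
// returning normally would leave fs:[0] pointing at a frame on a dead stack.
void main()
{
    //--------------Install Exception Handler----------------------------
    // Hand-built EXCEPTION_REGISTRATION_RECORD on main's stack, linked at the
    // head of the TEB ExceptionList (fs:[0]). It is intentionally never unlinked.
    __asm
    {
        push offset Handler
        push dword ptr fs:[0x0]
        mov dword ptr fs:[0x0],esp
    }
    //-------------Create a new thread and extract some info------------
    unsigned long tid=0;
    // dummy() parks in Sleep(INFINITE), so the worker's stack stays put while we inspect it.
    HANDLE h=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&dummy,0,0,&tid);
    if(!h)
    {
        // Do not 'return' here: the SEH frame pushed above would dangle.
        ExitProcess(1);
    }
    printf("Thread %x has been created.\r\n",tid);
    THREAD_BASIC_INFORMATION TBI={0};
    // NTSTATUS: negative on failure. Unchecked, a failed query leaves
    // TEBAddress==0 and the TEB reads below dereference a near-NULL pointer.
    int status=ZwQueryInformationThread(h,ThreadBasicInformation,&TBI,sizeof(TBI),0);
    if(status<0 || TBI.TEBAddress==0)
    {
        printf("ZwQueryInformationThread failed: %x\r\n",(unsigned)status);
        ExitProcess(1);
    }
    printf("Thread TEB at %x\r\n",TBI.TEBAddress);
    // The TEB begins with an NT_TIB: +0x0 ExceptionList, +0x4 StackBase,
    // +0x8 StackLimit. The value at +0x8 is therefore the lowest committed
    // stack address, not the thread's live stack pointer; the printed label
    // is kept as-is for output compatibility.
    char* p=(char*)(TBI.TEBAddress);
    unsigned long StackBase=*(unsigned long*)(p+0x4);
    unsigned long StackLimit=*(unsigned long*)(p+0x8);
    printf("Thread Stack base: %x\r\n",StackBase);
    printf("Thread Stack Current: %x\r\n",StackLimit);
    //--------------Trigger the STATUS_GUARD_VIOLATION------------------
    // The page directly below StackLimit is the stack's PAGE_GUARD page.
    unsigned long px=StackLimit-0x1000;
    MEMORY_BASIC_INFORMATION MBI={0};
    if(VirtualQuery((void*)px,&MBI,sizeof(MBI)))
    {
         printf("Protect: %x\r\n",MBI.Protect);
         if(!(MBI.Protect&PAGE_GUARD))
         {
             // Without the guard bit the read below faults with a plain access
             // violation, which Handler() deliberately passes on.
             printf("Page is not PAGE_GUARD; expect an access violation instead.\r\n");
         }
         // The read itself is the whole point. Assigning it to an unused local
         // lets the optimizer drop the access entirely; volatile forces it.
         unsigned char x=*(volatile unsigned char*)px;
         (void)x;
    }
    //--------------------------------------------------------------
    ExitProcess(0);
}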