
SuppressDllMains --> SkipThreadAttach

waliedassar Dec 7th, 2012 263 Never
  1. //http://www.waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //---------------code of walied.dll (the dummy dll)----
  5. //-----------------------------------------------------
  6. //-----------------------------------------------------
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "stdio.h"
  10.  
  // Entry point of the dummy DLL (walied.dll).
  // Pops a message box for every thread attach/detach notification it receives,
  // so it is visible on screen whether a given thread caused DllMain to run.
  // Process attach/detach and any other reason are ignored. Always returns TRUE.
  // NOTE(review): DllMain runs while the loader is notifying modules; calling a
  // UI function such as MessageBox here is acceptable for a demo only.
  BOOL APIENTRY DllMain(HANDLE hModule,int reason,void*)
  {
          switch(reason)
          {
          case DLL_THREAD_ATTACH:
                  // A new thread announced itself to this DLL.
                  MessageBox(0,"Thread attached","waliedassar",0);
                  break;
          case DLL_THREAD_DETACH:
                  // A thread that is exiting announced itself to this DLL.
                  MessageBox(0,"Thread detached","waliedassar",0);
                  break;
          default:
                  break;
          }
          return TRUE;
  }
  23. //================================================================
  24. //================================================================
  25. //-----------code of main executable-------------------
  26. #include "stdafx.h"
  27. #include "windows.h"
  28. #include "stdio.h"
  29.  
  30. //--------------------Definitions--------------------------
  // Thread-creation flags. main() passes SuppressDllMains as the Flags argument
  // of ZwCreateThreadEx; the other two are presumably OR-able into the same
  // argument (not exercised by this file).
  #define CreateSuspended          0x00000001
  #define SuppressDllMains         0x00000002
  #define HideFromDebugger         0x00000004
  // Per-thread bit flags stored in the TEB (names as given by the paste's author).
  // Per the paste title, a thread created with SuppressDllMains ends up with
  // SkipThreadAttach set, so a tool that enumerates threads can use this bit to
  // spot threads for which DLL thread-attach notifications were skipped.
  #define DisableATlThunkEmulation 0x0001
  #define InDebugPrint             0x0002
  #define HasFiberData             0x0004
  #define SkipThreadAttach         0x0008
  #define WerShipAssert            0x0010
  #define RanProcessInit           0x0020
  #define ClonedThread             0x0040
  #define SuppressDebugMsg         0x0080
  #define CORSpecific              0x0400 // .NET application (author's note)
  44. //--------------------Structures-------------------------
  // Counted wide-character string, referenced by OBJECT_ATTRIBUTES::ObjectName.
  // Presumably mirrors the native UNICODE_STRING layout (Length, MaximumLength,
  // Buffer) - confirm; no instance is created by the code in this file.
  struct UNICODE_S
  {
          unsigned short  len;   // current length of the string
          unsigned short  max;   // capacity of the buffer behind pStr
          wchar_t        *pStr;  // pointer to the characters
  };
  // Local declaration of the object-attributes record taken by ZwCreateThreadEx
  // (third parameter of FUNC). main() passes a null pointer for it, so no field
  // is ever filled in by this file.
  struct OBJECT_ATTRIBUTES
  {
          unsigned long   Length;                    // size of this structure
          HANDLE          RootDirectory;             // optional root directory handle
          UNICODE_S      *ObjectName;                // optional object name
          unsigned long   Attributes;                // attribute bit flags
          void           *SecurityDescriptor;        // optional security descriptor
          void           *SecurityQualityOfService;  // optional QoS record
  };
  60. //----------------------------------------------------------
  // Pointer type for ntdll's ZwCreateThreadEx, which main() resolves at run time
  // with GetProcAddress. The int return value is the native status code.
  // NOTE(review): the three stack-related parameters are declared unsigned long
  // here; the native prototype presumably uses pointer-sized integers, which only
  // coincides with unsigned long on 32-bit builds - confirm before building x64.
  typedef int(__stdcall *FUNC)(
          HANDLE* hThread,                      // receives the new thread handle
          int DesiredAccess,                    // access mask requested for that handle
          OBJECT_ATTRIBUTES* ObjectAttributes,  // may be null
          HANDLE ProcessHandle,                 // process that will own the thread
          void* lpStartAddress,                 // thread start routine
          void* lpParameter,                    // argument handed to the start routine
          unsigned long Flags,                  // CreateSuspended / SuppressDllMains / HideFromDebugger
          unsigned long StackZeroBits,
          unsigned long SizeOfStackCommit,
          unsigned long SizeOfStackReserve,
          void* lpBytesBuffer);
  66.  
  67.  
  // Start routine of the thread created in main(): announces on stdout that the
  // new thread is running, then returns.
  // NOTE(review): despite its name, pTEB receives the lpParameter value given to
  // ZwCreateThreadEx (0 in main()); it is not read here.
  void Watch(unsigned char* pTEB)
  {
          (void)pTEB;
          fputs("New Thread\r\n",stdout);
  }
  73.  
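  // Demo driver. Loads the dummy DLL, then starts one extra thread in the current
  // process through ntdll's ZwCreateThreadEx with the SuppressDllMains flag and
  // waits for it to finish. With the flag set the DLL's "Thread attached" /
  // "Thread detached" boxes are expected to stay silent (per the paste title);
  // with 0 in its place they appear, which is the control case.
  //
  // Failures are reported on stderr and make the program return 1, because a
  // missing DLL or a failed thread creation would otherwise look exactly like
  // successfully suppressed notifications. Returns 0 once the thread has ended.
  int main(int argc, char* argv[])
  {
          (void)argc;
          (void)argv;

          //---------Load a dummy dll-------------
          // Bare file name: the DLL is located through the normal DLL search order,
          // so run the demo from a directory you control.
          if(!LoadLibrary("walied.dll"))
          {
                  // Keep going, but say so: without the DLL nothing can show a box.
                  fprintf(stderr,"warning: walied.dll could not be loaded\n");
          }

          FUNC ZwCreateThreadEx=(FUNC)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwCreateThreadEx");
          if(!ZwCreateThreadEx)
          {
                  fprintf(stderr,"error: ZwCreateThreadEx is not exported by ntdll.dll\n");
                  return 1;
          }

          HANDLE hThread=0;
          // 0x1FFFFF requests full access to the new thread; 0x1000 / 0x10000 are the
          // stack commit and reserve sizes (see the FUNC parameter names).
          int status=ZwCreateThreadEx(&hThread,0x1FFFFF,0,GetCurrentProcess(),&Watch,0,
                                      /*you can replace this flag with 0*/SuppressDllMains,
                                      0,0x1000,0x10000,0);
          // Native status codes are negative on failure.
          if(status<0 || !hThread)
          {
                  fprintf(stderr,"error: ZwCreateThreadEx failed, status 0x%08X\n",(unsigned int)status);
                  return 1;
          }

          // Only has an effect if CreateSuspended is OR'ed into the flags above.
          ResumeThread(hThread);
          WaitForSingleObject(hThread,INFINITE);
          // The thread handle is released when the process exits on return.
          return 0;
  }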