waliedassar

SuppressDllMains --> SkipThreadAttach

Dec 7th, 2012
  1. //http://www.waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //---------------code of walied.dll (the dummy dll)----
  5. //-----------------------------------------------------
  6. //-----------------------------------------------------
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "stdio.h"
  10.  
  // Entry point of the dummy DLL (walied.dll).
  // It shows a message box for every thread-attach and thread-detach
  // notification it receives, which makes it visible whether such a
  // notification was delivered for a given thread. All other reasons
  // (process attach/detach) are accepted silently.
  // NOTE(review): DllMain is invoked while the loader lock is held, and
  // blocking UI calls such as MessageBox are discouraged there; this is
  // tolerable for a throw-away demo only.
  BOOL APIENTRY DllMain(HANDLE hModule,int reason,void*)
  {
      switch(reason)
      {
      case DLL_THREAD_ATTACH:
          MessageBox(0,"Thread attached","waliedassar",0);
          break;
      case DLL_THREAD_DETACH:
          MessageBox(0,"Thread detached","waliedassar",0);
          break;
      default:
          // Nothing to report for the remaining notification reasons.
          break;
      }
      return TRUE;
  }
  23. //================================================================
  24. //================================================================
  25. //-----------code of main executable-------------------
  26. #include "stdafx.h"
  27. #include "windows.h"
  28. #include "stdio.h"
  29.  
  30. //--------------------Definitions--------------------------
  // Thread-creation flags, passed as the Flags argument of ZwCreateThreadEx.
  // Only SuppressDllMains is used by main() below. Per the paste title, it
  // corresponds to the SkipThreadAttach bit in the new thread's TEB flags.
  #define CreateSuspended          0x1
  #define SuppressDllMains         0x2
  #define HideFromDebugger         0x4

  // TEB bit flags (names as given by the paste author; not referenced by
  // the code below, listed for reference).
  #define DisableATlThunkEmulation 0x1
  #define InDebugPrint             0x2
  #define HasFiberData             0x4
  #define SkipThreadAttach         0x8
  #define WerShipAssert            0x10
  #define RanProcessInit           0x20
  #define ClonedThread             0x40
  #define SuppressDebugMsg         0x80
  #define CORSpecific              0x400 // .NET application
  44. //--------------------Structures-------------------------
  // Counted wide-character string, referenced by OBJECT_ATTRIBUTES::ObjectName.
  // Presumably mirrors the native UNICODE_STRING layout (length, maximum
  // length, buffer) - verify before relying on the field meanings.
  // The demo never fills one in: main() passes 0 for the object attributes.
  struct UNICODE_S
  {
      unsigned short len;   // current length of the string
      unsigned short max;   // capacity of the buffer
      wchar_t*       pStr;  // wide-character buffer
  };
  // Object-attributes block taken by ZwCreateThreadEx (third parameter of
  // the FUNC prototype). It is declared locally with plain C types; the
  // demo passes 0 instead of a populated instance.
  struct OBJECT_ATTRIBUTES
  {
      unsigned long Length;                    // presumably sizeof(OBJECT_ATTRIBUTES) - confirm
      HANDLE        RootDirectory;
      UNICODE_S*    ObjectName;
      unsigned long Attributes;
      void*         SecurityDescriptor;
      void*         SecurityQualityOfService;
  };
  60. //----------------------------------------------------------
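  // Prototype used to call ntdll!ZwCreateThreadEx after resolving it with
  // GetProcAddress. The export is undocumented, so the parameter list is
  // the paste author's reconstruction.
  // The return value is an NTSTATUS carried in an int: negative means failure.
  // The three stack-related parameters are pointer-sized in the native
  // interface. They were declared unsigned long, which is only 32 bits wide
  // on 64-bit Windows; size_t keeps the 32-bit ABI identical and makes the
  // prototype correct for 64-bit builds as well.
  typedef int(__stdcall *FUNC)(
      HANDLE*            hThread,             // receives the handle of the new thread
      int                DesiredAccess,       // access mask requested for that handle
      OBJECT_ATTRIBUTES* ObjectAttributes,    // optional; the demo passes 0
      HANDLE             ProcessHandle,       // process in which the thread is created
      void*              lpStartAddress,      // thread start routine
      void*              lpParameter,         // argument handed to the start routine
      unsigned long      Flags,               // CreateSuspended / SuppressDllMains / HideFromDebugger
      size_t             StackZeroBits,
      size_t             SizeOfStackCommit,
      size_t             SizeOfStackReserve,
      void*              lpBytesBuffer);      // optional; the demo passes 0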
  66.  
  67.  
  // Start routine of the demo thread: prints a marker line and returns,
  // which ends the thread.
  // NOTE(review): this is not declared with the usual thread-start
  // signature and calling convention; confirm it is safe for the build
  // target before reusing it.
  void Watch(unsigned char* pTEB)
  {
      (void)pTEB; // never read; main() passes 0 as the thread argument
      fputs("New Thread\r\n",stdout);
  }
  73.  
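  // Demo driver.
  //  1. Loads walied.dll, whose DllMain shows a message box on every
  //     thread-attach/detach notification it receives.
  //  2. Creates a thread in the current process through ZwCreateThreadEx
  //     with the SuppressDllMains flag and waits for it to finish.
  // Comparing a run with SuppressDllMains against a run with 0 shows whether
  // the DLL was notified about the new thread.
  //
  // Detection note: any monitoring that learns about new threads only from
  // a DLL's DLL_THREAD_ATTACH notification does not see a thread for which
  // that notification is suppressed; kernel-level thread-creation telemetry
  // does not depend on DllMain being called.
  //
  // Returns 0 on success and 1 if the thread could not be created.
  int main(int argc, char* argv[])
  {
      (void)argc;
      (void)argv;

      //---------Load a dummy dll-------------
      if(!LoadLibrary("walied.dll"))
      {
          // Without the DLL nothing observes the notifications, but the
          // thread can still be created, so only warn.
          printf("LoadLibrary(walied.dll) failed, error %lu\r\n",(unsigned long)GetLastError());
      }

      HMODULE hNtdll=GetModuleHandle("ntdll.dll");
      FUNC ZwCreateThreadEx=hNtdll?(FUNC)GetProcAddress(hNtdll,"ZwCreateThreadEx"):0;
      if(!ZwCreateThreadEx)
      {
          printf("ZwCreateThreadEx not found in ntdll.dll\r\n");
          return 1;
      }

      HANDLE hThread=0;
      // 0x1FFFFF requests full access to the new thread object.
      int status=ZwCreateThreadEx(&hThread,0x1FFFFF,0,GetCurrentProcess(),&Watch,0,
                                  /*you can replace this flag with 0*/SuppressDllMains,
                                  0,0x1000,0x10000,0);
      if(status<0 || !hThread)
      {
          // Negative NTSTATUS: no thread exists, so there is nothing to wait on.
          printf("ZwCreateThreadEx failed, status 0x%08X\r\n",(unsigned int)status);
          return 1;
      }

      // The thread is not created suspended here, so this call has no
      // effect; it only matters if CreateSuspended is added to the flags.
      ResumeThread(hThread);
      WaitForSingleObject(hThread,INFINITE);
      CloseHandle(hThread); // release the handle returned by ZwCreateThreadEx
      return 0;
  }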