#include <cinttypes>
#include <time.h>

// Process/thread id pair as returned by the native thread-creation API
// (pointer-sized fields, mirroring the ntdll definition).
typedef struct _CLIENT_ID
{
PVOID UniqueProcess;
PVOID UniqueThread;
} CLIENT_ID, * PCLIENT_ID;

// Function-pointer type for the undocumented ntdll export RtlCreateUserThread.
// The listing resolves it by name at runtime (GetProcAddress) rather than
// linking against it; that dynamic resolution is itself an observable artifact.
// NOTE(review): NTSTATUS/NTAPI/HANDLE/PVOID/PULONG/BOOLEAN/PSECURITY_DESCRIPTOR
// and the IN/OUT annotations are not declared on this page — presumably a
// windows.h / winternl.h include precedes it; confirm against the full file.
typedef NTSTATUS(NTAPI* RtlCreateUserThread_t)
(
IN HANDLE ProcessHandle,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN BOOLEAN CreateSuspended,
IN ULONG StackZeroBits,
IN OUT PULONG StackReserved,
IN OUT PULONG StackCommit,
IN PVOID StartAddress,
IN PVOID StartParameter,
OUT PHANDLE ThreadHandle,
OUT PCLIENT_ID ClientID
);
// Creates a thread in the current process whose *recorded* start address is a
// randomly generated value rather than `thread`: the thread is created suspended
// with that fake start address, the register holding the first argument is
// overwritten with `thread` via SetThreadContext, and the thread is resumed.
//
// Parameters:
//   thread - routine the caller actually wants to run (written into Eax/Rcx below).
//   hMod   - passed unchanged as the thread's StartParameter.
// Returns the new thread handle, or nullptr when ntdll / RtlCreateUserThread
// cannot be resolved or thread creation produced no handle. The NTSTATUS from
// RtlCreateUserThread and the results of VirtualProtect / Get/SetThreadContext /
// ResumeThread are not checked.
//
// Detection notes (defender view): every step here is telemetry-visible —
// a thread whose start address is not backed by any loaded image, a
// VirtualProtect to PAGE_EXECUTE_READWRITE on that address, GetThreadContext +
// SetThreadContext on a still-suspended thread, then ResumeThread. Thread-
// creation events that record a start address outside module ranges, paired with
// a context change before the first resume, are the signal to alert on.
HANDLE CreateSpoofedThread(void* thread, HMODULE hMod)
{
// rand() is seeded from the wall clock, so the fake address differs per run.
srand(time(NULL));
// Size handed to VirtualProtect for the fake start address (0x400 bytes).
SIZE_T DEFAULT_THREAD_SIZE = 0x400;
// Load ntdll
LoadLibraryA("ntdll");
auto hNtdll = GetModuleHandleA("ntdll");
if (!hNtdll) return nullptr;
// Resolve the undocumented export by name at runtime.
auto _RtlCreateUserThread = GetProcAddress(hNtdll, "RtlCreateUserThread");
if (!_RtlCreateUserThread) return nullptr;
// Spoofed address
std::uintptr_t tAddress = NULL;
// Generate random memory address
// ORs one random byte into byte positions 1..3 (shift i*8). The inner index j
// is never used, so each byte position is simply re-ORed three times.
for (int i = 1; i < 4; ++i)
for (int j = 1; j < 4; j++)
tAddress |= (rand() & 0xFF) << i * 8;
// Make sure it's not out-of-bounds
// The loop exits only once tAddress >= INT32_MAX; tAddress is unsigned, so a
// value that drops below INT16_MAX wraps around on the next subtraction.
while (tAddress < INT32_MAX)
tAddress -= INT16_MAX;
// VP the memory address
// Changes protection of the fake start address to RWX; return value unchecked.
VirtualProtect(reinterpret_cast<LPVOID>(tAddress), DEFAULT_THREAD_SIZE, PAGE_EXECUTE_READWRITE, nullptr);
// Only ContextFlags is set before GetThreadContext fills the rest in.
CONTEXT tContext;
HANDLE tHandle = nullptr;
RtlCreateUserThread_t RtlCreateUserThread_f = reinterpret_cast<RtlCreateUserThread_t>(_RtlCreateUserThread);
// Thread is created suspended (CreateSuspended = TRUE) in the current process,
// with the random tAddress as StartAddress and hMod as StartParameter.
// The returned NTSTATUS is ignored; only the out-handle is checked.
RtlCreateUserThread_f(GetCurrentProcess(), nullptr, TRUE, NULL, nullptr, nullptr, (PTHREAD_START_ROUTINE)tAddress, hMod, &tHandle, nullptr);
if (!tHandle) return nullptr;
tContext.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
GetThreadContext(tHandle, &tContext);
// Overwrite the argument register with the real routine before the thread
// has executed anything: Eax on the _WIN32 branch, Rcx otherwise.
#ifdef _WIN32
tContext.Eax = reinterpret_cast<ULONG32>(thread);
#else
tContext.Rcx = reinterpret_cast<ULONG64>(thread);
#endif
tContext.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
SetThreadContext(tHandle, &tContext);
// First resume after the context change — the point at which a monitor sees
// the thread start running with a modified register state.
ResumeThread(tHandle);
return tHandle;
}