waliedassar

TEB As Anti-Memory Breakpoints

Oct 20th, 2012
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. //Code to bypass Memory Breakpoints (whether PAGE_GUARD or PAGE_NOACCESS)
//Relies on the fact that the memory protection of a TEB (or the PEB) cannot be made non-writable or guarded, but can still be made executable.
//Here, I create a dummy thread in a suspended state and then use its TEB memory to execute code.
  5. //Warning: never resume the thread.
  6. #include "stdafx.h"
  7. #include "windows.h"
  8. #include "stdio.h"
  9. #pragma comment(linker,"/OPT:NOREF")
#define ThreadBasicInformation 0x0 // THREADINFOCLASS value passed to ZwQueryInformationThread below
// Hand-rolled layout of the native THREAD_BASIC_INFORMATION; only TEBAddress is read in this file.
struct THREAD_BASIC_INFORMATION
{
    unsigned long ExitStatus;   // thread's exit NTSTATUS (not used here)
    unsigned long TEBAddress;   // TEB base, held in 32 bits (this listing targets 32-bit x86, see the __asm block in main)
    unsigned long shit[0x5]; //Only to preserve the structure's size -- stands in for the remaining members (ClientId, AffinityMask, Priority, BasePriority) that this code never reads
};
// Undocumented ntdll export declared by hand because no public header provides it.
// Returns an NTSTATUS; callers treat a non-negative value as success. The import library
// that resolves it at link time is not shown on this page.
extern "C"
{
    int __stdcall ZwQueryInformationThread(HANDLE,unsigned long,THREAD_BASIC_INFORMATION*,unsigned long,unsigned long*);
}
int dummy()
{
    // Start routine for the helper thread created in main(). That thread is created
    // suspended and never resumed, so this body is effectively never executed.
    // Always yields 0.
    int result = 0;
    return result;
}
  27.  
void Shit()
{
    // Routine whose machine code main() copies into the helper thread's TEB page and
    // calls from there. Shows a fixed message box and returns to the caller.
    const char *text = "Nothing interesting";
    const char *caption = "waliedassar";
    MessageBox(0, text, caption, 0);
}
  33.  
// Entry point (non-standard `void main`, accepted by MSVC). Creates a thread that never runs,
// re-protects the first page of its TEB as executable, copies Shit() into it and calls the copy.
// Defender's view: a PAGE_EXECUTE_READWRITE commit over a TEB address, and a CREATE_SUSPENDED
// thread that is never resumed, are both observable from a debugger or EDR and are the
// indicators of this trick.
void main()
{
    unsigned long tid=0;
    // CREATE_SUSPENDED: the thread exists (so it owns a TEB) but dummy() never executes.
    HANDLE hThread=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&dummy,0,CREATE_SUSPENDED,&tid);
    if(hThread)
    {
        // Ask the native API for the new thread's TEB base (info class 0). Non-negative NTSTATUS = success.
        THREAD_BASIC_INFORMATION TBI={0};
        if(ZwQueryInformationThread(hThread,ThreadBasicInformation,&TBI,sizeof(TBI),0)>=0)
        {
            //Make it executable
            // Re-commits the first page of the TEB with PAGE_EXECUTE_READWRITE. The result is not
            // checked here: if VirtualAlloc fails, p is NULL and the memset below faults.
            char* p=(char*)VirtualAlloc((void*)(TBI.TEBAddress),0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
            //Destroy and never resume
            // The TEB contents are overwritten (hence "destroy"): a NOP (0x90) fill, then 0x1000 bytes
            // copied from Shit's address. NOTE(review): 0x1000 is unrelated to Shit's real size, so the
            // copy also reads whatever the image places after Shit -- confirm against the linker layout.
            memset(p,0x90,0x1000);
            memcpy(p,&Shit,0x1000);
            // 32-bit x86 inline assembly: transfer control to the copy of Shit living inside the TEB.
            __asm
            {
                mov eax,p
                call eax //
            }
            // The process exits before the suspended thread could ever run with its corrupted TEB;
            // resuming it would be undefined (see the file header warning).
            ExitProcess(0);
        }
    }
}