ThreadWow64Context

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3.  
4. //Link against call64.lib. In the link below you can find call64.lib, call64.dll, and
5. //call64.h
6. //https://code.google.com/p/ollytlscatch/downloads/detail?name=Call64.zip
7.  
8. #include "stdafx.h"
9. #include "windows.h"
10. #include "stdio.h"
11. #include "Call64.h"
12.  
13.  
14. #define ThreadWow64Context           0x1D
15. #define CONTEXT_ALL 0x1003F
16.  
17.  
18. int __stdcall ZwSetInformationThread64(HANDLE hThread,unsigned long ThreadInformationClass,
19.                                         unsigned long* ThreadInformation,unsigned long ThreadInformationLength)
20. {
21.     LARGE_INTEGER_ loc_hThread={0};
22.         loc_hThread.Low=(unsigned long)hThread;
23.         if(hThread==(HANDLE)0xFFFFFFFE) loc_hThread.High=0xFFFFFFFF;
24.     LARGE_INTEGER_ loc_ThreadInformationClass={(unsigned long)ThreadInformationClass,0};
25.     LARGE_INTEGER_ loc_ThreadInformation={(unsigned long)ThreadInformation,0};
26.     LARGE_INTEGER_ loc_ThreadInformationLength={(unsigned long)ThreadInformationLength,0};
27.    
28.     LARGE_INTEGER_ ret;
29.     bool B=Call64(&ret,0x0A,0x4,&loc_hThread,&loc_ThreadInformationClass,&loc_ThreadInformation,&loc_ThreadInformationLength);
30.     if(B) return ret.Low;
31. }
32.  
33. void ThreadProc2()
34. {
35.     printf("Thread Procedure 2 called - Execution redirected\r\n");
36.     ExitThread(0);
37.     return;
38. }
39.  
40. void ThreadProc()
41. {
42.     printf("Thread Procedure 1 called \r\n");
43.     Sleep(INFINITE);
44.     return;
45. }
46.  
47. void main()
48. {
49.     unsigned long tid=0;
50.     HANDLE hThread=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&ThreadProc,0,CREATE_SUSPENDED,&tid);
51.     if(!hThread) return;
52.     CONTEXT* pCTX=(CONTEXT*)VirtualAlloc(0,0x1000,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
53.     pCTX->ContextFlags=CONTEXT_ALL;
54.     GetThreadContext(hThread,pCTX);
55.  
56.     *(unsigned long*)(((unsigned char*)(pCTX))+0xB8)=(unsigned long)(&ThreadProc2);
57.     int ret=ZwSetInformationThread64(hThread,ThreadWow64Context,(unsigned long*)pCTX,sizeof(CONTEXT));
58.     if(ret<0)   printf("Error: %x\r\n",ret);
59.     else
60.     {
61.         printf("Okay\r\n");
62.         ResumeThread(hThread);
63.     }
64.     Sleep(INFINITE);
65.     return;
66. }