waliedassar

ThreadWow64Context

Feb 2nd, 2013
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //Link against call64.lib. In the link below you can find call64.lib, call64.dll, and
  5. //call64.h
  6. //https://code.google.com/p/ollytlscatch/downloads/detail?name=Call64.zip
  7.  
  8. #include "stdafx.h"
  9. #include "windows.h"
  10. #include "stdio.h"
  11. #include "Call64.h"
  12.  
  13.  
// THREADINFOCLASS value for the WoW64 (32-bit) context of a thread, as consumed
// by the 64-bit NtSetInformationThread.  Not exposed by the public SDK headers.
#define ThreadWow64Context           0x1D
// x86 CONTEXT_ALL: CONTEXT_i386 | control | integer | segments | floating point |
// debug registers | extended registers.  Matches the 32-bit CONTEXT filled below.
#define CONTEXT_ALL 0x1003F
  16.  
  17.  
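/*
 * Invoke the 64-bit NtSetInformationThread from this 32-bit process through
 * the Call64 helper (see Call64.h), passing each 32-bit argument in a 64-bit
 * slot.
 *
 * hThread                 - thread handle; the pseudo-handle (HANDLE)-2
 *                           ("current thread") is sign-extended to 64 bits.
 * ThreadInformationClass  - THREADINFOCLASS value (ThreadWow64Context here).
 * ThreadInformationLength - size in bytes of the buffer at ThreadInformation.
 *
 * Returns the NTSTATUS produced by the system service (negative on failure).
 * If the Call64 transition itself fails, STATUS_UNSUCCESSFUL (0xC0000001) is
 * returned; the original fell off the end of the function in that case,
 * which is undefined behaviour and left the caller's `ret<0` test reading
 * garbage.
 *
 * NOTE: 0x0A is the 64-bit system-service number of NtSetInformationThread
 * on the Windows build this was written against (2013).  Service numbers are
 * not stable across Windows releases, so this wrapper is tied to that build.
 */
int __stdcall ZwSetInformationThread64(HANDLE hThread,unsigned long ThreadInformationClass,
                                        unsigned long* ThreadInformation,unsigned long ThreadInformationLength)
{
    /* Low dword carries the 32-bit value, high dword stays zero... */
    LARGE_INTEGER_ loc_hThread={0};
    loc_hThread.Low=(unsigned long)hThread;
    /* ...except for NtCurrentThread() (-2), which a 64-bit callee expects as
     * 0xFFFFFFFFFFFFFFFE. */
    if(hThread==(HANDLE)0xFFFFFFFE) loc_hThread.High=0xFFFFFFFF;
    LARGE_INTEGER_ loc_ThreadInformationClass={(unsigned long)ThreadInformationClass,0};
    LARGE_INTEGER_ loc_ThreadInformation={(unsigned long)ThreadInformation,0};
    LARGE_INTEGER_ loc_ThreadInformationLength={(unsigned long)ThreadInformationLength,0};

    LARGE_INTEGER_ ret={0};
    /* Call64(result, service number, argument count, args...) */
    bool B=Call64(&ret,0x0A,0x4,&loc_hThread,&loc_ThreadInformationClass,&loc_ThreadInformation,&loc_ThreadInformationLength);
    if(!B) return (int)0xC0000001;   /* STATUS_UNSUCCESSFUL: transition failed */
    return (int)ret.Low;              /* NTSTATUS from the system service */
}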
  32.  
/*
 * Start routine the demo redirects the suspended thread to.  Reports that the
 * redirection worked and terminates the calling thread; the trailing return is
 * never reached.
 */
void ThreadProc2()
{
    fputs("Thread Procedure 2 called - Execution redirected\r\n",stdout);
    ExitThread(0);
    return;
}
  39.  
/*
 * Original start routine handed to CreateThread.  If the context rewrite in
 * main() succeeds this is never executed; otherwise it prints once and blocks
 * forever.
 */
void ThreadProc()
{
    fputs("Thread Procedure 1 called \r\n",stdout);
    Sleep(INFINITE);
    return;
}
  46.  
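/*
 * Demo: create a suspended thread starting at ThreadProc, read back its
 * 32-bit CONTEXT, point Eip at ThreadProc2 and write the context back via
 * the 64-bit NtSetInformationThread(ThreadWow64Context), then resume it.
 *
 * Changes from the original: the VirtualAlloc and GetThreadContext results
 * are checked before the buffer is dereferenced (a NULL page pointer was
 * written to unconditionally), Eip is addressed by field name instead of the
 * raw offset 0xB8 (the same location in the x86 CONTEXT), and the thread
 * handle and buffer are released on the error paths.
 */
void main()
{
    unsigned long tid=0;
    HANDLE hThread=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&ThreadProc,0,CREATE_SUSPENDED,&tid);
    if(!hThread) return;

    /* One committed page (zeroed) comfortably holds a 32-bit CONTEXT. */
    CONTEXT* pCTX=(CONTEXT*)VirtualAlloc(0,0x1000,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
    if(!pCTX)
    {
        printf("Error: VirtualAlloc failed %lx\r\n",GetLastError());
        CloseHandle(hThread);
        return;
    }

    /* Ask for the full register set so the write-back carries a complete context. */
    pCTX->ContextFlags=CONTEXT_ALL;
    if(!GetThreadContext(hThread,pCTX))
    {
        printf("Error: GetThreadContext failed %lx\r\n",GetLastError());
        VirtualFree(pCTX,0,MEM_RELEASE);
        CloseHandle(hThread);
        return;
    }

    /* Redirect the suspended thread's entry point; Eip is at offset 0xB8 of
     * the x86 CONTEXT, which is what the original poked through a raw cast. */
    pCTX->Eip=(unsigned long)(&ThreadProc2);
    int ret=ZwSetInformationThread64(hThread,ThreadWow64Context,(unsigned long*)pCTX,sizeof(CONTEXT));
    if(ret<0)
    {
        /* Negative NTSTATUS: the service rejected the request or Call64 failed. */
        printf("Error: %x\r\n",(unsigned)ret);
        VirtualFree(pCTX,0,MEM_RELEASE);
        CloseHandle(hThread);
        return;
    }

    printf("Okay\r\n");
    ResumeThread(hThread);
    /* Keep the process alive so the redirected thread gets to run and print. */
    Sleep(INFINITE);
    return;
}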