waliedassar

ZwCreateThreadEx/HiddenFromDebugger

Nov 21st, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //In Windows versions that have ntdll.dll exporting NtCreateThreadEx, setting the 7th parameter
  4. //passed to NtCreateThreadEx to 0x4 causes the new thread to be hidden from debuggers.
  5. #include "stdafx.h"
  6. #include "windows.h"
  7. #include "stdio.h"
  8.  
// Local mirror of the native UNICODE_STRING layout (two 16-bit sizes plus a
// wide-char buffer pointer), declared here so the file does not depend on
// winternl.h. main() passes a null ObjectAttributes, so nothing in this file
// ever instantiates it; it only types OBJECT_ATTRIBUTES::ObjectName below.
struct UNICODE_S
{
    unsigned short len;   // Length   -- presumably a byte count, as in UNICODE_STRING (unused here)
    unsigned short max;   // MaximumLength -- same convention
    wchar_t* pStr;        // Buffer
};
// Local mirror of the native OBJECT_ATTRIBUTES layout; windows.h does not
// declare it, so the file defines its own. main() passes 0 (NULL) for this
// parameter, so the struct is never populated at runtime -- it exists only to
// give the FUNC prototype below a concrete pointee type. Field order and
// widths must stay as they are if a caller ever does pass one.
struct OBJECT_ATTRIBUTES
{
  unsigned long           Length;                     // size of this struct, per the native convention
  HANDLE                  RootDirectory;
  UNICODE_S*              ObjectName;
  unsigned long           Attributes;
  void*           SecurityDescriptor;
  void*           SecurityQualityOfService;
};
  24.  
// Hand-written prototype for ntdll!NtCreateThreadEx / ZwCreateThreadEx, which
// the public SDK headers do not declare; main() resolves it with
// GetProcAddress. The return value is an NTSTATUS (negative on failure).
// Parameters, as main() uses them: hThread receives the new handle;
// DesiredAccess is 0x1FFFFF; ObjectAttributes is null; ProcessHandle is the
// current process; lpStartAddress is &dummy; lpParameter is 0;
// CreateSuspended_Flags carries the creation flags (0x4 = hide the thread
// from user-mode debuggers, which is the point of this demo; the name
// suggests 0x1 is create-suspended -- not exercised here); StackZeroBits is
// 0; SizeOfStackCommit/SizeOfStackReserve are 0x1000/0x10000; lpBytesBuffer
// is 0.
// NOTE(review): __stdcall and the `unsigned long` size arguments assume a
// 32-bit build; on x64 the native call takes SIZE_T (64-bit) for the three
// stack/zero-bits arguments, so this typedef would need widening there.
typedef int(__stdcall *FUNC)(HANDLE* hThread,int DesiredAccess,OBJECT_ATTRIBUTES* ObjectAttributes,
HANDLE ProcessHandle,void* lpStartAddress,void* lpParameter,
unsigned long CreateSuspended_Flags,unsigned long StackZeroBits,
unsigned long SizeOfStackCommit,unsigned long SizeOfStackReserve,
void* lpBytesBuffer);
  30.  
// Start routine of the thread main() creates. It only pops a message box so
// the operator can see the hidden thread actually ran. It declares no
// parameter (main() passes lpParameter = 0, and this routine never reads it)
// and its return value is not used by anything in this file.
void dummy()
{
    static const char* const kText    = "A new thread hidden from debuggers has been created!";
    static const char* const kCaption = "waliedassar";
    MessageBox(NULL, kText, kCaption, MB_OK);
}
  36.  
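// Demo entry point. Resolves ZwCreateThreadEx from ntdll.dll at runtime (it is
// exported but not declared in the SDK headers), creates a thread in the
// current process with CreateFlags = 0x4, waits for it, and reports the
// result. A thread created with that flag delivers no breakpoint, single-step
// or exception events to an attached user-mode debugger, which is why the
// technique shows up as anti-analysis behaviour; the thread creation itself
// is still an ordinary kernel event, so kernel-side telemetry is the place a
// defender would look for it rather than the debugger.
// Returns 0 when the thread ran to completion, 1 if the export is missing or
// the call fails.
// Fixes over the original: standard `int` return type, NTSTATUS is checked
// instead of only the handle, and the thread handle is closed (it leaked).
int main(void)
{
    HMODULE ntdll = GetModuleHandle("ntdll.dll");
    FUNC ZwCreateThreadEx = ntdll ? (FUNC)GetProcAddress(ntdll, "ZwCreateThreadEx") : NULL;
    if (!ZwCreateThreadEx)
    {
        printf("ZwCreateThreadEx is not exported by this ntdll.dll\n");
        return 1;
    }

    HANDLE hThread = NULL;
    // 0x1FFFFF: all-access mask for the new thread; 0x4: hide from debugger.
    // Explicit cast because a function pointer does not convert to void*
    // implicitly in standard C++.
    int status = ZwCreateThreadEx(&hThread, 0x1FFFFF, 0, GetCurrentProcess(), (void*)&dummy, 0,
                                  0x4/*HiddenFromDebugger*/, 0, 0x1000, 0x10000, 0);
    // NTSTATUS convention: negative values are failures.
    if (status < 0 || hThread == NULL)
    {
        printf("ZwCreateThreadEx failed, NTSTATUS 0x%08X\n", (unsigned)status);
        return 1;
    }

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    return 0;
}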
