
ZwCreateThreadEx/HiddenFromDebugger

waliedassar Nov 21st, 2012 930 Never
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //In Windows versions whose ntdll.dll exports NtCreateThreadEx, setting the 7th parameter
  4. //passed to NtCreateThreadEx to 0x4 can cause the new thread to be hidden from debuggers.
  5. #include "stdafx.h"
  6. #include "windows.h"
  7. #include "stdio.h"
  8.  
//Hand-rolled counted wide string, laid out like the native UNICODE_STRING
//(Length, MaximumLength, Buffer). Only referenced through
//OBJECT_ATTRIBUTES::ObjectName; main() passes 0 for the attributes, so this
//type is never instantiated in this sample.
struct UNICODE_S
{
        unsigned short len;   //byte length of the string currently in pStr
        unsigned short max;   //byte capacity of the pStr buffer
        wchar_t* pStr;        //not NUL-terminated by contract; len governs
};
//Local re-declaration of the native OBJECT_ATTRIBUTES block passed as the
//3rd argument of NtCreateThreadEx. This file never fills one in: main()
//passes a null pointer, so the thread gets no name or security descriptor.
//NOTE(review): field order/size must match the OS definition exactly if it is
//ever used; it is untested here.
struct OBJECT_ATTRIBUTES
{
  unsigned long           Length;                    //sizeof(OBJECT_ATTRIBUTES)
  HANDLE                  RootDirectory;
  UNICODE_S*              ObjectName;
  unsigned long           Attributes;
  void*           SecurityDescriptor;                //PSECURITY_DESCRIPTOR
  void*           SecurityQualityOfService;          //PSECURITY_QUALITY_OF_SERVICE
};
  24.  
//Prototype used to call the undocumented NtCreateThreadEx/ZwCreateThreadEx
//export resolved at runtime in main(). Declared __stdcall (only meaningful on
//32-bit x86; x64 ignores it). Returns int here; the native call presumably
//returns an NTSTATUS, where negative values mean failure.
//  hThread             - receives the new thread handle
//  DesiredAccess       - access mask for that handle (main() passes 0x1FFFFF)
//  ObjectAttributes    - optional, may be null
//  ProcessHandle       - process in which to create the thread
//  lpStartAddress      - thread entry point
//  lpParameter         - argument handed to the entry point
//  CreateSuspended_Flags - creation flags; 0x4 is the "hidden from debugger"
//                        bit this sample demonstrates
//  StackZeroBits, SizeOfStackCommit, SizeOfStackReserve - stack sizing
//  lpBytesBuffer       - extra attribute buffer, passed as null here
typedef int(__stdcall *FUNC)(HANDLE* hThread,int DesiredAccess,OBJECT_ATTRIBUTES* ObjectAttributes,
HANDLE ProcessHandle,void* lpStartAddress,void* lpParameter,
unsigned long CreateSuspended_Flags,unsigned long StackZeroBits,
unsigned long SizeOfStackCommit,unsigned long SizeOfStackReserve,
void* lpBytesBuffer);
  30.  
//Thread body started by main(): pops a message box announcing that the
//thread exists, then returns so the thread terminates. No arguments, no
//return value.
void dummy()
{
        const char* text="A new thread hidden from debuggers has been created!";
        const char* caption="waliedassar";
        MessageBox(0,text,caption,0);
}
  36.  
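//Entry point: resolves ZwCreateThreadEx from ntdll.dll, starts dummy() as a
//new thread with the 0x4 creation flag, waits for it, and releases the handle.
//Returns 0 on success, 1 if ntdll or the export cannot be found or the native
//call fails. Fixes vs. the original: standard int return, the status of
//ZwCreateThreadEx is checked (NTSTATUS: negative means failure), and the
//thread handle is closed instead of leaked.
int main()
{
        HMODULE hNtdll=GetModuleHandle("ntdll.dll");
        if(!hNtdll)
        {
                return 1;
        }
        //Older ntdll builds do not export this function (see header comment);
        //GetProcAddress then returns null.
        FUNC ZwCreateThreadEx=(FUNC)GetProcAddress(hNtdll,"ZwCreateThreadEx");
        if(!ZwCreateThreadEx)
        {
                return 1;
        }
        HANDLE hThread=0;
        //7th argument (CreateSuspended_Flags) carries the 0x4 "hidden from
        //debugger" bit; access mask and stack sizes are kept as in the demo.
        int status=ZwCreateThreadEx(&hThread,0x1FFFFF,0,GetCurrentProcess(),&dummy,0,
                                    0x4/*HiddenFromDebugger*/,0,0x1000,0x10000,0);
        if(status<0 || !hThread)
        {
                return 1;
        }
        WaitForSingleObject(hThread,INFINITE);
        CloseHandle(hThread);   //the original never released this handle
        return 0;
}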