Trigger STATUS_GUARD_VIOLATION

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //Code to trigger STATUS_GUARD_PAGE_VIOLATION in a nerdy way.
4. #include "stdafx.h"
5. #include "windows.h"
6. #include "stdio.h"
7. #define ThreadBasicInformation 0x0
8. struct THREAD_BASIC_INFORMATION
9. {
10.         unsigned long ExitStatus;
11.         unsigned long TEBAddress;
12.         unsigned long shit[0x5]; //Only to preserve the structure's size
13. };
14. extern "C"
15. {
16.         int __stdcall ZwQueryInformationThread(HANDLE,unsigned long,THREAD_BASIC_INFORMATION*,unsigned long,unsigned long*);
17. }
18. int dummy()
19. {
20.     int x=0;
21.     int y=x+1;
22.     Sleep(INFINITE);
23.     return y;
24. }
25. int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
26. {
27.     if(pRec->ExceptionCode==0x80000001)
28.     {
29.         MessageBox(0,"Expected","waliedassar",0);
30.         ExitProcess(0);
31.     }
32.     return ExceptionContinueSearch;
33. }
34. void main()
35. {
36.     //--------------Install Exception Handler----------------------------
37.     __asm
38.     {
39.         push offset Handler
40.         push dword ptr fs:[0x0]
41.         mov dword ptr fs:[0x0],esp
42.     }
43.     //-------------Create a new thread and extract some info------------
44.     unsigned long tid=0;
45.     HANDLE h=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&dummy,0,0,&tid);
46.     if(!h) return;
47.     printf("Thread %x has been created.\r\n",tid);
48.     THREAD_BASIC_INFORMATION TBI={0};
49.     ZwQueryInformationThread(h,ThreadBasicInformation,&TBI,sizeof(TBI),0);
50.     printf("Thread TEB at %x\r\n",TBI.TEBAddress);
51.     char* p=(char*)(TBI.TEBAddress);
52.     unsigned long StackBase=*(unsigned long*)(p+0x4);
53.     unsigned long StackCurrPointer=*(unsigned long*)(p+0x8);
54.     printf("Thread Stack base: %x\r\n",StackBase);
55.     printf("Thread Stack Current: %x\r\n",StackCurrPointer);
56.     //--------------Trigger the STATUS_GUARD_VIOLATION------------------
57.     MEMORY_BASIC_INFORMATION MBI={0};
58.     if(VirtualQuery((void*)(StackCurrPointer-0x1000),&MBI,sizeof(MBI)))
59.     {
60.          printf("Protect: %x\r\n",MBI.Protect);
61.          unsigned long px=StackCurrPointer-0x1000;
62.          unsigned char x=*(unsigned char*)px;
63.     }
64.     //--------------------------------------------------------------
65.     ExitProcess(0);
66. }