Advertisement
waliedassar

TEB As Anti-Memory Breakpoints

Oct 20th, 2012
1,573
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.52 KB | None | 0 0
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. //Code to bypass Memory Breakpoints (whether PAGE_GUARD or PAGE_NOACCESS)
  3. //Depends on the fact that TEB's (or PEB's) memory protection can not be non-writable or guarded, but can still be eXecutable.
  4. //In this case, i create a dummy thread in a suspended state and then use its TEB memory for executing code.
  5. //Warning: never resume the thread.
  6. #include "stdafx.h"
  7. #include "windows.h"
  8. #include "stdio.h"
  9. #pragma comment(linker,"/OPT:NOREF")
  10. #define ThreadBasicInformation 0x0
  11. struct THREAD_BASIC_INFORMATION
  12. {
  13.     unsigned long ExitStatus;
  14.     unsigned long TEBAddress;
  15.     unsigned long shit[0x5]; //Only to preserve the structure's size
  16. };
  17. extern "C"
  18. {
  19.     int __stdcall ZwQueryInformationThread(HANDLE,unsigned long,THREAD_BASIC_INFORMATION*,unsigned long,unsigned long*);
  20. }
  21. int dummy()
  22. {
  23.     int x=0;
  24.     int y=x;
  25.     return y;
  26. }
  27.  
  28. void Shit()
  29. {
  30.     MessageBox(0,"Nothing interesting","waliedassar",0);
  31.     return;
  32. }
  33.  
  34. void main()
  35. {
  36.     unsigned long tid=0;
  37.     HANDLE hThread=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&dummy,0,CREATE_SUSPENDED,&tid);
  38.     if(hThread)
  39.     {
  40.         THREAD_BASIC_INFORMATION TBI={0};
  41.         if(ZwQueryInformationThread(hThread,ThreadBasicInformation,&TBI,sizeof(TBI),0)>=0)
  42.         {
  43.             //Make it executable
  44.             char* p=(char*)VirtualAlloc((void*)(TBI.TEBAddress),0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
  45.             //Destroy and never resume
  46.             memset(p,0x90,0x1000);
  47.             memcpy(p,&Shit,0x1000);
  48.             __asm
  49.             {
  50.                 mov eax,p
  51.                 call eax //
  52.             }
  53.             ExitProcess(0);
  54.         }
  55.     }
  56. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement