TEB As Anti-Memory Breakpoints

1. //http://waleedassar.blogspot.com (@waleedassar)
2. //Code to bypass Memory Breakpoints (whether PAGE_GUARD or PAGE_NOACCESS)
3. //Depends on the fact that TEB's (or PEB's) memory protection can not be non-writable or guarded, but can still be eXecutable.
4. //In this case, i create a dummy thread in a suspended state and then use its TEB memory for executing code.
5. //Warning: never resume the thread.
6. #include "stdafx.h"
7. #include "windows.h"
8. #include "stdio.h"
9. #pragma comment(linker,"/OPT:NOREF")
10. #define ThreadBasicInformation 0x0
11. struct THREAD_BASIC_INFORMATION
12. {
13.     unsigned long ExitStatus;
14.     unsigned long TEBAddress;
15.     unsigned long shit[0x5]; //Only to preserve the structure's size
16. };
17. extern "C"
18. {
19.     int __stdcall ZwQueryInformationThread(HANDLE,unsigned long,THREAD_BASIC_INFORMATION*,unsigned long,unsigned long*);
20. }
21. int dummy()
22. {
23.     int x=0;
24.     int y=x;
25.     return y;
26. }
27.  
28. void Shit()
29. {
30.     MessageBox(0,"Nothing interesting","waliedassar",0);
31.     return;
32. }
33.  
34. void main()
35. {
36.     unsigned long tid=0;
37.     HANDLE hThread=CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)&dummy,0,CREATE_SUSPENDED,&tid);
38.     if(hThread)
39.     {
40.         THREAD_BASIC_INFORMATION TBI={0};
41.         if(ZwQueryInformationThread(hThread,ThreadBasicInformation,&TBI,sizeof(TBI),0)>=0)
42.         {
43.             //Make it executable
44.             char* p=(char*)VirtualAlloc((void*)(TBI.TEBAddress),0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
45.             //Destroy and never resume
46.             memset(p,0x90,0x1000);
47.             memcpy(p,&Shit,0x1000);
48.             __asm
49.             {
50.                 mov eax,p
51.                 call eax //
52.             }
53.             ExitProcess(0);
54.         }
55.     }
56. }