ZwCreateThreadEx/HiddenFromDebugger

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //In Windows versions that have ntdll.dll exporting NtCreateThreadEx, settings the 7th parameter
4. //passed to NtCreateThreadEx to 0x4 can cause the new thread to be hidden from debuggers.
5. #include "stdafx.h"
6. #include "windows.h"
7. #include "stdio.h"
8.  
9. struct UNICODE_S
10. {
11.     unsigned short len;
12.     unsigned short max;
13.     wchar_t* pStr;
14. };
15. struct OBJECT_ATTRIBUTES
16. {
17.   unsigned long           Length;
18.   HANDLE                  RootDirectory;
19.   UNICODE_S*              ObjectName;
20.   unsigned long           Attributes;
21.   void*           SecurityDescriptor;
22.   void*           SecurityQualityOfService;
23. };
24.  
25. typedef int(__stdcall *FUNC)(HANDLE* hThread,int DesiredAccess,OBJECT_ATTRIBUTES* ObjectAttributes,
26. HANDLE ProcessHandle,void* lpStartAddress,void* lpParameter,
27. unsigned long CreateSuspended_Flags,unsigned long StackZeroBits,
28. unsigned long SizeOfStackCommit,unsigned long SizeOfStackReserve,
29. void* lpBytesBuffer);
30.  
31. void dummy()
32. {
33.     MessageBox(0,"A new thread hidden from debuggers has been created!","waliedassar",0);
34.     return;
35. }
36.  
37. void main()
38. {
39.     FUNC ZwCreateThreadEx=(FUNC)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwCreateThreadEx");
40.     if(ZwCreateThreadEx)
41.     {
42.         HANDLE hThread=0;
43.         ZwCreateThreadEx(&hThread,0x1FFFFF,0,GetCurrentProcess(),&dummy,0,
44.                         0x4/*HiddenFromDebugger*/,0,0x1000,0x10000,0);
45.         if(hThread)
46.         {
47.             WaitForSingleObject(hThread,INFINITE);
48.         }
49.     }
50. }