XR3X


NtCreateThreadEx (Hidden Thread) [FASM]



#1 Jochen


Posted 19 January 2015 - 06:56 PM

include 'win32ax.inc'
entry main

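main:

      push ebp                 ; set up a frame so [ebp-4] is a local of our own
      mov ebp,esp
      sub esp,4                ; [ebp-4] receives the new thread's handle

      xor eax,eax
      push eax                 ; AttributeList = NULL
      push eax                 ; MaximumStackSize = 0
      push eax                 ; StackSize = 0
      push eax                 ; ZeroBits = 0
      push 0x4                 ; CreateFlags = THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER
      push eax                 ; Argument = NULL
      push ContinueExecution   ; StartRoutine
      push -1                  ; ProcessHandle = current process (pseudo-handle)
      push eax                 ; ObjectAttributes = NULL
      push 0x001fffff          ; DesiredAccess = THREAD_ALL_ACCESS
      lea eax,[ebp-4]
      push eax                 ; ThreadHandle (out)

      call [NtCreateThreadEx]

      test eax,eax             ; NTSTATUS: negative means failure
      js @f

      push 0xffffffff          ; INFINITE
      push dword [ebp-4]       ; handle of the hidden thread
      call [WaitForSingleObject]
      @@: push 0
      call [ExitProcess]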


ContinueExecution: ; When a breakpoint is set, this is not executed in a debugger.


      push MB_OK
      push szOkay
      push szOkay
      push 0
      call [MessageBoxA]

.leave:
      push 0
      call [ExitProcess]


    szOkay db 'Everything is Okay!!!',0


    section '.idata' import data readable writeable
    library kernel32,'kernel32.dll',user32,'user32.dll',\
            ntdll,'ntdll.dll'

    import ntdll,\
           ZwSetInformationProcess,'ZwSetInformationProcess',\
           NtQueryInformationThread,'NtQueryInformationThread',\
           NtCreateThreadEx,'NtCreateThreadEx'

    include "%include%/api/kernel32.inc"
    include "%include%/api/user32.inc"
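
A defender-side check for the flag used above, as an added example that is not part of the original post: it asks NtQueryInformationThread (imported in the post but never called) whether each thread of a process has the hide-from-debugger attribute set. The `ThreadProbe` class, `IsHidden` method and `$ProcessId` parameter are hypothetical names; the example assumes the ThreadHideFromDebugger information class (0x11) can be queried with a one-byte buffer, as on Windows Vista and later.

```powershell
# Added example: report which threads of a process are hidden from debuggers.
param([int]$ProcessId = $PID)   # defaults to the current PowerShell process

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class ThreadProbe {            // hypothetical helper name
    const uint THREAD_QUERY_INFORMATION = 0x0040;
    const int  ThreadHideFromDebugger   = 0x11;   // THREADINFOCLASS value

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenThread(uint access, bool inherit, uint threadId);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr handle, int infoClass,
        out byte info, int length, IntPtr returnLength);

    // true/false for the flag, or null when the thread cannot be opened or queried
    public static bool? IsHidden(uint threadId) {
        IntPtr h = OpenThread(THREAD_QUERY_INFORMATION, false, threadId);
        if (h == IntPtr.Zero) return null;
        try {
            byte hidden;
            int status = NtQueryInformationThread(h, ThreadHideFromDebugger,
                out hidden, 1, IntPtr.Zero);
            if (status < 0) return null;       // negative NTSTATUS = failure
            return hidden != 0;
        } finally {
            CloseHandle(h);
        }
    }
}
'@

# One row per thread; an empty Hidden column means the query was not possible.
Get-Process -Id $ProcessId | Select-Object -ExpandProperty Threads | ForEach-Object {
    [pscustomobject]@{
        ProcessId = $ProcessId
        ThreadId  = $_.Id
        Hidden    = [ThreadProbe]::IsHidden([uint32]$_.Id)
    }
}
```

A thread reported with `Hidden = True` generates no debug events, so a breakpoint hit inside it is never delivered to an attached debugger.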