C++隐藏线程

阿华么

已于 2022-09-08 11:25:07 修改

阅读量677

点赞数 1

分类专栏：逆向对抗 C++学习文章标签： c++ windows 开发语言

于 2022-09-08 11:05:30 首次发布

本文链接：https://blog.csdn.net/LiWeiHua01/article/details/126760622

版权

C++学习同时被 2 个专栏收录

14 篇文章 0 订阅

订阅专栏

逆向对抗

4 篇文章 0 订阅

订阅专栏

代码如下 X86编译

void* m_Ntdll = GetProcAddress(GetModuleHandleA(("ntdll.dll")), ("RtlInterlockedCompareExchange64"));
void* m_CreateRemoteThreadEx = GetProcAddress(GetModuleHandleA(("KERNELBASE.dll")), ("CreateRemoteThreadEx"));

const DWORD ntdll170 = (DWORD)m_Ntdll + 0x170;
const DWORD CreateRemoteThreadKernel = (DWORD)m_CreateRemoteThreadEx;

void __declspec(naked) CopyZwCreateThread()
{
	__asm
	{
		mov eax, 0x4E
		mov edx, ntdll170
		call edx
		ret 0x20
	}
}

HANDLE __declspec(naked) __stdcall CopyCreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,
	SIZE_T dwStackSize,
	LPTHREAD_START_ROUTINE lpStartAddress,
	LPVOID lpParameter,
	DWORD dwCreationFlags,
	LPDWORD lpThreadId)
{
	__asm
	{
		mov edi, edi
		push ebp
		mov ebp, esp
		push[ebp + 0x1C]
		mov eax, [ebp + 0x18]
		push 0
		and eax, 0x10004
		push eax
		push[ebp + 0x14]
		push[ebp + 0x10]
		push[ebp + 0xC]
		push[ebp + 8]
		push - 1
		call CreateRemoteThreadKernel
		pop ebp
		ret 0x18
	}
}

调用例子

void MainThread()
{
	while (true)
	{

		MessageBox(0,L"CopyCreateThread测试",L"CopyCreateThread测试",NULL);
		Sleep(2000);
	}

}
CopyCreateThread(0, 0, (LPTHREAD_START_ROUTINE)MainThread, 0, 0, 0);