메모리에서 특정 코드로 시작하는 스레드를 찾는 코드이다. 주로 코드 인젝션을 통해 다른 프로세스에 코드가 인젝션 되었는지 확인할 때 사용하면 된다.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
 
#define ThreadQuerySetWin32StartAddress 9  
 
using namespace std;
typedef NTSTATUS(WINAPI *NtQueryInformationThreadT)(HANDLE ThreadHandle, ULONG ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength, PULONG ReturnLength);
 
BOOL GetThreadStartAddress(DWORD tid, PVOID *EntryPoint);
BOOL CompareBinary(CHAR Buffer[]);
 
int main()
{
    BOOL result;
    THREADENTRY32 t32;
    PVOID EntryPoint;
    HANDLE hProc;
    CHAR Buffer[0x100];
    DWORD NumberofByteRead;
    HANDLE hSnap;
 
    printf("\n[*] Memory Detection - Reverse_L01.exe\n");
 
    /* Create a Snapshot Handle */
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;
 
    /* if you don't initialize THREADENTRY32.dwSize, Thread32First API fails */
    t32.dwSize = sizeof(THREADENTRY32);
    if (Thread32First(hSnap, &t32))
    {
        do
        {
            result = GetThreadStartAddress(t32.th32ThreadID, &EntryPoint);
            if ((DWORD)EntryPoint == 0x1)
            {
                continue;
            }
            hProc = OpenProcess(PROCESS_VM_READ, 0, t32.th32OwnerProcessID);
            ReadProcessMemory(hProc, EntryPoint, Buffer, 0x100&NumberofByteRead);
 
            if (CompareBinary(Buffer))
            {
                printf("\t+ Detect It, Process ID : %d, Thread ID : %d, EntryPoint :0x%X\n", t32.th32OwnerProcessID, t32.th32ThreadID, EntryPoint);
            }
        } while (Thread32Next(hSnap, &t32));
    }
    CloseHandle(hSnap);
    
    return 0;
}
 
BOOL GetThreadStartAddress(DWORD tid, PVOID *EntryPoint)
{
    PVOID ThreadInfo;
    ULONG ThreadInfoLength;
    PULONG ReturnLength;
 
    HMODULE hNtdll = LoadLibrary("ntdll.dll");
    NtQueryInformationThreadT NtQueryInformationThread = (NtQueryInformationThreadT)GetProcAddress(hNtdll, "NtQueryInformationThread");
    
    if (!NtQueryInformationThread)
        return FALSE;
 
    /* if NtQueryInformationThread's THREADINFOCALSS is a ThreadQurtySetWin32StartAddress, return start address of thread */
    HANDLE hThread = OpenThread(THREAD_QUERY_INFORMATION, 0, tid);
    NTSTATUS NtStat = NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &ThreadInfo, sizeof(ThreadInfo), NULL);
    
    *EntryPoint = ThreadInfo;
    return TRUE;
}
 
BOOL CompareBinary(CHAR Buffer[])
{
    char CmpCode[0x67= { '\x6A''\x00''\x68''\x00''\x20''\x40''\x00''\x68''\x12''\x20''\x40''\x00',
        '\x6A''\x00''\xE8''\x4E''\x00''\x00''\x00''\x68''\x94''\x20''\x40''\x00''\xE8''\x38',
        '\x00''\x00''\x00''\x46''\x48''\xEB''\x00''\x46''\x46''\x48''\x3B''\xC6''\x74''\x15',
        '\x6A''\x00''\x68''\x35''\x20''\x40''\x00''\x68''\x3B''\x20''\x40''\x00''\x6A''\x00',
        '\xE8''\x26''\x00''\x00''\x00''\xEB''\x13''\x6A''\x00''\x68''\x5E''\x20''\x40''\x00',
        '\x68''\x64''\x20''\x40''\x00''\x6A''\x00''\xE8''\x11''\x00''\x00''\x00''\xE8''\x06',
        '\x00''\x00''\x00''\xFF''\x25''\x50''\x30''\x40''\x00''\xFF''\x25''\x54''\x30''\x40',
        '\x00''\xFF''\x25''\x5C''\x30''\x40''\x00' };
 
    for (int i = 0; i < sizeof(CmpCode); i++)
    {
        if ((BYTE)CmpCode[i] != (BYTE)Buffer[i])
        {
            return FALSE;
        }
    }
    return TRUE;
}
 
cs