Create Remote Thread by Dreg for https://github.com/rwfpl/rewolf-wow64ext
/*
Create Remote Thread by Dreg - dreg@fr33project.org for https://github.com/rwfpl/rewolf-wow64ext
http://www.fr33project.org/
https://github.com/David-Reguera-Garcia-Dreg
*/
#include "stdafx.h"
#include "wow64ext.h"
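/*
 * Thread entry for the local RtlCreateUserThread demo in main().
 *
 * lpParam is the raw Parameter value handed to RtlCreateUserThread; main()
 * passes an integer smuggled through a PVOID ((PVOID)1234), so the value is
 * printed as an integer and never dereferenced.
 *
 * Returns 0 as the thread exit code; nothing else is computed.
 */
DWORD WINAPI MyThreadFunction(LPVOID lpParam)
{
    /* GetCurrentThreadId() yields a DWORD and lpParam is a pointer: printing
     * both with "%d" is a format/argument mismatch (undefined behaviour, and
     * a real width mismatch if this is ever built for x64). Cast each value
     * to a type that matches its conversion specifier instead. */
    printf("Thread: %lu Arg: %lu\n",
           (unsigned long)GetCurrentThreadId(),
           (unsigned long)(size_t)lpParam);
    return 0;
}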
/* Minimal stand-in for ntdll's CLIENT_ID so that winternl.h does not have
 * to be included. main() passes its address as the last argument of
 * RtlCreateUserThread, which presumably fills in the ids of the new thread.
 *
 * NOTE(review): the alias PCLIENT_ID has the same name as the one declared
 * in winternl.h; including that header as well would produce a redefinition
 * error. */
typedef struct my_client_id
{
    PVOID UniqueProcess; /* HANDLE-sized process id */
    PVOID UniqueThread;  /* HANDLE-sized thread id */
} MY_CLIENT_ID, *PCLIENT_ID;
/* Prototype of ntdll!RtlCreateUserThread, which the SDK does not declare,
 * so it is resolved by name at run time. Parameter names follow the usual
 * native-API description of this routine.
 *
 * NOTE(review): the native declaration is normally given with SIZE_T for
 * StackReserve and StackCommit; PULONG has the same width on the 32-bit
 * (WOW64) build this demo targets, and main() only ever passes 0, but the
 * types should be corrected before this is compiled for x64. */
typedef long (WINAPI *_RtlCreateUserThread)(HANDLE ProcessHandle,
                                            PSECURITY_DESCRIPTOR SecurityDescriptor,
                                            BOOLEAN CreateSuspended,
                                            ULONG StackZeroBits,
                                            PULONG StackReserve,
                                            PULONG StackCommit,
                                            PVOID StartAddress,
                                            PVOID Parameter,
                                            PHANDLE ThreadHandle,
                                            PCLIENT_ID ClientId);

/* Resolved once at start-up (non-constant initialiser: this file is C++).
 * GetProcAddress returns NULL when the export cannot be found, so every
 * caller must check the pointer before calling through it. */
_RtlCreateUserThread RtlCreateUserThread =
    (_RtlCreateUserThread)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
                                         "RtlCreateUserThread");
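/*
 * Demo driver.
 *
 * Step 1: create a thread in the current (32-bit, WOW64) process through
 *         ntdll!RtlCreateUserThread and let it print its id/argument.
 * Step 2: start a native x64 cmd.exe, wait 3 seconds, then terminate it by
 *         starting a thread inside it whose entry point is the 64-bit
 *         ntdll's NtTerminateProcess. The 64-bit module/export lookup and
 *         the remote thread use the wow64ext helpers (GetModuleHandle64,
 *         GetProcAddress64, MyCreateRemoteThread64, CloseHandle64 -- the
 *         last two are not in the upstream header, see the linked
 *         rewolf-wow64ext issue).
 *
 * Returns 0 when both steps were attempted, 1 when a prerequisite was
 * missing (export not found, cmd.exe could not be started).
 */
int main()
{
    /* ---- step 1: local thread via RtlCreateUserThread ---- */

    /* GetProcAddress can return NULL; the original called through the
     * pointer unconditionally, which is a NULL-function-pointer call. */
    if (RtlCreateUserThread == NULL) {
        puts("RtlCreateUserThread not found in ntdll.dll");
        return 1;
    }
    /* A pointer is printed with %p; "%X" with a pointer argument is UB. */
    printf("RtlCreateUserThread: %p\n", (void *)RtlCreateUserThread);

    HANDLE thread_handle = NULL;
    MY_CLIENT_ID cid = { 0 };
    long status = RtlCreateUserThread(
        GetCurrentProcess(),
        NULL,                   /* SecurityDescriptor: default */
        FALSE,                  /* CreateSuspended: run immediately */
        0,                      /* StackZeroBits */
        0,                      /* StackReserve: default */
        0,                      /* StackCommit: default */
        (PVOID)MyThreadFunction,
        (PVOID)1234,            /* Parameter: integer smuggled through PVOID */
        &thread_handle,
        &cid);
    /* NTSTATUS: the sign bit marks failure. On failure thread_handle is not
     * valid; on success the handle is ours and must not be leaked (closing
     * it does not stop the thread). */
    if (status < 0) {
        printf("RtlCreateUserThread failed, NTSTATUS 0x%08lX\n",
               (unsigned long)status);
    } else {
        CloseHandle(thread_handle);
    }

    /* ---- step 2: native x64 cmd.exe, killed via a 64-bit remote thread ---- */

    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    si.cb = sizeof(si);
    /* \Windows\Sysnative is the WOW64 alias of the 64-bit System32, so the
     * path only resolves from a 32-bit process on 64-bit Windows -- the one
     * configuration this demo is meant for. */
    if (!CreateProcessW(
            L"C:\\windows\\sysnative\\cmd.exe",
            NULL,               /* lpCommandLine */
            NULL,               /* lpProcessAttributes */
            NULL,               /* lpThreadAttributes */
            FALSE,              /* bInheritHandles */
            CREATE_NEW_CONSOLE,
            NULL,               /* lpEnvironment */
            NULL,               /* lpCurrentDirectory */
            &si,
            &pi)) {
        /* The original ignored this failure and went on to hand a zero
         * process handle to MyCreateRemoteThread64. */
        printf("CreateProcessW failed, error %lu\n",
               (unsigned long)GetLastError());
        return 1;
    }

    puts("Sleeping 3 secs to finish the remote x64 cmd via Remote Thread NtTerminateProcess...");
    Sleep(3000);

    /* The remote thread's entry point is NtTerminateProcess itself and its
     * single thread parameter (0) is what that routine receives as
     * ProcessHandle, i.e. the process the thread runs in. The export is
     * looked up in the 64-bit ntdll through the wow64ext helpers rather than
     * the 32-bit GetModuleHandle/GetProcAddress. */
    DWORD64 nt_terminate_process =
        (DWORD64)GetProcAddress64(GetModuleHandle64(L"ntdll.dll"), "NtTerminateProcess");
    if (nt_terminate_process == 0) {
        puts("NtTerminateProcess not found in the 64-bit ntdll.dll");
    } else {
        /* NOTE(review): assumes MyCreateRemoteThread64 returns a DWORD64
         * thread handle and 0 on failure -- confirm against its definition
         * (it is not part of the upstream wow64ext.h). */
        DWORD64 remote_thread =
            (DWORD64)MyCreateRemoteThread64((DWORD64)pi.hProcess, nt_terminate_process, (DWORD64)0);
        if (remote_thread == 0) {
            puts("MyCreateRemoteThread64 failed");
        } else {
            CloseHandle64(remote_thread);
        }
    }

    /* CreateProcessW hands back two handles; the original leaked both. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    puts("done!, press enter to exit");
    getchar();
    return 0;
}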
Where are CloseHandle64 and MyCreateRemoteThread64 defined?

rwfpl/rewolf-wow64ext#12
