Quantcast
Channel: Byte Crunchers » C#
Viewing all articles
Browse latest Browse all 6

Windows 8: Activation Watermark Thread Killer!

0
0

How many of you are using some kind of activation watermark remover for Windows 8? If you are one among them and a developer in heart, you must be wondering how it is done actually, right? I too was stumbled upon this question myself a few weeks back. ThreadKillerThe result, a few lines of code, which suspends the given thread. Well, I admit it is not production quality code, but the main intention was to get familiar with some Windows APIs.

UPDATE: Please pardon to interrupt you, but let me tell you something. so you are looking for ways to activate your copy of Windows 8 illegally, right? But what if you could get a genuine copy of Windows 8 for free? Read how!

So what is in it actually? The core of the project revolves round a few APIs; in fact, around NtQueryInformationThread and SymFromAddr. If you want to get more details of the concerned thread for the desktop activation watermark, see this link.
Ok, enough bla bla bla…. If a picture is worth thousand words, a few lines of code is worth a billion sentences…
The project is attached herewith, to download the project, save the below pdf and rename it to Threadkiller.Zip

Main methods in the project…

void DbgHelpWrapper::SuspendThread()
{
Process^ targetProcess = this->GetTargetProcess();
if( targetProcess == nullptr )
{
System::Diagnostics::Debug::WriteLine( String::Format(“Failed to find the target process: {0}”, this->processName ));
System::Console::WriteLine( String::Format(“Failed to find the target process: {0}”, this->processName ));
return;
}
ProcessThread^ targetThread = this->GetTargetThread( targetProcess );
if( targetThread == nullptr )
{
System::Diagnostics::Debug::WriteLine( String::Format(“Failed to find the target thread with symbol: {0}”, this->symbolName ));
System::Console::WriteLine( String::Format(“Failed to find the target thread with symbol: {0}”, this->symbolName ));
return;
}
else
{
System::Diagnostics::Debug::WriteLine( String::Format(“Target thread is in state: {0}”, targetThread->ThreadState ));
System::Console::WriteLine( String::Format(“Target thread is in state: {0}”, targetThread->ThreadState ));
HANDLE hRemoteThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, targetThread->Id);
if (hRemoteThread != 0 )
{
try
{
::SuspendThread(hRemoteThread);
}
finally
{
CloseHandle(hRemoteThread);
}
}
}
}
ProcessThread^ DbgHelpWrapper::GetTargetThread( Process^ targetProcess )
{
ProcessThreadCollection^ processThreadList = targetProcess->Threads;
DWORD dwProcessId = static_cast(targetProcess->Id);
HANDLE hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwProcessId );
try
{
DWORD dwSymSetOptStatus = SymSetOptions(SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME | SYMOPT_LOAD_LINES);
DWORD dwSymInitStatus = ERROR_SUCCESS;
DWORD dwInitializeError = ERROR_SUCCESS;;
if (!(dwSymInitStatus = SymInitialize(hRemoteProcess, NULL, TRUE))) {
dwInitializeError = Marshal::GetLastWin32Error();
System::Diagnostics::Debug::WriteLine( String::Format(“SymInitialize failed: {0} error: {1}”, dwSymInitStatus, dwInitializeError ));
System::Console::WriteLine( String::Format(“SymInitialize failed: {0} error: {1}”, dwSymInitStatus, dwInitializeError ));
return nullptr;
}
for each( ProcessThread^ thread in processThreadList)
{
if( MatchTargetSymbol(hRemoteProcess, targetProcess->Id, thread->Id ))
{
return thread;
}
}
}
finally
{
CloseHandle(hRemoteProcess);
}
return nullptr;
}
bool DbgHelpWrapper::MatchTargetSymbol( HANDLE hProcessHandle, int procId, int threadId )
{
#if _WIN64
DWORD64 dwStartAddress;
#else
DWORD dwStartAddress;
#endif
DWORD dwInitializeError;
DWORD dwThreadID = static_cast(threadId);
DWORD dwProcessId = static_cast(procId);

if (!GetThreadStartAddress( hProcessHandle, dwProcessId, dwThreadID, &dwStartAddress ))
{
dwInitializeError = Marshal::GetLastWin32Error();
System::Diagnostics::Debug::WriteLine( String::Format(“GetThreadStartAddress failed: {0}”, dwInitializeError ));
System::Console::WriteLine( String::Format(“GetThreadStartAddress failed: {0}”, dwInitializeError ));
}

const int kMaxNameLength = 256;
ULONG64 buffer[(sizeof(SYMBOL_INFO) + kMaxNameLength * sizeof(wchar_t) + sizeof(ULONG64) - 1) / sizeof(ULONG64)];
memset(buffer, 0, sizeof(buffer));

// Initialize symbol information retrieval structures.
DWORD64 sym_displacement = 0;
PSYMBOL_INFO symbol = reinterpret_cast(&buffer[0]);
symbol->SizeOfStruct = sizeof(SYMBOL_INFO);
symbol->MaxNameLen = kMaxNameLength – 1;
if( SymFromAddr(hProcessHandle, (DWORD64)dwStartAddress, &sym_displacement, symbol ))
{
System::String^ name = gcnew System::String( symbol->Name );
if( name->Equals( this->symbolName ))
{
System::Diagnostics::Debug::WriteLine( String::Format(“Found thread with ModuleName: {0}”, name ));
System::Console::WriteLine( String::Format(“Found thread with ModuleName: {0}”, name ));
return true;
}
}
else
{
dwInitializeError = Marshal::GetLastWin32Error();
System::Diagnostics::Debug::WriteLine( String::Format(“SymFromAddr failed for address {0}: {1}”, dwStartAddress, dwInitializeError ));
System::Console::WriteLine( String::Format(“SymFromAddr failed: {0}”, dwStartAddress, dwInitializeError ));
}
return false;
}
bool DbgHelpWrapper::GetThreadStartAddress( HANDLE hProcessHandle, DWORD processId, DWORD threadID, LPVOID dwStartAddress )
{
// Get ntdll entry points.
HMODULE ntDLLHandle = LoadLibrary(L”ntdll.dll”);
tNtQueryInformationThread NtQueryInformationThread = (tNtQueryInformationThread)GetProcAddress(ntDLLHandle, “NtQueryInformationThread”);

// Open thread with wrong access rights.
//HANDLE hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, processId );
HANDLE hRemoteThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, threadID);

if (hRemoteThread != 0 /*&& hRemoteProcess != 0*/ )
{
try
{
// Duplicate handle to get correct access rights.
HANDLE temporaryHandle = 0;
DWORD duplicateHandleResult = DuplicateHandle(GetCurrentProcess(), hRemoteThread, GetCurrentProcess(),
&temporaryHandle, THREAD_QUERY_INFORMATION, FALSE, 0 );
System::Diagnostics::Debug::WriteLine( String::Format(“DuplicateHandle returned {0}”, duplicateHandleResult ));
System::Console::WriteLine( String::Format(“DuplicateHandle returned {0}”, duplicateHandleResult ));
System::Console::WriteLine( String::Format(“DuplicateHandle error {0}”, Marshal::GetLastWin32Error()));
if (duplicateHandleResult != 0 )
{
try
{
DWORD ntStatus = NtQueryInformationThread(temporaryHandle, ThreadQuerySetWin32StartAddress, dwStartAddress, sizeof(LPVOID), NULL);
System::Diagnostics::Debug::WriteLine( String::Format(“NtQueryInformationThread returned {0}”, ntStatus ));
System::Console::WriteLine( String::Format(“NtQueryInformationThread returned {0}”, ntStatus ));
if (ntStatus == 0)
{
System::Diagnostics::Debug::WriteLine( String::Format(“StartAddress: {0:X8}”, (DWORD)dwStartAddress ));
System::Console::WriteLine( String::Format(“StartAddress: {0:X8}”, (DWORD)dwStartAddress ));
return true;
}
else
{
System::Console::WriteLine( String::Format(“Cannot query the thread information. NtQueryInformationThread error {0}”, Marshal::GetLastWin32Error()));
System::Diagnostics::Debug::WriteLine( String::Format(“Cannot query the thread information. NtQueryInformationThread error {0}”, Marshal::GetLastWin32Error()));
return false;
}
}
finally
{
CloseHandle(temporaryHandle);
}
}
else
{
System::Diagnostics::Debug::WriteLine( String::Format(“Cannot duplicate the thread handle to THREAD_QUERY_INFORMATION rights”));
System::Console::WriteLine( String::Format(“Cannot duplicate the thread handle to THREAD_QUERY_INFORMATION rights”));
return false;
}
}
finally
{
// Cleanup
CloseHandle(hRemoteThread);
}
}
else
{
System::Diagnostics::Debug::WriteLine( String::Format(“Cannot open the thread with THREAD_SUSPEND_RESUME rights”));
System::Console::WriteLine( String::Format(“Cannot open the thread with THREAD_SUSPEND_RESUME rights”));
return FALSE;
}
}

Download ThreadKiller.zip



Viewing all articles
Browse latest Browse all 6

Latest Images

Trending Articles





Latest Images