Last active
June 16, 2025 13:27
Keyed Event demonstration
| #include <cstdio> | |
| #include <Veil.h> | |
// Number of worker threads started by main().
#define NTHREAD 8

// State shared between main() and every worker. A pointer to one instance is
// passed as the thread start argument, so the instance must outlive all workers.
typedef struct _THREAD_ARG {
    LONG volatile g_Counter; // outstanding-work counter; modified with Interlocked* operations
    HANDLE KeyedEvent;       // keyed event on which main() and the last worker rendezvous
} THREAD_ARG;

// Worker entry point handed to NtCreateThreadEx; defined after main().
NTSTATUS NTAPI print(PVOID arg);
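// Starts NTHREAD workers with NtCreateThreadEx and blocks on a keyed event
// until the last of them has finished.
//
// Returns 0 on success and 1 if the keyed event could not be created.
int main()
{
    // The counter starts at 1: this extra reference belongs to main() and is
    // dropped only after the creation loop. Without it the counter can reach
    // zero while threads are still being created, and main() could test the
    // counter after the last decrement but before the release, then close the
    // handle and leave its stack frame while a worker still uses both.
    THREAD_ARG ThreadArg = {.g_Counter = 1};

    NTSTATUS Status = NtCreateKeyedEvent(&ThreadArg.KeyedEvent, KEYEDEVENT_WAKE | KEYEDEVENT_WAIT, nullptr, 0);
    if (!NT_SUCCESS(Status)) {
        fprintf(stderr, "NtCreateKeyedEvent failed: 0x%08lX\n", (unsigned long)Status);
        return 1;
    }

    for (size_t i = 0; i < NTHREAD; i++) {
        // Filled in by NtCreateThreadEx through the attribute list. It is
        // initialised so that a failed call can never leave a wild pointer.
        PTEB Teb = nullptr;
        PS_ATTRIBUTE_LIST AttrList
        {
            sizeof(AttrList),
            {{.Attribute = PsAttributeTebAddress | PS_ATTRIBUTE_THREAD, .Size = sizeof(Teb), .ValuePtr = &Teb}}
        };

        // Take the worker's reference before the thread exists, so the worker
        // can never decrement a counter that does not yet include it.
        InterlockedIncrement(&ThreadArg.g_Counter);

        HANDLE Thread = nullptr;
        Status = NtCreateThreadEx(&Thread,
                                  STANDARD_RIGHTS_REQUIRED,
                                  nullptr,
                                  NtCurrentProcess(),
                                  print,
                                  (PVOID)&ThreadArg,
                                  THREAD_CREATE_FLAGS_NONE,
                                  0,
                                  0,
                                  0,
                                  &AttrList);
        if (!NT_SUCCESS(Status)) {
            // No worker will drop this reference, so give it back here;
            // otherwise main() would wait for a release that never comes.
            InterlockedDecrement(&ThreadArg.g_Counter);
            fprintf(stderr, "NtCreateThreadEx failed: 0x%08lX\n", (unsigned long)Status);
            continue;
        }

        if (Teb != nullptr) {
            // NOTE(review): the thread handle is parked in the new thread's
            // TEB and never closed in this file. Presumably the author relies
            // on it being released when the thread exits; confirm, otherwise
            // the handle lives until the process ends. The write also targets
            // the TEB of a thread that is already running.
            Teb->DbgSsReserved[1] = Thread;
        } else {
            NtClose(Thread);
        }
    }

    // Drop main()'s own reference. If workers are still running, the one that
    // brings the counter to zero releases key 0x2 and this wait pairs with it.
    // Keyed-event keys must have their low bit clear, and waiter and releaser
    // must use the same key value.
    if (InterlockedDecrement(&ThreadArg.g_Counter) != 0) {
        Status = NtWaitForKeyedEvent(ThreadArg.KeyedEvent, (PVOID)0x2, FALSE, nullptr);
        if (!NT_SUCCESS(Status)) {
            fprintf(stderr, "NtWaitForKeyedEvent failed: 0x%08lX\n", (unsigned long)Status);
        }
    }

    NtClose(ThreadArg.KeyedEvent);
    return 0;
}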
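// Worker thread body: prints a greeting, sleeps for one second, prints a
// farewell, then drops its reference on the shared counter.
//
// arg points to the THREAD_ARG owned by main(); it lives on main()'s stack,
// so it is valid only while main() is still waiting for the workers.
// Returns STATUS_SUCCESS, or the status of NtReleaseKeyedEvent for the worker
// that performs the release.
NTSTATUS NTAPI print(LPVOID arg)
{
    THREAD_ARG *ThreadArg = (THREAD_ARG *)arg;
    DWORD Tid = HandleToUlong(NtCurrentTeb()->ClientId.UniqueThread);

    // DWORD is unsigned, so the conversion is %lu rather than %ld.
    printf("Hello from thread %lu\n", Tid);

    // A negative interval is relative and counted in 100 ns units: one second.
    LARGE_INTEGER Time = {.QuadPart = 1 * 1000 * -10000LL};
    RtlDelayExecution(FALSE, &Time);

    printf("Goodbye thread %lu\n", Tid);

    // Only the worker that brings the counter to zero wakes main(). The key
    // (0x2) must be the same value main() waits on.
    if (InterlockedDecrement(&ThreadArg->g_Counter) == 0) {
        return NtReleaseKeyedEvent(ThreadArg->KeyedEvent, (PVOID)0x2, FALSE, nullptr);
    }
    return STATUS_SUCCESS;
}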
| #include <cstdio> | |
| #include <Veil.h> | |
// Number of worker threads started by main().
#define NTHREAD 8

// State shared between main() and every worker. A pointer to one instance is
// passed as the thread start argument, so the instance must outlive all workers.
typedef struct _THREAD_ARG {
    LONG volatile KeyValue; // last key handed out; advanced atomically by the workers
    HANDLE KeyedEvent;      // keyed event on which main() waits once per key
} THREAD_ARG;

// Worker entry point handed to NtCreateThreadEx; defined after main().
NTSTATUS NTAPI print(PVOID arg);
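// Starts NTHREAD workers with NtCreateThreadEx and then waits on the keyed
// event once for every worker that was actually started.
//
// Each worker releases a distinct even key (2, 4, 6, ...) in the order in
// which the workers finish; main() waits on the same set of keys.
// Returns 0 on success and 1 if the keyed event could not be created.
int main()
{
    THREAD_ARG ThreadArg = {.KeyValue = 0};

    NTSTATUS Status = NtCreateKeyedEvent(&ThreadArg.KeyedEvent, KEYEDEVENT_WAKE | KEYEDEVENT_WAIT, nullptr, 0);
    if (!NT_SUCCESS(Status)) {
        fprintf(stderr, "NtCreateKeyedEvent failed: 0x%08lX\n", (unsigned long)Status);
        return 1;
    }

    // Only successfully created workers will release a key, so the wait loop
    // below is sized from this count and not from NTHREAD.
    size_t Created = 0;

    for (size_t i = 0; i < NTHREAD; i++) {
        // Filled in by NtCreateThreadEx through the attribute list. It is
        // initialised so that a failed call can never leave a wild pointer.
        PTEB Teb = nullptr;
        PS_ATTRIBUTE_LIST AttrList
        {
            sizeof(AttrList),
            {{.Attribute = PsAttributeTebAddress | PS_ATTRIBUTE_THREAD, .Size = sizeof(Teb), .ValuePtr = &Teb}}
        };

        HANDLE Thread = nullptr;
        Status = NtCreateThreadEx(&Thread,
                                  STANDARD_RIGHTS_REQUIRED,
                                  nullptr,
                                  NtCurrentProcess(),
                                  print,
                                  (PVOID)&ThreadArg,
                                  THREAD_CREATE_FLAGS_NONE,
                                  0,
                                  0,
                                  0,
                                  &AttrList);
        if (!NT_SUCCESS(Status)) {
            fprintf(stderr, "NtCreateThreadEx failed: 0x%08lX\n", (unsigned long)Status);
            continue;
        }
        Created++;

        if (Teb != nullptr) {
            // NOTE(review): the thread handle is parked in the new thread's
            // TEB and never closed in this file. Presumably the author relies
            // on it being released when the thread exits; confirm, otherwise
            // the handle lives until the process ends. The write also targets
            // the TEB of a thread that is already running.
            Teb->DbgSsReserved[1] = Thread;
        } else {
            NtClose(Thread);
        }
    }

    // Workers hand out keys 2, 4, ..., 2 * Created. A release blocks until a
    // waiter with the same key arrives, so the order of the waits does not
    // matter. Keys must have their low bit clear, hence the step of 2.
    for (size_t Key = 2 * Created; Key > 0; Key -= 2) {
        Status = NtWaitForKeyedEvent(ThreadArg.KeyedEvent, (PVOID)Key, FALSE, nullptr);
        if (!NT_SUCCESS(Status)) {
            fprintf(stderr, "NtWaitForKeyedEvent failed: 0x%08lX\n", (unsigned long)Status);
            break;
        }
    }

    NtClose(ThreadArg.KeyedEvent);
    return 0;
}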
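// Worker thread body: prints a greeting, sleeps for one second, prints a
// farewell, then releases the keyed event under a key unique to this worker.
//
// arg points to the THREAD_ARG owned by main(); it lives on main()'s stack,
// so it is valid only while main() is still waiting for the workers.
// Returns the status of NtReleaseKeyedEvent.
NTSTATUS NTAPI print(LPVOID arg)
{
    THREAD_ARG *ThreadArg = (THREAD_ARG *)arg;
    DWORD Tid = HandleToUlong(NtCurrentTeb()->ClientId.UniqueThread);

    // DWORD is unsigned, so the conversion is %lu rather than %ld.
    printf("Hello from thread %lu\n", Tid);

    // A negative interval is relative and counted in 100 ns units: one second.
    LARGE_INTEGER Time = {.QuadPart = 1 * 1000 * -10000LL};
    RtlDelayExecution(FALSE, &Time);

    printf("Goodbye thread %lu\n", Tid);

    // InterlockedAdd returns the new value, so each worker gets its own even
    // key. The LONG is widened through ULONG_PTR before it becomes a pointer,
    // which avoids converting a 32-bit integer directly to a wider pointer.
    LONG Key = InterlockedAdd(&ThreadArg->KeyValue, 2);
    return NtReleaseKeyedEvent(ThreadArg->KeyedEvent, (PVOID)(ULONG_PTR)Key, FALSE, nullptr);
}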