
Support remote thread execution? #35

Open
VoldeSec opened this issue Mar 19, 2023 · 8 comments
Labels
question Further information is requested

Comments

@VoldeSec

Let's say I inject the shellcode into a remote process DLL. May I know if I can execute it using CreateRemoteThread? I tried, but the remote process crashed immediately. Thanks!

@hasherezade
Owner

Hi @VoldeSec !
First of all I need to know more details to investigate what could possibly have caused it.

  • Did your converted shellcode work when you tried to run it with the runshc32/64 application?
  • What did you use for making the injection? Did you try injector32/64 from the package? BTW, it uses CreateRemoteThread:
    if ((hMyThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remote_buf, NULL, 0, &threadId)) == NULL) {
  • What flags were set on the process into which you tried the injection?
  • Are you 100% sure that the process and the payload had the same bitness?
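Seen from the defending side, the primitive being debugged in this thread (a thread started in another process at an address inside an injected buffer) is exactly what Sysmon's Event ID 8 (CreateRemoteThread) records, with its SourceImage, TargetImage, StartAddress, StartModule and StartFunction fields. The Python below is an added example, not code from this thread or from the pe2shc / module_overloading projects: it triages such events by whether the thread start address is backed by a mapped module, and whether that address is a loader export. The pipe-separated key=value rendering, the process names, PIDs and addresses are constructed for the example, and the severity levels and the LOADER_EXPORTS set are assumptions of mine, not Sysmon's.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records.

Heuristic, not a rule set: a remote thread whose start address is not backed
by any mapped module is the signature of shellcode run straight out of an
injected buffer; one that starts at LoadLibrary* is the classic DLL-injection
pattern; one that starts inside a module but not at an exported function is
ambiguous and needs corroboration (module stomping lands in this bucket,
because the stomped DLL is legitimately mapped).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample records: a flat "key=value|key=value" rendering of the
# Event ID 8 fields. Paths, PIDs and addresses are made up for this example.
SAMPLE_EVENTS = [
    # 1: cross-process thread starting in unbacked memory (injected buffer)
    r"SourceProcessId=4312|SourceImage=C:\Users\lab\injector64.exe|TargetProcessId=5120"
    r"|TargetImage=C:\Windows\System32\cmd.exe|StartAddress=0x000001F2A3B40000|StartModule=|StartFunction=",
    # 2: a process creating a thread in itself (not remote, should be ignored)
    r"SourceProcessId=800|SourceImage=C:\Windows\System32\svchost.exe|TargetProcessId=800"
    r"|TargetImage=C:\Windows\System32\svchost.exe|StartAddress=0x00007FF8A1B20000|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=TppWorkerThread",
    # 3: cross-process thread starting at LoadLibraryA (DLL injection pattern)
    r"SourceProcessId=4312|SourceImage=C:\Users\lab\injector64.exe|TargetProcessId=5120"
    r"|TargetImage=C:\Windows\System32\cmd.exe|StartAddress=0x00007FF8A0C51230|StartModule=C:\Windows\System32\kernel32.dll|StartFunction=LoadLibraryA",
    # 4: cross-process thread starting inside a mapped DLL, but not at an export
    r"SourceProcessId=4312|SourceImage=C:\Users\lab\injector64.exe|TargetProcessId=5120"
    r"|TargetImage=C:\Windows\System32\cmd.exe|StartAddress=0x00007FF8A2D13000|StartModule=C:\Windows\System32\user32.dll|StartFunction=",
]

# Assumption: the loader exports most often used as a remote thread entry.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class RemoteThreadEvent:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    start_address: int
    start_module: str      # empty when the address is not inside any mapped image
    start_function: str    # empty when the address is not an exported function


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one constructed key=value|... record into a RemoteThreadEvent."""
    fields = {}
    for kv in line.strip().split("|"):
        key, _, value = kv.partition("=")
        fields[key] = value
    return RemoteThreadEvent(
        source_pid=int(fields["SourceProcessId"]),
        source_image=fields["SourceImage"],
        target_pid=int(fields["TargetProcessId"]),
        target_image=fields["TargetImage"],
        start_address=int(fields["StartAddress"], 16),
        start_module=fields.get("StartModule", ""),
        start_function=fields.get("StartFunction", ""),
    )


def classify(ev: RemoteThreadEvent) -> Tuple[str, List[str]]:
    """Return (severity, reasons); severity is one of none/low/medium/high."""
    if ev.source_pid == ev.target_pid:
        return "none", []          # thread created in the caller's own process
    reasons = ["cross-process thread creation"]
    severity = "low"
    if not ev.start_module:
        severity = "high"
        reasons.append("start address %#x is not backed by any mapped module" % ev.start_address)
    elif ev.start_function in LOADER_EXPORTS:
        severity = "high"
        reasons.append("thread starts at %s (DLL injection pattern)" % ev.start_function)
    elif not ev.start_function:
        severity = "medium"
        reasons.append("start address inside %s but not at an exported function" % ev.start_module)
    return severity, reasons


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (target image name, severity, reasons) for every remote-thread event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        severity, reasons = classify(ev)
        if severity == "none":
            continue
        findings.append((ev.target_image.rsplit("\\", 1)[-1], severity, reasons))
    return findings


if __name__ == "__main__":
    for target, severity, reasons in triage(SAMPLE_EVENTS):
        print("%-8s %-10s %s" % (severity, target, "; ".join(reasons)))
```

The "medium" bucket is the one to read with this thread in mind: when a payload is placed over an already-mapped DLL, StartModule is populated and only the absence of an exported function at the start address remains as a signal, so that finding needs corroboration from other telemetry (for example memory-protection changes or process-access events) before it is actionable.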

@VoldeSec
Author

Thanks @hasherezade,

  1. Yes, I tried with runshc and it works perfectly fine.
  2. I am trying module stomping, referencing your other project "module_overloading" (already got rid of CFG). I will take a look at the injector and compare the difference.
  3. I am using the same flags as you above and pass the implant entrypoint as the LPTHREAD_START_ROUTINE. But the process still failed to execute and crashed. Do I
  4. I already checked the memory and the payload had the exact same bitness as the target process, e.g. calc.exe.

Thank you again for your prompt response!

@hasherezade
Owner

@VoldeSec - does it work if you try to inject the same shellcode to the same process, but using injector32/64 (from the pe2shc release package)?

@VoldeSec
Author

@hasherezade Yes, it works when using the injector to inject (e.g. calc.exe and other PEs converted to an output file for the PoC) into a remote process (i.e. cmd.exe).

@hasherezade
Owner

I see, so if the shellcode works, and it can be injected with the original injector, then it seems to be a problem with your replacement injector. BTW, using the module_overloading method for shellcode injection sounds odd, but I will need to analyze your code to really know what happens there.

@VoldeSec
Author

I have invited you on Wire for further discussion. I would be glad if you have time to give recommendations on the code.
Thanks!

@hasherezade
Owner

OK, I accepted your invite. Let's talk on Wire.

@hasherezade hasherezade added the question Further information is requested label Mar 20, 2023
@bird00101011

Sleep the remote thread
