
ResumeThread & WaitForSingleObject in combination leads to a problem...


OHPen
August 17th, 2008, 06:12
Oi,

I still have problems returning control to the entry point of the application after I did all the necessary stuff in my DLL.

What I did so far is:

- nucleus.exe loads nucleus_dll.dll into the process of a selected target by allocating memory in the target process, searching for kernel32/LoadLibrary and calling it with the nucleus_dll.dll name.

- Right after loading the DLL I create an event in nucleus.exe and use WaitForSingleObject to set the appropriate state. nucleus.exe is now waiting for "Global\NUCLEUS_DLL_EVENT".

- Also at the same time the DLL gained control via DLL_PROCESS_ATTACH, where I parse an XML file to get entry_point and imagebase of the target.
I actually do nothing more!

- Then I use OpenEvent and PulseEvent to signal the event in nucleus.exe.

- I do the same with CreateEvent and WaitForSingleObject in the DLL with the event "Global\NUCLEUS_DLL_REMOTE_EVENT". DLL_PROCESS_ATTACH is now waiting for the event "Global\NUCLEUS_DLL_REMOTE_EVENT".

- Also at the same time control is passed back to nucleus dll right after the WaitForSingleObject because the event "Global\NUCLEUS_DLL_EVENT" was signaled. To prove it I simply show a message box.

- The last thing I do is suspend the target thread, use SetThreadContext to set EIP to the original EP (imagebase + ep) and resume the thread.


And here is the problem.
I assembled a 0xCC at the EP to check whether the target is crashing or not, but after calling ResumeThread for the target the last time, nothing happens. Is it possible to set the thread context of a thread while the thread is in a waiting state? I also tried to set the thread context and then trigger the event "Global\NUCLEUS_DLL_REMOTE_EVENT"; that also didn't work.

Can someone point me in the right direction?

Regards,

OHPen

OHPen
August 17th, 2008, 10:46
Problem solved. I found a workaround. I simply transfer control to the entry point from the DLL directly.

Regards,

OHPen