CreateRemoteThreadEx and NtCreateThreadEx fail

I'm currently trying to implement a Process Evasion method named Process Doppelgänging in Rust.

I've successfully created the NTFS transaction and the process, and I've written the new parameters into the PEB of the process, but I can't create the main thread.

When I attempt to create the main thread my program crashes.

When I use NtCreateThreadEx the function returns 0xC0000022 (STATUS_ACCESS_DENIED).

(I created the process with the PROCESS_ALL_ACCESS constant and I'm running as administrator).

ntstatus = NtCreateThreadEx(
    &mut thread,
    THREAD_ALL_ACCESS,
    null_mut(),
    process,
    transmute::<u64, *mut c_void>(va_entrypoint),
    null_mut(),
    0, 0, 0, 0,
    null_mut()
);

And when I use CreateRemoteThreadEx the program (my program, not the created process) crashes with error 0xC0000005 (STATUS_ACCESS_VIOLATION).

let thread = CreateRemoteThreadEx(
    process,
    THREAD_ALL_ACCESS,
    0,
    transmute::<u64, *mut c_void>(va_entrypoint),
    null_mut(),
    0,
    null_mut(), &mut id
);

The va_entrypoint variable is equal to the ImageBaseAddress from the PEB of the created process + the AddressOfEntryPoint from the Optional Headers of the PE file that I loaded in memory.

I checked whether the process is running and it is, but I can only recognize it by its PID in the tasklist.exe output because the program doesn't have any name...

I guess that's normal because I didn't create the main thread, but I'm not sure about that either.

I manually checked the address of the PEB, the image base address, etc. with some process analysis tools, and everything is OK.

I think I'm missing something when I'm trying to create the main thread — when I try to create the main thread, the process actually dies.

winapi
process
rust
asked on Stack Overflow Jan 14, 2020 by Aleister Crowley • edited Jan 15, 2020 by Shepmaster

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0