I'm currently trying to implement a Process Evasion method named Process Doppelgänging in Rust.
I've successfully created the NTFS transaction, the process, I've written the new parameters in the PEB of the process but I can't create the main thread.
When I attempt to create the main thread my program crashes.
When I use NtCreateThreadEx the function returns 0xC0000022 (STATUS_ACCESS_DENIED). (I created the process with the PROCESS_ALL_ACCESS constant and I'm running as administrator.)
    ntstatus = NtCreateThreadEx(
        &mut thread,
        THREAD_ALL_ACCESS,
        null_mut(),
        process,
        transmute::<u64, *mut c_void>(va_entrypoint),
        null_mut(),
        0, 0, 0, 0,
        null_mut()
    );
And when I use CreateRemoteThreadEx, the program (my program, not the created process) crashes with error 0xC0000005 (STATUS_ACCESS_VIOLATION).
    let thread = CreateRemoteThreadEx(
        process,
        THREAD_ALL_ACCESS,
        0,
        transmute::<u64, *mut c_void>(va_entrypoint),
        null_mut(),
        0,
        null_mut(), &mut id
    );
The va_entrypoint variable is equal to the ImageBaseAddress from the PEB of the created process + the AddressOfEntryPoint from the Optional Headers of the PE file that I loaded in memory.
I checked if the process is running and it's running, but I can only recognize it by its PID in tasklist.exe output because the program doesn't have any name...
I guess it's normal because I didn't create the main thread, but I'm not sure either.
I manually checked the address of the PEB, the Image Base address, etc. with some process analysis tools and everything is OK.
I think I'm missing something when I'm trying to create the main thread — when I try to create the main thread, the process actually dies.
User contributions licensed under CC BY-SA 3.0