I'm currently trying to implement a Process Evasion method named Process Doppelgänging in Rust.
I've successfully created the NTFS transaction, the process, I've written the new parameters in the PEB of the process but I can't create the main thread.
When I attempt to create the main thread my program crashes.
When I use NtCreateThreadEx the function returns 0xC0000022 (STATUS_ACCESS_DENIED). (I created the process with the PROCESS_ALL_ACCESS constant and I'm running as administrator.)
ntstatus = NtCreateThreadEx( &mut thread, THREAD_ALL_ACCESS, null_mut(), process, transmute::<u64, *mut c_void>(va_entrypoint), null_mut(), 0, 0, 0, 0, null_mut() );
And when I use CreateRemoteThreadEx the program (my program, not the created process) crashes with error 0xC0000005 (STATUS_ACCESS_VIOLATION).
let thread = CreateRemoteThreadEx( process, THREAD_ALL_ACCESS, 0, transmute::<u64, *mut c_void>(va_entrypoint), null_mut(), 0, null_mut(), &mut id );
The va_entrypoint variable is equal to the ImageBaseAddress from the PEB of the created process + the AddressOfEntryPoint from the Optional Headers of the PE file that I loaded in memory.
I checked if the process is running and it's running, but I can only recognize it by its tasklist.exe output because the program doesn't have any name...
I guess it's normal because I didn't create the main thread, but I'm not sure as well.
I manually checked the address of the PEB, the Image Base address etc. with some process analysis tools and everything is ok.
I think I'm missing something when I'm trying to create the main thread — when I try to create the main thread, the process actually dies.