
Thread: ResumeThread & WaitForSingleObject in combination leads to a problem...

  1. #1 OHPen (::[ Reverse Engineer ]::, joined Nov 2002)

    ResumeThread & WaitForSingleObject in combination leads to a problem...

    Oi,

    I still have problems returning control to the entry point of the application after I did all the necessary stuff in my DLL.

    What I did so far is:

    - nucleus.exe loads nucleus_dll.dll into the process of a selected target by allocating memory in the target process, searching for kernel32/LoadLibrary and calling it with the nucleus_dll.dll name.

    - Right after loading the DLL I create an event in nucleus.exe and use WaitForSingleObject to set the appropriate state. nucleus.exe is now waiting for "Global\NUCLEUS_DLL_EVENT".

    - Also at the same time the DLL gained control via DLL_PROCESS_ATTACH, where I parse an XML file to get the entry_point and imagebase of the target.
    That is all I actually do!

    - Then I use OpenEvent and PulseEvent to signal the event in nucleus.exe.

    - I do the same with CreateEvent and WaitForSingleObject in the DLL with the event "Global\NUCLEUS_DLL_REMOTE_EVENT". DLL_PROCESS_ATTACH is now waiting for the event "Global\NUCLEUS_DLL_REMOTE_EVENT".

    - Also at the same time control is passed back to the nucleus dll right after the WaitForSingleObject because the event "Global\NUCLEUS_DLL_EVENT" was signaled. To prove it I simply show a message box.

    - The last thing I do is suspend the target thread, use SetThreadContext to set EIP to the original EP (imagebase + ep) and resume the thread.


    And here is the problem.
    I assembled a 0xCC at the EP to check whether the target crashes or not, but after calling ResumeThread for the target the last time nothing happens. Is it possible to set the thread context of a thread while the thread is in a waiting state? I also tried to set the thread context and then trigger the event "Global\NUCLEUS_DLL_REMOTE_EVENT"; that also didn't work.

    Can someone point me in the right direction?

    Regards,

    OHPen
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  2. #2 OHPen
    Problem solved. I found a workaround. I simply transfer control to the entry point from the DLL directly.

    Regards,

    OHPen
