Page 1 of 2 (results 1 to 15 of 21)

Thread: Does someone know how to emulate CreateRemoteThread on win9x?

  1. #1
    tsehp
    Guest

    Does someone know how to emulate CreateRemoteThread on win9x?

    Hi,
    I'm not talking about installing some code into an already existing thread of a win9x process, because the thread I have to create will be killed after I use it for the IAT rebuilder tracer.
    If someone has info about this, thanks to mail me or write it on the msgboard.
    TIA
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Alexey Solodovnikov
    Guest
    Hi +Tsehp,
    As I saw, you work even in Christmas time. That's great!

    Merry Christmas and Happy New Year, man. And good luck to
    you and your IAT rebuilder

  3. #3
    Lord Soth
    Guest
    Hiya +tsehp,

    The way I see it, you basically only have two options. The one is to somehow inject code into the process space (temporarily) that will call CreateThread itself, which will create a new thread for the process itself. Then you really wouldn't care about the changes you made to the code (or if you do care, you can restore it..). For all intents and purposes, I think a new thread would serve you right.

    The other option would be to somehow use internal kernel functions and structures to allocate another thread block for the process space. I'm not certain there is any place you can find such information. I don't remember seeing such a thing at Pietrek's. However, with some reversing, you might be able to figure out how createprocess does the magic, and try to perform it yourself. I know it's a lot of work, but if you REALLY need this, you might think about putting in the time for it.

    This is a daunting project. Of course this is not just allocation of memory and stuff. You have to have a TCB, msg queue, stack area, what not. You even have to somehow notify vmm32 of your new thread. Don't ask me how, that's as far as my knowledge goes.

    cya buddy
    good luck

  4. #4
    Lord Soth
    Guest
    > However, with some reversing, you might be
    > able to figure out how createprocess does
    > the magic, and try to perform it yourself.

    That should've been CreateThread.
    Oops :-)

    LS

  5. #5
    Morlac
    Guest
    Hi all,

    +Tsehp, I can't say that I understand why you want to emulate the function. I checked the MSDN I have and it says that CreateRemoteThread() is available for Win98 or later.
    Check this out (from the MSDN):
    QuickInfo
    Windows: Requires Windows 98 or later.
    Windows CE: Unsupported.
    Header: Declared in winbase.h.
    Import Library: Use kernel32.lib.

    Perhaps I don't understand.
    Regards,
    Morlac.

  6. #6
    tsehp
    Guest
    Alexey Solodovnikov (12-24-2000 03:25):
    > Hi +Tsehp,
    > As I saw, you work even in Christmas time. That's great!
    >
    > Merry Christmas and Happy New Year, man. And good luck to
    > you and your IAT rebuilder
    Hi Alex, if I had worked that Christmas evening I would say that my app would be more than damaged; anyway I have a little text file for you,
    generated from the latest AZPR version, included for download.

    Have good work on the next ASProtect version

    Merry Christmas

  7. #7
    tsehp
    Guest
    Lord Soth (12-24-2000 09:25):
    > > However, with some reversing, you might be
    > > able to figure out how createprocess does
    > > the magic, and try to perform it yourself.
    >
    > That should've been CreateThread.
    > Oops :-)
    >
    > LS
    Hi Lord, thanks for your reply. I've found another way to do it; if you ask me by mail I'll tell you if the solution works, will be trying today.
    Merry Christmas.

  8. #8
    tsehp
    Guest
    Morlac (12-24-2000 10:04):
    > Hi all,
    >
    > +Tsehp, I can't say that I understand why you want to emulate the function. I checked the MSDN I have and it says that CreateRemoteThread() is available for Win98 or later.
    > Check this out (from the MSDN):
    > QuickInfo
    > Windows: Requires Windows 98 or later.
    > Windows CE: Unsupported.
    > Header: Declared in winbase.h.
    > Import Library: Use kernel32.lib.
    >
    > Perhaps I don't understand.
    > Regards,
    > Morlac.
    I don't understand either, because I've already found what you say, and I also found some other MSDN links that say the opposite. Just look at this, extracted from http://msdn.microsoft.com/library/default.asp
    at the end:
    Requirements
    Windows NT/2000: Requires Windows NT 3.1 or later.
    Windows 95/98: Unsupported.
    Header: Declared in Winbase.h; include Windows.h.
    Library: Use Kernel32.lib.

    A guy said that this API is used in Office 2000, I'll check with SoftICE;
    otherwise I already have a kind of solution. When I'm finished, the app will be sent to beta testers.
    Best regards,

  9. #9
    Predator [PC/pGC]
    Guest
    Hey Alexey ;-)

  10. #10
    Erovin
    Guest
    My last 3 MSDN kits have stated clearly that CreateRemoteThread is UNSUPPORTED on Win95 and Win98. I needed the same thing for a trainer I made. I wanted my thread to run in the same process space as the game. I spent a lot of time and the only satisfactory thing I found was to use SetWindowsHookEx with WH_GETMESSAGE. With this I could send messages to the app and have my own code get access to the entire memory space of the process.

    There are 2 drawbacks with this approach: (1) it requires some fancy DLL manipulations and (2) if the app is not a "real" Windoze app with a message loop and a window procedure then it won't work at all.

  11. #11
    tsehp
    Guest
    Yes, you're right.
    I tried another way:
    CreateProcess and get the primary hThread, freeze it and change its context for my injected code with WriteProcessMemory. Sometimes it works, sometimes not: if the thread's EIP is too low, I just crash it; there is no way to allocate more mem from another process to inject my code elsewhere and have plenty of space for my tracer DLL. I'm waiting for a final answer from the Owl and then maybe give up the win9x port of my tool. It's fully working on win2k; such a shame, but I'm afraid that this IAT rebuilder will be available only on this system with the tracing feature. Maybe someone has another idea, who knows?

    +Tsehp

  12. #12
    tsehp
    Guest
    Lord Soth (12-24-2000 09:22):
    > Hiya +tsehp,
    >
    > The way I see it, you basically only have
    > two options. The one is to somehow inject
    > code into the process space (temporarily),
    > that will call CreateThread itself, which will create a new thread for the process itself.
    I'd like to, but I have to use the app's primary thread to do it, and if it doesn't have some free space, I just crush its code and damage it.
    Even if I manage to create another thread, I can't get back its handle for my main app in another process to copy my DLL... So I'm obliged to use the main thread; if there's not enough mem allocated for it for my DLL (about 5 mem pages) I'm just blocked on this. So much simpler and more stable on win2k / nt4.
    Too bad

  13. #13
    kill3xx
    Guest
    +Tsehp (12-25-2000 06:46):
    > Yes, you're right.
    > I tried another way:
    > CreateProcess and get the primary hThread, freeze it and change its context for my injected code with WriteProcessMemory. Sometimes it
    > ....
    > +Tsehp
    Without undocumented/exotic solutions.. this one works fine for me..

    1) put your CreateThread, etc. stuff in a MMF with bInheritHandle=true
       + some signaling/synchronization code (events, etc..)
       + restore EP code
    2) setup a small stub that'll do:
       a) MapViewOfFile (inheritable handle)
       b) save registers, etc..
       c) jmp into your code
    3) CreateProcess + CREATE_SUSPENDED + bInheritHandles=true
    4) ReadProcessMemory the original EP code into the MMF
    5) WriteProcessMemory to overwrite the EP with your stub
    6) ResumeThread
    Wait on hThread and the synchronization objs to signal you that all is ok.. a side bonus is that the MMF is also suitable for IPC (you can save your listener thread/window handle, etc..)

    merry xmas,

    kill3xx

  14. #14
    garph0
    Guest
    I wrote a proggie just like kill3xx says... do you remember my injector threads?
    It works fine; if you want it, drop me a line.

    regards

    garph0

  15. #15
    garph0
    Guest
    Uh, it works well also with a running target.

    garph0
