CreateRemoteThread Problem

06/14/2011 21:29 RunzelEier#1
Hi,
I injected my own function into the memory scope of a process and want to call this procedure with CreateRemoteThread.

I allocated some memory with access protection EXECUTE_READWRITE and wrote the function's binary into the allocated memory.
This is how my injected function looks:
But if I call my function with CreateRemoteThread I get an access violation.

If you have a clue what I'm doing wrong, please help me.
06/14/2011 21:37 xNopex#2
EDIT: crap... I'm sorry :-/

EDIT2: I've looked over this piece of code again and again and the only possible mistake for me is that you have set the wrong address at your call (line 5). Maybe you can try to set a breakpoint at the beginning of your function in Olly and then have a look when the program crashes or throws an error. Then you know the location which causes the crash. I guess (hope) it is the call...
06/17/2011 12:56 RunzelEier#3
No, it is not the call.
The call is correct.
But I don't even get to the call.

I get the access violation when trying to access my allocated memory, although I used EXECUTE_READWRITE.
06/17/2011 17:31 MrSm!th#4
CreateRemoteThread wants a function defined as
DWORD (__stdcall *)(LPVOID)

Your code (which should be the thread entry point, if I understood you right) doesn't save the registers like a __stdcall function does, and you use RETN instead of RET 4 (which you should use, since a thread has one parameter and you have to remove the stack allocation for it).

Your code should look like this:

Code:
push ebp             ; set up a stack frame
mov ebp, esp
push 5               ; arguments, pushed right to left
push 0B110000
push 24D78E88
CALL 006EC051        ; a __stdcall target removes its own arguments
mov esp, ebp         ; tear down the frame
pop ebp
RET 4                ; remove the thread's single LPVOID parameter
Additionally, it is important which calling convention the function you are calling has.
If it has __stdcall, the code will work like that, but if it has __cdecl you have to remove the parameters from the stack after the call!

In this case, use:
Code:
push ebp             ; set up a stack frame
mov ebp, esp
push 5               ; arguments, pushed right to left
push 0B110000
push 24D78E88
CALL 006EC051        ; a __cdecl target leaves its arguments on the stack
add esp, 0C          ; caller removes the three DWORD arguments (12 bytes)
mov esp, ebp         ; tear down the frame
pop ebp
RET 4                ; remove the thread's single LPVOID parameter
06/17/2011 18:59 RunzelEier#5
My injected function now looks like this:
Code:
PUSH EBP
MOV EBP,ESP
PUSH 5
PUSH 30C0000
PUSH 24D759C8
CALL 006EC050
MOV ESP,EBP
POP EBP
RETN 4
But I still get an access violation when executing my allocated memory.
06/17/2011 23:00 MrSm!th#6
Could you please show your injection code? How do you allocate and write it?
06/18/2011 01:16 RunzelEier#7
Here is the code.

It should have the needed access rights, if I'm right.
06/18/2011 10:07 xNopex#8
:)
Code:
CreateRemoteThread($hProcess[1],0,0,$function, 0, 0, 0)
_MemVirtualFreeEx($hProcess[1],$function,6+UBound($Parameter)*5,$MEM_DECOMMIT )
Here is your mistake I think. You mustn't free the allocated memory after creating the thread. The created thread runs independently from the main thread. In order to achieve multitasking, 'CreateRemoteThread' is not a blocking call. As a result you are trying to free your allocated memory before the created thread has finished executing. So you have to ensure that your thread has done its job before you want to free the memory.
06/18/2011 12:33 MrSm!th#9
Yes, I made this mistake before, too.

You have to wait until the thread has finished execution. Do this with WaitForSingleObject.
After that you can free the memory.
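The lifetime bug that posts #8 and #9 describe (memory freed right after the thread is created, before the thread has run) is reproduced below as an added example; it is not code from this thread or from AutoIt. It uses POSIX threads so it runs anywhere: the allocated region is a heap block, pthread_create stands in for CreateRemoteThread, pthread_join for WaitForSingleObject(hThread, INFINITE), and the constructed decommit() for VirtualFreeEx. A mutex "gate" holds the worker at its first instruction so both interleavings are deterministic; all names here are constructed for the demo.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome codes returned by run_job(). */
enum { JOB_OK = 0, JOB_FAULT = 1, JOB_ERR = -1 };

typedef struct {
    char           *code;       /* the allocated "code" region (constructed) */
    int             committed;  /* 1 while the region is still mapped */
    pthread_mutex_t gate;       /* lets the creator decide when the worker runs */
    int             outcome;
} job_t;

/* Thread entry point: the routine CreateRemoteThread would start. */
static void *worker(void *arg) {
    job_t *job = (job_t *)arg;
    pthread_mutex_lock(&job->gate);     /* block until the creator opens the gate */
    pthread_mutex_unlock(&job->gate);
    if (!job->committed) {
        /* The region is gone: this is the "access violation" seen in the thread. */
        job->outcome = JOB_FAULT;
        return NULL;
    }
    volatile char first = job->code[0]; /* touch the region, like executing it */
    (void)first;
    job->outcome = JOB_OK;
    return NULL;
}

/* Stands in for VirtualFreeEx(..., MEM_DECOMMIT): the region becomes invalid. */
static void decommit(job_t *job) {
    job->committed = 0;
    free(job->code);
    job->code = NULL;
}

/* wait_before_free = 1: create, wait, free (correct).
 * wait_before_free = 0: create, free, let the thread run (the original bug). */
int run_job(int wait_before_free) {
    static const char payload[] = "payload";   /* constructed sample bytes */
    job_t job;
    pthread_t t;

    job.code = malloc(sizeof payload);         /* VirtualAllocEx + WriteProcessMemory */
    if (job.code == NULL) return JOB_ERR;
    memcpy(job.code, payload, sizeof payload);
    job.committed = 1;
    job.outcome = JOB_ERR;
    pthread_mutex_init(&job.gate, NULL);
    pthread_mutex_lock(&job.gate);             /* hold the worker until we say so */

    if (pthread_create(&t, NULL, worker, &job) != 0) {
        pthread_mutex_unlock(&job.gate);
        decommit(&job);
        pthread_mutex_destroy(&job.gate);
        return JOB_ERR;
    }

    if (wait_before_free) {
        pthread_mutex_unlock(&job.gate);       /* let the thread run ... */
        pthread_join(t, NULL);                 /* ... WaitForSingleObject(hThread, INFINITE) ... */
        decommit(&job);                        /* ... and only then free the region */
    } else {
        decommit(&job);                        /* bug: free immediately after create */
        pthread_mutex_unlock(&job.gate);       /* the scheduler runs the thread later */
        pthread_join(t, NULL);
    }
    pthread_mutex_destroy(&job.gate);
    return job.outcome;
}

int main(void) {
    printf("wait then free : %s\n", run_job(1) == JOB_OK    ? "ok"    : "fault");
    printf("free then run  : %s\n", run_job(0) == JOB_FAULT ? "fault" : "ok");
    return 0;
}
```

The gate only makes the unlucky interleaving reproducible; in the real program the same outcome depends on whether the scheduler runs the new thread before the creator reaches VirtualFreeEx, which is why the bug shows up as an intermittent access violation rather than a consistent one.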
06/18/2011 12:59 RunzelEier#10
Yeah, this was my problem.
Now everything works fine. :)

PacketHack in AutoIt xD