CreateRemoteThread Problem
Discussion on CreateRemoteThread Problem within the General Coding forum, part of the Coders Den category.
#1, 06/14/2011, 21:29
elite*gold: 0 | Join Date: Dec 2010 | Posts: 1,196 | Received Thanks: 682
CreateRemoteThread Problem
Hi,
I injected a function of my own into the memory scope of a process and want to call this procedure with CreateRemoteThread.
I allocated some memory with access protection EXECUTE_READWRITE and wrote the function as binary into the allocated memory.
This is how my injected function looks:
But if I call my function with CreateRemoteThread I get an access violation.
If you have a clue what I am doing wrong, please help me.
#2, 06/14/2011, 21:37
elite*gold: 0 | Join Date: May 2009 | Posts: 827 | Received Thanks: 471
EDIT: ****... I'm sorry :-/
EDIT2: I've looked over this piece of code again and again, and the only possible mistake for me is that you have set the wrong address at your call (line 5). Maybe you can try to set a breakpoint at the beginning of your function in Olly and then have a look when the program crashes or throws an error. Then you know the location which causes the crash. I guess (hope) it is the call...
#3, 06/17/2011, 12:56
elite*gold: 0 | Join Date: Dec 2010 | Posts: 1,196 | Received Thanks: 682
No, it is not the call.
The call is correct.
But I don't even get to the call.
I get the access violation when trying to access my allocated memory, although I used EXECUTE_READWRITE.
#4, 06/17/2011, 17:31
elite*gold: 7110 | Join Date: Jun 2009 | Posts: 28,909 | Received Thanks: 25,409
CreateRemoteThread wants a function defined as
DWORD (__stdcall *)(LPVOID)
Your code (which should be the thread entry point, if I understood you right) doesn't save the registers like a __stdcall function does, and you use RETN instead of RET 4 (which you should use, since a thread has one parameter and you have to remove the stack allocation for it).
Your code should look like this:
Code:
push ebp              ; set up a stack frame, as a __stdcall thread routine does
mov ebp, esp
push 5                ; arguments for the target function, pushed right to left
push 0B110000
push 24D78E88
CALL 006EC051         ; target is __stdcall: the callee removes its own arguments
mov esp, ebp          ; tear the frame down again
pop ebp
RET 4                 ; remove the thread's single LPVOID parameter (4 bytes)
Additionally, it is important which calling convention the function you are calling has.
If it has __stdcall, the code will work like that, but if it has __cdecl you have to remove the parameters from the stack after the call!
In this case, use:
Code:
push ebp
mov ebp, esp
push 5
push 0B110000
push 24D78E88
CALL 006EC051
add esp, 0C           ; __cdecl: the caller removes the three DWORD arguments (12 bytes); "sub esp, 0C" as originally posted would move ESP the wrong way
mov esp, ebp
pop ebp
RET 4
#5, 06/17/2011, 18:59
elite*gold: 0 | Join Date: Dec 2010 | Posts: 1,196 | Received Thanks: 682
My injected function now looks like this:
Code:
PUSH EBP
MOV EBP,ESP
PUSH 5
PUSH 30C0000
PUSH 24D759C8
CALL 006EC050
MOV ESP,EBP
POP EBP
RETN 4
But I still get an access violation when executing my allocated memory.
#6, 06/17/2011, 23:00
elite*gold: 7110 | Join Date: Jun 2009 | Posts: 28,909 | Received Thanks: 25,409
Could you please show your injection code? How do you allocate and write it?
#7, 06/18/2011, 01:16
elite*gold: 0 | Join Date: Dec 2010 | Posts: 1,196 | Received Thanks: 682
Here is the code.
It should have the needed access rights, if I'm right.
#8, 06/18/2011, 10:07
elite*gold: 0 | Join Date: May 2009 | Posts: 827 | Received Thanks: 471
Code:
CreateRemoteThread($hProcess[1],0,0,$function, 0, 0, 0)
_MemVirtualFreeEx($hProcess[1],$function,6+UBound($Parameter)*5,$MEM_DECOMMIT )
Here is your mistake I think. You mustn't free the allocated memory after creating the thread. The created thread runs independently from the main thread. In order to achieve multitasking, 'CreateRemoteThread' is not a blocking call. As a result you are trying to free your allocated memory before the created thread has finished executing. So you have to ensure that your thread has done its job before you want to free the memory.
#9, 06/18/2011, 12:33
elite*gold: 7110 | Join Date: Jun 2009 | Posts: 28,909 | Received Thanks: 25,409
Yes, I made this mistake before, too.
You have to wait until the thread has finished execution. Do this with WaitForSingleObject.
After that you can free the memory.
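The two things this thread turns on, the allocate / write / CreateRemoteThread sequence from post #1 and the "free before the thread has finished" bug found in posts #8 and #9, are both visible in an API call trace, which is how a hooking or ETW-based monitor sees them. The checker below is an added example written for this page, not code from any of the posts or from the AutoIt/NomadMemory code the original poster used. The trace format (one tuple per hooked call with a dict of recorded arguments) is an assumption made for the example; the API names and PAGE_* constants are the real Win32 ones, while the handles, addresses and sizes in the sample traces are constructed. Run on the trace that mirrors the original post it reports both the injection pattern and the free-before-wait race; on the trace with the WaitForSingleObject fix from post #9 only the injection pattern remains.

```python
"""Replay a Win32 API call trace and report remote-thread lifecycle issues.

Added example, not code from the forum posts. Trace format is an assumption
made here; handles, addresses and sizes in the sample traces are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_MASK = 0xF0  # every PAGE_EXECUTE* value sits in the high nibble

Event = Tuple[str, dict]


@dataclass
class Region:
    base: int
    size: int
    protect: int
    written: bool = False          # caller wrote into it with WriteProcessMemory
    thread: Optional[int] = None   # handle of a remote thread started inside it
    waited: bool = False           # caller waited on that handle before freeing

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def check_trace(trace: List[Event]) -> List[str]:
    """Return one finding per detected issue, in trace order."""
    regions: Dict[Tuple[int, int], Region] = {}   # (process, base) -> Region
    threads: Dict[int, Tuple[int, int]] = {}      # thread handle -> region key
    findings: List[str] = []

    def region_for(process: int, addr: int):
        for key, reg in regions.items():
            if key[0] == process and reg.contains(addr):
                return key, reg
        return None, None

    for api, a in trace:
        if api == "VirtualAllocEx":
            regions[(a["process"], a["address"])] = Region(a["address"], a["size"], a["protect"])
        elif api == "WriteProcessMemory":
            _, reg = region_for(a["process"], a["address"])
            if reg is not None:
                reg.written = True
        elif api == "CreateRemoteThread":
            key, reg = region_for(a["process"], a["start"])
            if reg is not None:
                reg.thread = a["thread"]
                threads[a["thread"]] = key
                # The sequence a detection engineer looks for: executable memory allocated
                # in another process, written by the caller, then a thread started inside it.
                if reg.written and reg.protect & EXECUTABLE_MASK:
                    findings.append(
                        f"injection pattern: thread {a['thread']:#x} starts at {a['start']:#x}, "
                        f"inside a caller-written executable region of process {a['process']:#x}")
        elif api == "WaitForSingleObject":
            key = threads.get(a["handle"])
            if key is not None:
                regions[key].waited = True
        elif api == "VirtualFreeEx":
            reg = regions.pop((a["process"], a["address"]), None)
            # The bug from posts #8/#9: CreateRemoteThread does not block, so freeing the
            # code region without waiting on the thread races with its execution.
            if reg is not None and reg.thread is not None and not reg.waited:
                findings.append(
                    f"free-before-wait: region {a['address']:#x} freed while thread "
                    f"{reg.thread:#x} may still be executing in it")
    return findings


# Constructed trace mirroring the original post: alloc RWX, write, start thread, free at once.
SAMPLE_TRACE: List[Event] = [
    ("VirtualAllocEx", dict(process=0x1C, address=0x030C0000, size=0x1000, protect=PAGE_EXECUTE_READWRITE)),
    ("WriteProcessMemory", dict(process=0x1C, address=0x030C0000, size=26)),
    ("CreateRemoteThread", dict(process=0x1C, start=0x030C0000, thread=0x2A)),
    ("VirtualFreeEx", dict(process=0x1C, address=0x030C0000)),
]

# Same trace with the fix from post #9: wait on the thread handle before freeing.
FIXED_TRACE: List[Event] = SAMPLE_TRACE[:3] + [
    ("WaitForSingleObject", dict(handle=0x2A, timeout=0xFFFFFFFF)),
    SAMPLE_TRACE[3],
]

# Constructed benign trace: a data write into non-executable memory, no thread started.
BENIGN_TRACE: List[Event] = [
    ("VirtualAllocEx", dict(process=0x1C, address=0x00400000, size=0x1000, protect=PAGE_READWRITE)),
    ("WriteProcessMemory", dict(process=0x1C, address=0x00400000, size=64)),
    ("VirtualFreeEx", dict(process=0x1C, address=0x00400000)),
]

if __name__ == "__main__":
    for name, trace in [("original", SAMPLE_TRACE), ("fixed", FIXED_TRACE), ("benign", BENIGN_TRACE)]:
        print(name, check_trace(trace) or ["no findings"])
```

The injection-pattern finding is the same signal that Sysmon's CreateRemoteThread event (Event ID 8) and most EDR rules key on, and a real monitor would add the source and target process identities to it; the free-before-wait finding is a correctness check on the injector's own lifecycle rather than a detection, included here because it is exactly what the thread's replies #8 and #9 diagnosed.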
#10, 06/18/2011, 12:59
elite*gold: 0 | Join Date: Dec 2010 | Posts: 1,196 | Received Thanks: 682
Yeah, this was my problem.
Now everything works fine.
PacketHack in AutoIt xD