Alternative Create Remote Thread



xedi25
06-23-2014, 12:56 AM
Hi,

I wrote this function 2-3 years ago when I was reverse engineering a piece of malware that used this kind of technique:

This project is an example of creating a remote thread in a process without using WriteProcessMemory like other techniques do. We will drop a DLL named "API32.DLL" to "C:\WINDOWS\" and create a new thread in the process where we want to load the DLL. In the remote process we will execute LoadLibraryA, using CreateRemoteThread, with a pointer to the string API32.DLL as the first parameter.

If you want to know exactly how it works just check the code out.

Example of usage:


#include <windows.h>
#include <stdio.h>
#include <tchar.h>

// SetDebugPrivileges, RemoteLoadLibraryUserland and RemoteFreeLibrary are
// defined in the project source linked at the end of this post.

int _tmain(int argc, _TCHAR* argv[])
{
    //
    // API32.DLL is the DLL we will inject. Why API32.DLL? Because this string is already in EXPLORER.EXE ( Windows XP SP3 ): ADVAPI32.DLL
    //
    // first you must drop your DLL to the right directory, e.g:
    //
    // DropDLL( "C:\\WINDOWS\\API32.DLL" );
    //
    // and later you can run this Code:
    //
    if ( !SetDebugPrivileges() )
        printf( "Warning: NO DEBUG PRIVILEGES!\n" );

    printf( "Userland RemoteLoadLibrary: " );
    if ( RemoteLoadLibraryUserland( L"explorer.exe", "API32.DLL" ) )
    {
        printf( "INJECTED\n" );
        Sleep( 2 * 1000 );

        printf( "Unloading DLL: " );
        if ( RemoteFreeLibrary( L"explorer.exe", L"API32.DLL" ) )
        {
            Sleep( 2 * 1000 );
            printf( "DLL UNLOADED!\n" );
        }
        else
        {
            printf( "FAILED!\n" );
        }
    }
    else
    {
        printf( "FAILED\n" );
    }

    return 0;
}
You can find the whole source at my github account: https://github.com/edix/AlternativeCreateRemoteThread-public
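The trick the post relies on is that the injected DLL's name ("API32.DLL") is the tail of a string the target already holds ("ADVAPI32.DLL"), and that the file is dropped directly into C:\WINDOWS\ rather than system32. Both facts are visible to a defender in the target's module list. The following is an added example written for this page, not code from the post or from the linked project: it takes a list of loaded modules (constructed here; on Windows it would come from Toolhelp or PSAPI enumeration), and flags a module whose base name is a proper suffix of another loaded module's name and which was loaded from the Windows root. The `C:\WINDOWS\` prefix, the `module_t` record and the sample list are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* One loaded-module record, as a defender would obtain it from a module
 * enumeration (Toolhelp/PSAPI on Windows). Plain strings here so the check
 * itself compiles and runs anywhere. (Assumed structure, not a Windows type.) */
typedef struct {
    const char *name;   /* base name, e.g. "ADVAPI32.dll" */
    const char *path;   /* full path the image was loaded from */
} module_t;

/* Case-insensitive comparison of the first n bytes of a and b.
 * Stops early (and matches) if both strings end together. */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
        if (a[i] == '\0')
            return 1;
    }
    return 1;
}

/* 1 if `suffix` is a proper, case-insensitive suffix of `s`. */
static int is_proper_suffix(const char *suffix, const char *s)
{
    size_t ls = strlen(suffix), lt = strlen(s);
    if (ls == 0 || ls >= lt)
        return 0;
    return ieq_n(suffix, s + (lt - ls), ls);
}

/* Indicator 1: the module's name is the tail of another loaded module's name,
 * so a LoadLibraryA argument for it already exists inside the target's own
 * import strings ("API32.DLL" inside "ADVAPI32.dll"). */
int name_is_suffix_of_other_module(const module_t *mods, size_t n, size_t idx)
{
    for (size_t j = 0; j < n; j++)
        if (j != idx && is_proper_suffix(mods[idx].name, mods[j].name))
            return 1;
    return 0;
}

/* Indicator 2: the image sits directly under the Windows directory instead of
 * a subdirectory such as system32. The fixed prefix is an assumption matching
 * the post's drop location; a real tool would read %SystemRoot%. */
int loaded_from_windows_root(const char *path)
{
    static const char prefix[] = "C:\\WINDOWS\\";
    size_t lp = sizeof(prefix) - 1;
    if (strlen(path) <= lp || !ieq_n(path, prefix, lp))
        return 0;
    return strchr(path + lp, '\\') == NULL;   /* no further subdirectory */
}

/* Number of indicators (0..2) that fire for module idx. */
int score_module(const module_t *mods, size_t n, size_t idx)
{
    return name_is_suffix_of_other_module(mods, n, idx)
         + loaded_from_windows_root(mods[idx].path);
}

/* Counts modules where both indicators fire. Either indicator alone is noisy
 * (explorer.exe legitimately lives in the Windows root), so only the
 * combination is reported. */
size_t count_suspicious(const module_t *mods, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (score_module(mods, n, i) == 2)
            hits++;
    return hits;
}

/* Constructed module list resembling an XP-era explorer.exe after the
 * injection the post describes. Not real enumeration output. */
static const module_t sample[] = {
    { "explorer.exe", "C:\\WINDOWS\\explorer.exe" },
    { "ntdll.dll",    "C:\\WINDOWS\\system32\\ntdll.dll" },
    { "kernel32.dll", "C:\\WINDOWS\\system32\\kernel32.dll" },
    { "ADVAPI32.dll", "C:\\WINDOWS\\system32\\ADVAPI32.dll" },
    { "API32.DLL",    "C:\\WINDOWS\\API32.DLL" },
};
#define SAMPLE_COUNT (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (score_module(sample, SAMPLE_COUNT, i) == 2)
            printf("suspicious: %s (%s)\n", sample[i].name, sample[i].path);
    printf("%zu suspicious module(s)\n", count_suspicious(sample, SAMPLE_COUNT));
    return 0;
}
```

Run against the constructed list, only `API32.DLL` is reported: explorer.exe scores 1 (Windows root only) and ADVAPI32.dll scores 0, which is why the check requires both indicators rather than either one. A live version would also compare the on-disk image against the loaded module's signature and record the creating thread's start address, since the post's technique leaves a thread starting at LoadLibraryA.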