Thread: CreateRemoteThread in suspended app problem

Hello everyone. This is my code:

Code:

int main ()
{
     STARTUPINFO si;
     PROCESS_INFORMATION pi;
     char* cl;
     char fileName[]="target.exe";
     ZeroMemory (&si,sizeof(si));
     si.cb=sizeof(si);
     cl=GetCommandLine();
     if (CreateProcess (&fileName,cl,NULL,NULL,FALSE,CREATE_SUSPENDED, NULL,NULL,&si,&pi))
     {
           HANDLE hToken;
           TOKEN_PRIVILEGES tp;
           LUID luid;
            if (!OpenProcessToken(pi.hProcess,TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken))
            {                                           
                return;
            }
            else{
                 if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
                    return;
                  tp.PrivilegeCount = 1;
                  tp.Privileges[0].Luid = luid;
                  tp.Privileges[0].Attributes = 1 ? SE_PRIVILEGE_ENABLED : 0;
                  AdjustTokenPrivileges(hToken,FALSE,&tp,0,0,0);
            }
            LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
            LPVOID RemoteString = (LPVOID)VirtualAllocEx(pi.hProcess,NULL,sizeof(DLL_NAME),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
            WriteProcessMemory(pi.hProcess, (LPVOID)RemoteString,DLL_NAME,sizeof(DLL_NAME), NULL);
            ResumeThread(pi.hThread);
            Sleep(10);//If this is not here, everything goes to hell
            HANDLE hThread = CreateRemoteThread(pi.hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibAddr,(LPVOID)RemoteString,NULL,NULL);
            WaitForSingleObject( hThread, INFINITE );
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
     }
}

The problem is that certain app's crash when I remove the "Sleep(10)" code, not all of them. I'm trying to intercept all the calls to CreateFileA using API hooking by loading my DLL in the target process. It works great until I remove the Sleep part, the thing is, in those 10ms is possible that many calls to CreateFileA are made and I missed them.
The problem is not in my DLL, I can even load a blank DLL and the target program still crashes.
The only thing that comes to mind is that not everything is loaded properly in the target app when I call CreateRemoteThread and that gives me problems. I don't know what to think, I've searched everywhere for people with the same problem and found nothing. I'll be extremely grateful if someone can help me with this. Thanks for your time,


Domingo Guzman

Do your CreateRemoteThread() stuff before resuming the thread.

That's what I was trying to do, but it doesn't work either way. I have the same discussion in another forum. This is taken from there:

Posted by Dreg (Untrusted stranger) [ip info hidden] - Jul 15 2008, 02:08 (UTC-4)
Re: Help with CreateRemoThread on a new process
Hi, while We developed phook [ref.1] We had a similar problem, We solved it with a (beta++) little detector of the process type (GUI or Console):

"
Console type processes can be created with the API CreateProcess and the
flag CREATE_SUSPENDED.

If GUI type processes are opened with the flag CREATE_SUSPENDED may not
work correctly, so they must be created using the APIs:
1.- CreateProcess : Process is created without the flag
CREATE_SUSPENDED.
2.- WaitForInputIdle: Correct load of the process [R.6] is waited for.
3.- SuspendThread : The main thread is suspended.
"

------[ CODE

CreateProcess
(
program_name ,
NULL ,
NULL ,
NULL ,
FALSE ,
CREATE_SUSPENDED | CREATE_NEW_CONSOLE ,
NULL ,
NULL ,
pstart_inf ,
ppro_inf
)

// It is necessary to check the correct creation of the process

if ( WaitForInputIdle( ppro_inf->hProcess, 0 ) == WAIT_FAILED )
// "Console process"
else
// "GUI process"

------[ END CODE

Once the type of process is known, we already know how to create it suspended correctly (see section 2.3).

Note: the method may not always work, in some ocassion a
"Console process" will be detected as "GUI process".

[ref.1] phook - The PEB Hooker
http://phrack.org/issues.html?issue=65&id=10#article

doy2001, I hope that this information is useful for you.

Sincerly, Dreg.
reply to this message

Posted by doy2001 (Untrusted stranger) [ip info hidden] - Jul 15 2008, 16:15 (UTC-4)
Re: Help with CreateRemoThread on a new process
Hi, thanks for the responses.
Dreg, as soon as I read your message I knew you've been in my position before and you know what you're talking about. The thing is, it's not working for me, and besides, I can't afford to have a method that won't work always. So I decided to take another approach, something similar to what buriza said, only I do not need to debug the application. I'm gonna create a code cave in the target using VirtualAllocEx and WriteProcessMemory and then I'll change the eip of the thread by reading and setting the ThreadContext. This method is not restricted to Windows NT and hopefuly it'll work always. Let's see how it goes.
Thanks again for your time, I appreciate it. Regards,


Domingo Guzman

That's very similar to my method. Unfortunately, it doesn't work with GUI apps.
The method I'm using now is working perfectly.
This little tute is very helpful:
http://www.edgeofnowhere.cc/viewtopic.php?p=2483118
Regards,

EDIT: Thanks for the debug privilege clarification!

Domingo Guzman

Originally Posted by doy2001

That's very similar to my method. Unfortunately, it doesn't work with GUI apps.
The method I'm using now is working perfectly.
This little tute is very helpful:
http://www.edgeofnowhere.cc/viewtopic.php?p=2483118
Regards,

EDIT: Thanks for the debug privilege clarification!

Domingo Guzman

Hi Domingo,

Just curious, which method did you end up with? I have the same problem myself: Some applications wont start up. I see them briefly in Sysinternals Process Explorer, but then they go *poof* :-/

Thanks!