Thread: injecting my own thread into the address space of another process - cannot call any f

  1. #1
    Andrew_5342
    Guest

    Question injecting my own thread into the address space of another process - cannot call any f

    Ok, this is a bit tricky to explain. I am writing a small program that is supposed to bypass the outbound detection of a firewall by writing a thread from its own address space to the virtual address space of another process (preferably the browser or the firewall itself) to execute this thread afterwards by calling CreateRemoteThread(). The idea is based on backstealth and consorts but much improved.

    All this works perfectly fine, I can VirtualAllocEx() the memory I need, I
    can get the SE_DEBUG_NAME privilege and finally I WriteProcessMemory() my
    own thread to the process space.


    #include <windows.h>   /* DWORD, WINAPI, LPVOID, LPTHREAD_START_ROUTINE */

    /*
    * If you are curious, these are some macros I use
    * to declare a thread that can be written to a remote
    * process. I basically declare a static function A
    * which is the thread entry and a static function B
    * which will point to the end of function A. To get the
    * size of function A, I merely have to subtract these
    * two function pointers.
    */

    /* Call the thread routine locally (e.g. for testing) with parameter _p. */
    #define THREAD_CALL(_name,_p) _name##_xTStart((LPVOID)_p)

    /* Open the thread body: static DWORD WINAPI <_name>_xTStart(LPVOID lParam) { ... */
    #define THREAD_BEGIN(_name) static DWORD WINAPI _name##_xTStart(LPVOID lParam) {
    /* ... close the body and declare the end marker directly after it. */
    #define THREAD_END(_name) } static void _name##_xTEnd(void) {}
    #define THREAD_FUNC(_name) ((LPTHREAD_START_ROUTINE)_name##_xTStart)
    /* Byte distance between the two markers. 32-bit pointers are assumed, and the
     * compiler/linker must keep _xTEnd directly after _xTStart for this to hold. */
    #define THREAD_SIZEOF(_name) ((DWORD)(((DWORD)_name##_xTEnd)-((DWORD)_name##_xTStart)))

    // ...


    I can also CreateRemoteThread() the remote thread I have copied, everything
    works perfectly fine so far. What is my problem you will ask - the problem
    is that I cannot call any functions from this thread, because the remote
    process will crash due to an access violation.

    Why? If you haven't already guessed it, the other process loads dll's and
    therefore API functions and similar stuff to his own address space and
    probably has completely different addresses for those. Therefore, when the
    chunk of binary data I copied (which represents my thread) tries to


    ; ...
    call 7788F659
    ; ...


    - within the address space of the remote process, then there is nothing to
    call at 7788F659.

    Any ideas or help would be great. Thanks in advance!

  2. #2
    train spotter
    Join Date
    Aug 2001
    Location
    near a computer
    Posts
    3,868
    >>I am writing a small program that is supposed to bypass the outbound detection of a firewall

    Why?

    This may be against the board's rules.
    "Man alone suffers so excruciatingly in the world that he was compelled to invent laughter."
    Friedrich Nietzsche

    "I spent a lot of my money on booze, birds and fast cars......the rest I squandered."
    George Best

    "If you are going through hell....keep going."
    Winston Churchill

  3. #3
    Fordy (&TH of undefined behavior)
    Join Date
    Aug 2001
    Posts
    5,793
    This does look a little suspect IMO........

    It is possible, and people have written good articles on this, and as a hint I'll give you a clue - look for the system dll that's loaded into EVERY process and always at the same virtual address.....then look for a func in that module that has the function prototype needed by CreateRemoteThread (4 bytes return and 4 bytes passed) that will allow you to inject code into the other process....Once you have done this you will bypass the memory problems you have

    As you have stated that your aims are to bypass a firewall I think you should work for it!

  4. #4
    Andrew_5342
    Guest
    I am writing data to the remote process which is needed by the thread.
    The thread needs this data, so I pass it as a parameter, but it appears
    that the address I have (the address of that data) is relative to my
    own process space, and in the remote process it is different.

    I hope I made myself a bit clear. Basically, I allocate memory within
    the address space of the other process, that is, where the process is
    loaded in memory. I write data to this location and obtain the address
    in memory where the data is stored. This address is passed to the
    injected thread, which is in the remote address space as well; however,
    it cannot read from this address in the remote address space. This
    address points to an objectively different location; the address is just
    a number, and it seems to be relative to the address space that you are within.

    And to set your conscience at ease: I am planning to develop a tool such as
    backstealth (http://piorio.supereva.it/backstealth.htm?p) and firehole
    (http://keir.net/firehole.html). These tools are very old.

    It is merely the challenge I am interested in.

  5. #5
    Andrew_5342
    Guest
    Right now we work with CreateRemoteThread. Another approach would be to inject code creating a debug process. The technique is described in this article:

    http://www.microsoft.com/msj/0200/hood/hood0200.aspx

  6. #6
    Andrew_5342
    Guest
    Originally posted by Fordy
    >>It is possible, and people have written good articles on this,

    Got any URLs for me then?

    >>and as a hint I'll give you a clue - look for the system dll that's loaded into EVERY process and always at the same virtual address.....

    kernel32.dll

    >>then look for a func in that module that has the function prototype needed by CreateRemoteThread (4 bytes return and 4 bytes passed) that will allow you to inject code into the other process....Once you have done this you will bypass the memory problems you have

    This might be of some help, yes.

    >>As you have stated that your aims are to bypass a firewall I think you should work for it!

    Hopefully yes... it would be a much improved version of the other similar programs I mentioned... but I am doubting if I should make it freeware and open source or only freeware.

  7. #7
    Andrew_5342
    Guest

    A comment on the fact that I have to work for it.

    I think that is obvious, and I am not asking your help with the entire program,
    I am merely stuck at this part and need some help.
    I have read the board rules and in my opinion there is nothing wrong with this post.

    I have been working on this for 5 days almost non-stop...
    so don't say i did not put any effort into it.

    First we reverse engineered backstealth to see what it did.
    Then we improved the code a lot and now we are debugging
    it and getting it working properly.

  8. #8
    Fordy (&TH of undefined behavior)
    Join Date
    Aug 2001
    Posts
    5,793
    here's a few interesting ideas

    http://www.ddj.com/ftp/2002/2002_11/securtst.txt

    Look at listing 2

  9. #9
    Fordy (&TH of undefined behavior)
    Join Date
    Aug 2001
    Posts
    5,793
    Originally posted by Andrew_5342
    >>A comment on the fact that I have to work for it.
    >>
    >>I think that is obvious, and I am not asking your help with the entire program,
    >>I am merely stuck at this part and need some help.
    >>I have read the board rules and in my opinion there is nothing wrong with this post.
    >>
    >>I have been working on this for 5 days almost non-stop...
    >>so don't say I did not put any effort into it.
    >>
    >>First we reverse engineered backstealth to see what it did.
    >>Then we improved the code a lot and now we are debugging
    >>it and getting it working properly.

    Sorry if I seemed a bit OTT....

    It's just that it's always a worry when people ask these questions....

    Back to the topic....injecting code will be a nightmare as you have already seen...but a dll is a lump of code that can be loaded into a process without worrying about sections and locations and the rest.....so as CreateRemoteThread takes a start func that takes 4 bytes and returns 4, and as LoadLibraryA has the same signature, and as LoadLibraryA will always exist at the same point in every process, it's very easy to use that to load a dll of choice and have your code execute in the DllMain proc of the dll

  10. #10
    Andrew_5342
    Guest
    No sweat, I very much appreciate your help.

  11. #11
    Andrew_5342
    Guest

    We are not merely trying to copy a program such as firehole or backstealth.
    They both use the crude dll method. Our goal is to create a
    better and, most of all, a stand-alone app. Injecting code
    directly would be more elegant.

    An idea: I can remotely access the process heap; perhaps
    the heap addresses are the same....

    I might also be able to use the dll method to load the
    executable. An executable is a module, as well as a dll;
    we can just let the browser load ourselves.

  12. #12
    Fordy (&TH of undefined behavior)
    Join Date
    Aug 2001
    Posts
    5,793


    Inject code if you wish, but it will be harder and less reliable.

    A dll is a good way to do it as all relocations are taken care of, the code is already produced relative to the DATA, IDATA and CONST sections and best of all you can code in any language that can produce a native dll (instead of being restricted to ASM, and then to binary). Also the amount of memory you need to write to the other process space is minimal.

    But it's your choice!
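Both injection patterns discussed in this thread (a copied thread starting in memory that no module backs, as in the first post, and a remote thread started on kernel32!LoadLibraryA, as Fordy suggests) surface as CreateRemoteThread events on a monitored host. As an added example that is not from any poster here, this Python detector runs over constructed Sysmon Event ID 8 records in JSON-lines form; the field names follow Sysmon's schema, while the image paths and addresses are made up.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Constructed sample Sysmon Event ID 8 (CreateRemoteThread) records, one JSON object per
# line. Field names are Sysmon's; every value is invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\Browser\\browser.exe", "StartModule": "C:\\Windows\\System32\\kernel32.dll", "StartFunction": "BaseThreadInitThunk", "StartAddress": "0x7788F659"}
{"EventID": 8, "SourceImage": "C:\\Users\\demo\\injector.exe", "TargetImage": "C:\\Program Files\\Browser\\browser.exe", "StartModule": "", "StartFunction": "", "StartAddress": "0x00B40000"}
{"EventID": 8, "SourceImage": "C:\\Users\\demo\\injector.exe", "TargetImage": "C:\\Program Files\\Firewall\\fw.exe", "StartModule": "C:\\Windows\\System32\\kernel32.dll", "StartFunction": "LoadLibraryA", "StartAddress": "0x7C801D7B"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart", "StartAddress": "0x77A34520"}
"""

# LoadLibrary exports share the start-routine shape CreateRemoteThread expects (one
# pointer-sized argument, one pointer-sized return), which is why they get abused.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def classify(event: dict) -> Optional[str]:
    """Return why a CreateRemoteThread event looks like injection, or None if it does not."""
    if event.get("EventID") != 8:
        return None
    module = event.get("StartModule") or ""
    func = event.get("StartFunction") or ""
    # Pattern 1 (the first post): the new thread starts at an address no loaded module
    # backs, i.e. bytes that were copied in with WriteProcessMemory.
    if module == "":
        return "remote thread starts in unbacked memory (raw code injection)"
    # Pattern 2 (the dll approach): the start routine is a LoadLibrary export, so the
    # thread's single argument is a DLL path the target loads on the caller's behalf.
    if module.lower().endswith("\\kernel32.dll") and func in LOADER_EXPORTS:
        return f"remote thread starts at kernel32!{func} (DLL injection)"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse JSON-lines events; return (source image, target image, reason) per hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason is not None:
            findings.append((ev["SourceImage"], ev["TargetImage"], reason))
    return findings


if __name__ == "__main__":
    for src, dst, why in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{src} -> {dst}: {why}")
```

On the sample data only the two injector.exe events are reported; the csrss.exe and svchost.exe threads start inside kernel32/ntdll at ordinary thread-start routines and pass.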

  13. #13
    Andrew_5342
    Guest
    Yes at the moment we are using the dll. But in the future we hope to improve it.
