Ok, this is a bit tricky to explain. I am writing a small program that is supposed to bypass the outbound detection of a firewall by writing a thread from its own address space to the virtual address space of another process (preferably the browser or the firewall itself) to execute this thread afterwards by calling CreateRemoteThread(). The idea is based on backstealth and consorts but much improved.

All this works perfectly fine, I can VirtualAllocEx() the memory I need, I
can get the SE_DEBUG_NAME privilege and finally I WriteProcessMemory() my
own thread to the process space.


/*
* If you are curious, these are some macros I use
* to declare a thread that can be written to a remote
* process. I basically declare a static function A
* which is the thread entry and a static function B
* which will point to the end of function A. To get the
* size of function A, I merely have to subtract these
* two function pointers.
*/

#define THREAD_CALL(_name,_p) _name##_xTStart((LPVOID)_p)

#define THREAD_BEGIN(_name) static DWORD WINAPI _name##_xTStart(LPVOID lParam) {
#define THREAD_END(_name) } static void _name##_xTEnd (){}
#define THREAD_FUNC(_name) ((LPTHREAD_START_ROUTINE)_name##_xTStart)
#define THREAD_SIZEOF(_name) ((DWORD)(((DWORD)_name##_xTEnd)-((DWORD)_name##_xTStart)))

// ...


I can also CreateRemoteThread() the remote thread I have copied, everything
works perfectly fine so far. What is my problem you will ask - the problem
is that I cannot call any functions from this thread, because the remote
process will crash due to an access violation.

Why? If you haven't already guessed it, the other process loads DLLs and
therefore API functions and similar stuff into its own address space and
probably has completely different addresses for those. Therefore, when the
chunk of binary data I copied (which represents my thread) tries to


; ...
call 7788F659
; ...


- within the address space of the remote process, then there is nothing to
call at 7788F695.

Any ideas or help would be great. Thanks in advance!