CreateRemoteThread
  • CreateRemoteThread

    According to POFFS2 nobody here has ever used or enquired about the CreateRemoteThread call before, but it seems quite fascinating... apparently it's only for NT/2K, but I read in an article that using CreateRemoteThread it was possible to create a thread in a different process and then have it call LoadLibrary() from that thread to load your DLL into that process! That's too cool. Does anybody have any idea how to call this mysterious API? I couldn't find any source on it in the Visual Basic world either, although there is a fair amount of C++ documentation on it.
    Here's the call as according to my PB win32api.inc file:
    Code:
    DECLARE FUNCTION CreateRemoteThread LIB "KERNEL32.DLL" ALIAS "CreateRemoteThread" _
        (BYVAL hProcess AS LONG, lpThreadAttributes AS SECURITY_ATTRIBUTES, _
         BYVAL dwStackSize AS LONG, BYVAL lpStartAddress AS LONG, lpParameter AS ANY, _
         BYVAL dwCreationFlags AS LONG, lpThreadId AS LONG) AS LONG


  • #2
    Wayne,

    Check these links out. Should be enough info.

    http://msdn.microsoft.com/library/ps...thred_8b38.htm
    http://support.microsoft.com/support.../Q246/6/91.ASP

    Cheers,
    Cecil


    [This message has been edited by Cecil Williams (edited June 05, 2001).]



    • #3
      Ok, I think I've got it - this should be starting a thread remotely.

      Code:
      #Compile EXE
      ' Win32 equates used below.
      %SE_PRIVILEGE_ENABLED      = &H2
      %TOKEN_ADJUST_PRIVILEGES   = &H20
      %TOKEN_QUERY               = &H8
      %PROCESS_QUERY_INFORMATION = &H0400
      %INFINITE                  = &HFFFFFFFF     ' was &HFFFF, which is a 65-second timeout, not infinite
      $SE_DEBUG_NAME             = "SeDebugPrivilege"

      Type Luid
          lowpart  As Long
          highpart As Long
      End Type
      Type LUID_AND_ATTRIBUTES
          pLuid      As Luid
          Attributes As Long
      End Type
      ' TOKEN_PRIVILEGES holds its LUID_AND_ATTRIBUTES array inline, not behind a
      ' pointer; one element is enough because only one privilege is adjusted.
      Type TOKEN_PRIVILEGES
          PrivilegeCount As Long
          Privileges     As LUID_AND_ATTRIBUTES
      End Type
      Type SECURITY_ATTRIBUTES
          nLength              As Dword
          lpSecurityDescriptor As Long
          bInheritHandle       As Long
      End Type

      Declare Function GetLastError Lib "KERNEL32.DLL" Alias "GetLastError" () As Long
      Declare Function GetCurrentProcess Lib "KERNEL32.DLL" Alias "GetCurrentProcess" () As Long
      Declare Function OpenProcessToken Lib "ADVAPI32.DLL" Alias "OpenProcessToken" (ByVal ProcessHandle As Long, _
          ByVal DesiredAccess As Long, TokenHandle As Long) As Long
      Declare Function LookupPrivilegeValue Lib "ADVAPI32.DLL" Alias "LookupPrivilegeValueA" _
          (lpSystemName As Asciiz, lpName As Asciiz, lpLuid As Luid) As Long
      Declare Function AdjustTokenPrivileges Lib "ADVAPI32.DLL" Alias "AdjustTokenPrivileges" (ByVal TokenHandle As Long, _
          ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Dword, _
          PreviousState As TOKEN_PRIVILEGES, ReturnLength As Dword) As Long
      Declare Function OpenProcess Lib "KERNEL32.DLL" Alias "OpenProcess" (ByVal dwDesiredAccess As Dword, _
          ByVal bInheritHandle As Long, ByVal dwProcessId As Dword) As Long
      Declare Function WaitForSingleObject Lib "KERNEL32.DLL" Alias "WaitForSingleObject" (ByVal hHandle As Long, _
          ByVal dwMilliseconds As Long) As Long
      Declare Function CloseHandle Lib "KERNEL32.DLL" Alias "CloseHandle" (ByVal hObject As Long) As Long
      Declare Function CreateRemoteThread Lib "KERNEL32.DLL" Alias "CreateRemoteThread" (ByVal hProcess As Long, _
          lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, _
          lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long

      ' Enables SeDebugPrivilege in this process's own token. Returns the
      ' AdjustTokenPrivileges result (non-zero on success). The API also returns
      ' success when the privilege is not held at all, so callers who care should
      ' check GetLastError for ERROR_NOT_ALL_ASSIGNED (1300) afterwards.
      Function GetSeDebugModePrivilege() As Long
          Dim hdlProcessHandle As Long
          Dim hdlTokenHandle   As Long
          Dim tmpLuid          As Luid
          Dim tkp              As TOKEN_PRIVILEGES
          Dim tkpPrevious      As TOKEN_PRIVILEGES
          Dim lBufferNeeded    As Dword
          Dim Res              As Long
          On Error GoTo ErrOcc

          hdlProcessHandle = GetCurrentProcess()
          If OpenProcessToken(hdlProcessHandle, %TOKEN_ADJUST_PRIVILEGES Or %TOKEN_QUERY, hdlTokenHandle) = 0 Then Exit Function
          If LookupPrivilegeValue("", $SE_DEBUG_NAME, tmpLuid) = 0 Then
              CloseHandle hdlTokenHandle
              Exit Function
          End If

          tkp.PrivilegeCount        = 1                     ' One privilege to set
          tkp.Privileges.pLuid      = tmpLuid
          tkp.Privileges.Attributes = %SE_PRIVILEGE_ENABLED
          Res = AdjustTokenPrivileges(hdlTokenHandle, 0, tkp, SizeOf(tkp), tkpPrevious, lBufferNeeded)
          CloseHandle hdlTokenHandle
          Function = Res
          Exit Function
      ErrOcc:
          Function = 0  ' Failed
      End Function

      Function ThreadTest(ByVal x As Long) As Long
          MsgBox "Remote Thread activated!!!"
      End Function

      Function PBMain() As Long
          Dim hProcess      As Long
          Dim hThread       As Long
          Dim ProcessID     As Long
          Dim lpThreadId    As Long
          Dim lpCode        As Long
          Dim secAttributes As SECURITY_ATTRIBUTES

          GetSeDebugModePrivilege      ' Needed to open processes owned by other accounts
          ProcessID = 102              ' Process ID of a known process
          ' NOTE: PROCESS_QUERY_INFORMATION alone is not enough. CreateRemoteThread is
          ' documented to require PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION,
          ' PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ on the handle.
          hProcess = OpenProcess(%PROCESS_QUERY_INFORMATION, 0, ProcessID)
          MsgBox "Process handle = " & Str$(hProcess)
          If hProcess = 0 Then Exit Function

          ' The original waited on the process handle and then used the wait result
          ' as the process handle; the handle from OpenProcess is the one to pass.
          ' CODEPTR(ThreadTest) is an address inside THIS executable's image. In the
          ' target process that address is only meaningful if the same image is mapped
          ' at the same base there; otherwise it points at unrelated memory.
          lpCode  = CodePtr(ThreadTest)
          hThread = CreateRemoteThread(hProcess, secAttributes, 0, lpCode, ByVal 0, 0, lpThreadId)
          MsgBox "CreateRemote = " & Str$(hThread) & $CRLF & _
                 "lpThreadId = " & Str$(lpThreadId) & $CRLF & _
                 "GetLastError = " & Str$(GetLastError())
          If hThread <> 0 Then
              WaitForSingleObject hThread, %INFINITE    ' Wait for the remote thread to finish
              CloseHandle hThread
          End If
          CloseHandle hProcess
      End Function
      Can somebody who knows what they're doing tell me if this is a correct implementation? It seems to be working.


      [This message has been edited by Wayne Diamond (edited June 05, 2001).]
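      The defender's side of what the thread describes, added here as an example (not code from the thread or from PowerBASIC). Sysmon records every cross-process CreateRemoteThread as Event ID 8 and resolves the start address to a module and exported function, so the two shapes discussed above stand out: a remote thread whose entry is LoadLibrary, and one whose start address (like CODEPTR(ThreadTest) in the post) no module in the target backs. Field names follow the Sysmon event schema; the sample records are constructed.

```python
import xml.etree.ElementTree as ET
# Added example, not code from the forum thread: triage Sysmon Event ID 8
# (CreateRemoteThread) records for a thread created in another process whose
# entry is LoadLibrary or whose start address is not backed by any module.
# Field names follow the Sysmon event schema; the sample records are constructed.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>8</EventID></System><EventData><Data Name="SourceProcessId">1204</Data>
<Data Name="SourceImage">C:\\Tools\\injector.exe</Data><Data Name="TargetProcessId">102</Data>
<Data Name="TargetImage">C:\\Windows\\explorer.exe</Data><Data Name="StartAddress">0x77E4E5A0</Data>
<Data Name="StartModule">C:\\Windows\\System32\\kernel32.dll</Data><Data Name="StartFunction">LoadLibraryA</Data></EventData></Event>
<Event><System><EventID>8</EventID></System><EventData><Data Name="SourceProcessId">1204</Data>
<Data Name="SourceImage">C:\\Tools\\injector.exe</Data><Data Name="TargetProcessId">102</Data>
<Data Name="TargetImage">C:\\Windows\\explorer.exe</Data><Data Name="StartAddress">0x00401250</Data>
<Data Name="StartModule"></Data><Data Name="StartFunction"></Data></EventData></Event>
<Event><System><EventID>8</EventID></System><EventData><Data Name="SourceProcessId">612</Data>
<Data Name="SourceImage">C:\\Windows\\System32\\csrss.exe</Data><Data Name="TargetProcessId">2280</Data>
<Data Name="TargetImage">C:\\Windows\\System32\\notepad.exe</Data><Data Name="StartAddress">0x7FFB1A2E0000</Data>
<Data Name="StartModule">C:\\Windows\\System32\\ntdll.dll</Data><Data Name="StartFunction">RtlUserThreadStart</Data></EventData></Event>
</Events>"""

LOADLIBRARY = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

def event_fields(event):
    # Flatten one <Event> (no xmlns, as in the constructed sample) into a dict.
    fields = {"EventID": event.findtext("System/EventID")}
    for data in event.iter("Data"):
        fields[data.get("Name")] = data.text or ""
    return fields

def classify(ev):
    # Reasons an Event ID 8 record looks like code injection; [] if none.
    reasons = []
    if ev.get("EventID") != "8":
        return reasons
    if ev.get("StartFunction", "").lower() in LOADLIBRARY:
        reasons.append("remote thread entry is LoadLibrary (DLL-injection pattern)")
    if not ev.get("StartModule"):
        reasons.append("start address is not backed by any module loaded in the target")
    return reasons

def triage(xml_text):
    # Return (SourceImage, TargetProcessId, reasons) for each suspicious record.
    hits = []
    for event in ET.fromstring(xml_text):
        ev = event_fields(event)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["SourceImage"], int(ev["TargetProcessId"]), reasons))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags the two injector.exe records and leaves the csrss.exe record alone; on real exports from wevtutil the events carry an xmlns, so the tag lookups would need the namespace added.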
