Announcement

Collapse
No announcement yet.

CreateRemoteThread

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Wayne Diamond
    replied
    Ok i think ive got it - this should be starting a thread remotely

    Code:
    #Compile EXE
    %SE_PRIVILEGE_ENABLED_BY_DEFAULT             = &H1
    %SE_PRIVILEGE_ENABLED                        = &H2
    %SE_PRIVILEGE_USED_FOR_ACCESS                = &H80000000
    %PRIVILEGE_SET_ALL_NECESSARY                 = 1
    $SE_DEBUG_NAME = "SeDebugPrivilege"
    %PROCESS_QUERY_INFORMATION = &H0400
    %INFINITE                                    = &HFFFF
    Type LARGE_INTEGER
        lowpart As Long
        highpart As Long
    End Type
    Type Luid
        lowpart As Long
        highpart As Long
    End Type
    Type LUID_AND_ATTRIBUTES
        pLuid As Luid
        Attributes As Long
    End Type
    Type TOKEN_PRIVILEGES
        PrivilegeCount As Long
        Privileges As LUID_AND_ATTRIBUTES Ptr
    End Type
    DECLARE FUNCTION GetLastError LIB "KERNEL32.DLL" ALIAS "GetLastError" () AS LONG
    Declare FUNCTION GetCurrentProcess LIB "KERNEL32.DLL" ALIAS "GetCurrentProcess" () AS LONG
    Declare FUNCTION OpenProcessToken LIB "ADVAPI32.DLL" ALIAS "OpenProcessToken" (BYVAL ProcessHandle AS LONG,_
    BYVAL DesiredAccess AS LONG, TokenHandle AS LONG) AS LONG
    Declare FUNCTION LookupPrivilegeValue LIB "ADVAPI32.DLL" ALIAS _
    "LookupPrivilegeValueA" (lpSystemName AS ASCIIZ, lpName AS ASCIIZ, lpLuid AS LARGE_INTEGER) AS LONG
    Declare FUNCTION AdjustTokenPrivileges LIB "advapi32.dll" ALIAS "AdjustTokenPrivileges" (ByVal TokenHandle As Long,_
    ByVal DisableAllPrivileges As Long,_
    NewState As Token_Privileges,_
    ByVal BufferLength As DWord,_
    PreviousState As TOKEN_PRIVILEGES,_
    ReturnLength As Dword) As Long
    Declare Function OpenProcess LIB "KERNEL32.DLL" Alias "OpenProcess" (ByVal dwDesiredAccess As Dword, ByVal bInheritHandle As Long, ByVal dwProcessId As Dword) As Long
    Declare Function WaitForSingleObject LIB "KERNEL32.DLL" Alias "WaitForSingleObject" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
    Declare Function CloseHandle LIB "KERNEL32.DLL" Alias "CloseHandle" (ByVal hObject As Long) As Long
    
    TYPE SECURITY_ATTRIBUTES
      nLength AS DWORD
      lpSecurityDescriptor AS LONG
      bInheritHandle AS LONG
    END TYPE
    
    DECLARE FUNCTION CreateRemoteThread LIB "KERNEL32.DLL" ALIAS "CreateRemoteThread" (BYVAL hProcess AS LONG, lpThreadAttributes AS SECURITY_ATTRIBUTES, BYVAL dwStackSize AS LONG, BYVAL lpStartAddress AS LONG, lpParameter AS ANY, _
                     BYVAL dwCreationFlags AS LONG, lpThreadId AS LONG) AS LONG
    
    
    Function GetSeDebugModePrivilege() As Long
    Dim LA(4) As LUID_AND_ATTRIBUTES
    Dim LA2(4) As LUID_AND_ATTRIBUTES
    On Error GoTo ErrOcc
        Dim hdlProcessHandle As Long
        Dim hdlTokenHandle As Long
        Dim tmpLuid As LARGE_INTEGER
        Dim tkp As TOKEN_PRIVILEGES
        Dim tkpNewButIgnored As TOKEN_PRIVILEGES
        Dim lBufferNeeded As Dword
        Dim SE_DEBUG_NAME As AsciiZ * 25
        tkp.Privileges = VarPtr(LA(0))
        tkpNewButIgnored.Privileges = VarPtr(LA2(0))
        TOKEN_ADJUST_PRIVILEGES% = &H20
        TOKEN_QUERY% = &H8
        SE_PRIVILEGE_ENABLED% = &H2
        PROCESS_TERMINATE% = &H1
        hdlProcessHandle = GetCurrentProcess()
        OpenProcessToken hdlProcessHandle, (TOKEN_ADJUST_PRIVILEGES% + TOKEN_QUERY%), hdlTokenHandle
        LookupPrivilegeValue "", $SE_DEBUG_NAME, ByVal VarPtr(tmpLuid)
        tkp.PrivilegeCount = 1 ' One privilege to set
        ' Enable the kill privilege in the access token of this process.
        'tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED%
        LSet LA(0) = tmpLuid
        LA(0).Attributes = SE_PRIVILEGE_ENABLED%
        Res& = AdjustTokenPrivileges(hdlTokenHandle, 0, ByVal VarPtr(tkp),_
        4, ByVal VarPtr(tkpNewButIgnored), lBufferNeeded)
        Res2& = GetLastError()
        Function = Res&
        Exit Function
    ErrOcc:
        Function = 0  'Failed
    End Function
    
    FUNCTION ThreadTest(BYVAL x AS LONG) AS LONG
       MSGBOX "Remote Thread activated!!!"
       EXIT FUNCTION
    END FUNCTION
    
    FUNCTION PBMAIN() AS LONG
        GetSeDebugModePrivilege  'Required for CreateRemoteThread
        DIM CreateRemote AS LONG
        DIM CurProcess AS LONG
        DIM secAttributes AS SECURITY_ATTRIBUTES
        DIM lpThreadID AS LONG
        DIM Z&, W&
        DIM ProcessID AS LONG
        ProcessID = 102         'Process ID of a known process
        Z& = OpenProcess(%PROCESS_QUERY_INFORMATION, 0, ProcessID)
        MSGBOX "Process handle = " & STR$(Z&)
        W& = WaitForSingleObject(Z&, %INFINITE)
        CurProcess = W&
        DIM lpCode AS LONG
        lpCode = CODEPTR(ThreadTest)
        CreateRemote = CreateRemoteThread(CurProcess,_
          secAttributes,_
          0,_
          lpCode,_
          BYVAL 0,_
          0,_
          lpThreadId)
        Msgbox "CreateRemote = " & STR$(CreateRemote) & $CRLF & _
               "lpThreadId = " & STR$(lpThreadId)
        W& = CloseHandle(Z&)
        EXIT FUNCTION
    Can somebody who knows what they're doing tell me if this is a correct implementation? It seems to be working


    [This message has been edited by Wayne Diamond (edited June 05, 2001).]

    Leave a comment:


  • Cecil Williams
    Guest replied
    Wayne,

    Check these links out. Should be enough info.

    http://msdn.microsoft.com/library/ps...thred_8b38.htm http://support.microsoft.com/support.../Q246/6/91.ASP

    Cheers,
    Cecil

    ------------------


    [This message has been edited by Cecil Williams (edited June 05, 2001).]

    Leave a comment:


  • Wayne Diamond
    started a topic CreateRemoteThread

    CreateRemoteThread

    According to POFFS2 nobody here has ever used or enquired about the CreateRemoteThread call before, but it seems quite fascinating... apparently it's only for NT/2K, but I read in an article that using by CreateRemoteThread it was possible to create a thread in a different process and then have it call LoadLibrary() from that thread to load your DLL into that process! That's too cool. Does anybody have any idea how to call this mysteriously API? I couldn't find any source on it in the Visual Basic world either, although there is a fair amount of C++ documentation on it
    Here's the call as according to my PB win32api.inc file:
    Code:
    DECLARE FUNCTION CreateRemoteThread LIB "KERNEL32.DLL" ALIAS "CreateRemoteThread" _
        (BYVAL hProcess AS LONG, lpThreadAttributes AS SECURITY_ATTRIBUTES, _
         BYVAL dwStackSize AS LONG, BYVAL lpStartAddress AS LONG, lpParameter AS ANY, _
         BYVAL dwCreationFlags AS LONG, lpThreadId AS LONG) AS LONG

    ------------------
Working...
X