Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows7
Source: Internet | Published: Internet new vocabulary | Editor: 程序博客网 | Time: 2024/06/06 08:19
Contents
- Introduction
- Vista & Session Separation
- About NtCreateThreadEx Function
- Executing Remote Thread into System Process using NtCreateThreadEx.
- Limitations of NtCreateThreadEx Method
- Alternative Techniques
- Conclusion
- References
Introduction

Windows provides an API function, CreateRemoteThread [Reference 2], which allows any process to execute a thread in the context of a remote process. This method has mainly been used to inject a DLL into a remote process, the technique popularly known as 'DLL Injection'. Malware programs in particular have exploited this mechanism to evade detection by injecting their DLL into legitimate processes such as Explorer.exe and Winlogon.exe.
Vista & Session Separation

This DLL Injection technique using CreateRemoteThread worked flawlessly, without any limitation, on every Windows version before Vista. From Vista onwards things changed with the introduction of 'Session Separation' [Reference 3], one of the many defenses introduced in Vista to secure the system. 'Session Separation' ensures that core system processes, including services, always run in session 0 while all user processes run in other sessions. As a result, a process running in a user session can no longer inject a DLL into a system process, because CreateRemoteThread does not work across session boundaries.

This is clearly evident from the MSDN documentation of CreateRemoteThread [Reference 2]:

"Terminal Services isolates each terminal session by design. Therefore, CreateRemoteThread fails if the target process is in a different session than the calling process."

About NtCreateThreadEx Function

With CreateRemoteThread failing across sessions, a universal solution for remote thread execution on the Vista and Windows 7 platform was needed. That solution is NtCreateThreadEx [Reference 1], an undocumented function that executes a remote thread across session boundaries. It allows any process to inject a DLL into any other process, irrespective of the session in which the target runs, as long as the caller has sufficient privileges. Here is the prototype of NtCreateThreadEx (undocumented):

typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)
(
    OUT PHANDLE hThread,
    IN ACCESS_MASK DesiredAccess,
    IN LPVOID ObjectAttributes,
    IN HANDLE ProcessHandle,
    IN LPTHREAD_START_ROUTINE lpStartAddress,
    IN LPVOID lpParameter,
    IN BOOL CreateSuspended,
    IN ULONG StackZeroBits,
    IN ULONG SizeOfStackCommit,
    IN ULONG SizeOfStackReserve,
    OUT LPVOID lpBytesBuffer
);

This function is almost the same as CreateRemoteThread except for the last parameter, which takes an unknown buffer structure. Here is the definition of that buffer structure parameter:

//Buffer argument passed to NtCreateThreadEx function.
//All fields are ULONG-sized, so this layout corresponds to a 32-bit build.
struct NtCreateThreadExBuffer
{
    ULONG Size;        //total size of this structure in bytes
    ULONG Unknown1;
    ULONG Unknown2;
    PULONG Unknown3;
    ULONG Unknown4;
    ULONG Unknown5;
    ULONG Unknown6;
    PULONG Unknown7;
    ULONG Unknown8;
};

This information is derived from reverse engineering work, so the meaning and importance of the internal fields of this buffer structure are not clear.

Executing Remote Thread into System Process using NtCreateThreadEx Function

The steps involved in executing a remote thread using NtCreateThreadEx are almost the same as for CreateRemoteThread. Hence the traditional steps, such as allocating memory and copying the thread code into the remote process, are not repeated here. For detailed steps, refer to the article "Three Ways to Inject Your Code into Another Process" [Reference 4].
Before we begin, we need to load the NtCreateThreadEx function from Ntdll.dll as shown below.

HMODULE modNtDll = GetModuleHandleA("ntdll.dll");
if( !modNtDll )
{
    printf("\n failed to get module handle for ntdll.dll, Error=0x%.8x", GetLastError());
    return;
}

LPFUN_NtCreateThreadEx funNtCreateThreadEx =
    (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx");
if( !funNtCreateThreadEx )
{
    printf("\n failed to get function address from ntdll.dll, Error=0x%.8x", GetLastError());
    return;
}
Now set up the buffer structure that is passed as the last parameter to NtCreateThreadEx.

//setup and initialize the buffer
NtCreateThreadExBuffer ntbuffer;
memset(&ntbuffer, 0, sizeof(NtCreateThreadExBuffer));
DWORD temp1 = 0;
DWORD temp2 = 0;
ntbuffer.Size = sizeof(NtCreateThreadExBuffer);
ntbuffer.Unknown1 = 0x10003;
ntbuffer.Unknown2 = 0x8;
ntbuffer.Unknown3 = &temp2;
ntbuffer.Unknown4 = 0;
ntbuffer.Unknown5 = 0x10004;
ntbuffer.Unknown6 = 4;
ntbuffer.Unknown7 = &temp1;
ntbuffer.Unknown8 = 0;

Finally, execute the remote thread 'pRemoteFunction' in the remote process using NtCreateThreadEx. One can pass the address of 'LoadLibrary' instead of 'pRemoteFunction' as the thread routine to implement the 'DLL Injection' technique.

//NtCreateThreadEx returns an NTSTATUS; success codes are non-negative
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

HANDLE hThread = NULL;
NTSTATUS status = funNtCreateThreadEx(
    &hThread,
    0x1FFFFF,              //desired access: all access
    NULL,
    hProcess,
    (LPTHREAD_START_ROUTINE) pRemoteFunction,
    pRemoteParameter,
    FALSE,                 //start instantly
    0,
    0,
    0,
    &ntbuffer
);

Now check the result of NtCreateThreadEx and then wait for the thread to finish. Because this is a native API, the failure reason is in the returned NTSTATUS rather than in GetLastError.

if( !NT_SUCCESS(status) || hThread == NULL )
{
    printf("\n NtCreateThreadEx failed, status=0x%.8lx", (unsigned long) status);
    return;
}

//Wait for thread to complete....
WaitForSingleObject(hThread, INFINITE);

Finally, retrieve the return value of the remote thread function 'pRemoteFunction' to verify the result of its execution.

//Check the return code from remote thread function
DWORD dwExitCode = 0;
if( GetExitCodeThread(hThread, &dwExitCode) )
{
    printf("\n Remote thread returned with status = %lu", dwExitCode);
}
CloseHandle(hThread);

The steps illustrated above are almost the same as for CreateRemoteThread, except that NtCreateThreadEx is used to create the thread in the context of the remote process.

Limitations of NtCreateThreadEx Method

Though NtCreateThreadEx provides a universal solution for remote thread execution on the Vista/Windows 7 platform, it is risky to use in production code because it is an undocumented function. Since its behaviour may change with new versions and service packs, thorough testing is necessary before putting it into production, especially when injecting code into system-critical processes such as LSASS.EXE and CSRSS.EXE.
Another limitation is that it cannot be used on platforms earlier than Vista, such as Windows XP, because NtCreateThreadEx is only available from Vista onwards. However, developers can easily adapt their code to select at run time between CreateRemoteThread on XP and NtCreateThreadEx on Vista/Windows 7.

Alternative Techniques

Another way to inject a DLL into a system process is to write a service process (which runs in session 0) and have the user process send a command to that service, which then injects the DLL into the target system process using CreateRemoteThread.

This technique works for any system process running in session 0, but it fails to execute a thread in any process running in a session other than 0.

Though it is a clumsy way of doing the work, it remains a good solution for injecting a thread into system processes only.

Conclusion

This article provides a practical implementation of using the NtCreateThreadEx function to execute a remote thread in any process on the Vista/Windows 7 platform. Though it is an undocumented function, it provides a universal solution for executing code in any process across the session boundaries imposed by Vista.
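The defensive counterpart of the technique described in this article: since the MSDN documentation quoted above states that CreateRemoteThread fails across sessions, a remote thread that was successfully created across a session boundary must have come from a native call such as NtCreateThreadEx or from a helper already running in the target's session, and a remote thread in LSASS.EXE, CSRSS.EXE, Winlogon.exe or Explorer.exe is worth examining whichever API created it. The Python script below is an added example, not code from the original article or its author. It evaluates remote-thread-creation events in a constructed, simplified comma-separated format (one event per line) and flags cross-session creation, system-process targets, thread start addresses not backed by any loaded module (the allocate-and-copy pattern the article refers to), and LoadLibrary entry points (the article's DLL Injection variant). The record format, the session ID columns (assumed to have been joined onto each event by the collector), the sample lines and the rule names are all assumptions of this example.

```python
"""Flag suspicious remote-thread creation events (added example, not from the article).

Input is a constructed, simplified CSV with one event per line:
  src_pid,src_image,src_session,dst_pid,dst_image,dst_session,start_module,start_function
The session ID columns are assumed to have been joined onto the event by the
collector; a bare thread-creation event does not normally carry them.
"""
from dataclasses import dataclass
import csv
import io

# Processes the article names as injection targets; a remote thread in any of
# them deserves a look regardless of which API created it.
SYSTEM_CRITICAL = {"lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Thread routine used by classic DLL injection (the article's LoadLibrary variant).
INJECTION_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw"}


@dataclass
class ThreadEvent:
    src_pid: int
    src_image: str
    src_session: int
    dst_pid: int
    dst_image: str
    dst_session: int
    start_module: str      # empty when the start address is not backed by a module
    start_function: str


@dataclass
class Finding:
    rule: str
    severity: str
    event: ThreadEvent


def parse_events(text):
    """Parse the constructed CSV format; lines starting with '#' are comments."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        row = [field.strip() for field in row]
        if len(row) != 8:
            raise ValueError(f"expected 8 fields, got {len(row)}: {row}")
        events.append(ThreadEvent(int(row[0]), row[1], int(row[2]),
                                  int(row[3]), row[4], int(row[5]),
                                  row[6], row[7]))
    return events


def image_name(path):
    """Lower-case file name of a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Apply the detection rules to one event; returns a list of findings."""
    findings = []
    if event.src_pid == event.dst_pid:
        return findings  # a process starting a thread in itself is normal
    # CreateRemoteThread fails across sessions (MSDN), so a remote thread that
    # crossed a session boundary came from a native API such as NtCreateThreadEx
    # or from a helper running in the target's session.
    if event.src_session != event.dst_session:
        findings.append(Finding("cross_session_remote_thread", "high", event))
    if image_name(event.dst_image) in SYSTEM_CRITICAL:
        findings.append(Finding("remote_thread_into_system_process", "high", event))
    # The allocate-and-copy pattern starts the thread in freshly allocated
    # memory that no loaded module backs.
    if not event.start_module:
        findings.append(Finding("start_address_not_module_backed", "medium", event))
    if event.start_function.lower() in INJECTION_ENTRYPOINTS:
        findings.append(Finding("loadlibrary_entrypoint", "medium", event))
    return findings


def analyze(text):
    """Parse the events and return every finding, in input order."""
    return [finding for event in parse_events(text) for finding in evaluate(event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = r"""
# src_pid,src_image,src_session,dst_pid,dst_image,dst_session,start_module,start_function
4120,C:\Users\alice\tool.exe,1,668,C:\Windows\System32\lsass.exe,0,,
4120,C:\Users\alice\tool.exe,1,1864,C:\Windows\explorer.exe,1,C:\Windows\System32\kernel32.dll,LoadLibraryW
2200,C:\Windows\System32\svchost.exe,0,2200,C:\Windows\System32\svchost.exe,0,C:\Windows\System32\ntdll.dll,RtlUserThreadStart
3300,C:\Program Files\Foo\foo.exe,1,3301,C:\Program Files\Foo\helper.exe,1,C:\Windows\System32\kernel32.dll,BaseThreadInitThunk
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        e = f.event
        print(f"[{f.severity}] {f.rule}: {e.src_image} (pid {e.src_pid}, session {e.src_session})"
              f" -> {e.dst_image} (pid {e.dst_pid}, session {e.dst_session})")
```

On the sample data the first event (a user-session process starting a thread in lsass.exe in session 0, at an address backed by no module) triggers three rules, the second (a thread in explorer.exe whose routine is LoadLibraryW) triggers two, and the two control lines trigger none. A real collector would have to supply the session columns itself, for example by looking up each process ID with the documented ProcessIdToSessionId API at event time; the rules themselves are deliberately independent of which API created the thread, because NtCreateThreadEx is undocumented and its use is not observable from the event alone.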
References

1. NtCreateThreadEx Function
2. MSDN Documentation of CreateRemoteThread Function
3. Impact of Session 0 Isolation on Services
4. Three ways to inject code into remote process
5. DLL Injection & Windows 8