Tuts 4 You

CreateRemoteThread 64 bit


0ron


Ok, so I'm messing around with injecting DLLs into other processes. The code I have works perfectly fine on any 32-bit machine but completely blows up on W7 64-bit. If it's compiled for pure 32-bit it works OK, but only with 32-bit programs. I'm getting "CreateRemoteThread exited with error 8". Any ideas?

public unsafe static bool LoadRemoteLibrary(Process process, string Dll2Inject, out IntPtr lpModule)
{
    lpModule = IntPtr.Zero;
    if (!File.Exists(Dll2Inject))
    {
        throw new FileNotFoundException(String.Format("PE File '{0}' not found.", Dll2Inject));
    }

    // DLL path as UTF-16 with an explicit two-byte null terminator, as LoadLibraryW expects
    UnicodeEncoding enc = new UnicodeEncoding();
    byte[] rawdllStr = enc.GetBytes(Dll2Inject);
    byte[] aDllBytes = new byte[rawdllStr.Length + 2];
    rawdllStr.CopyTo(aDllBytes, 0);
    aDllBytes[aDllBytes.Length - 2] = 0;
    aDllBytes[aDllBytes.Length - 1] = 0;

    IntPtr lpLoadAddress = ProcessHelper.GetRemoteAddress(process, "Kernel32.dll", "LoadLibraryW", 0);
    if (lpLoadAddress == IntPtr.Zero)
    {
        throw new Exception("Could not resolve remote address");
    }

    // Allocate memory for the string in the target process
    IntPtr lpDllString = Kernel32.VirtualAllocEx(process.Handle, IntPtr.Zero,
        (uint)aDllBytes.Length, MEM_COMMIT, PAGE_READWRITE);
    if (lpDllString == IntPtr.Zero)
        throw new Exception("VirtualAllocEx failed with error code " + Convert.ToString(Marshal.GetLastWin32Error()) + ".");

    try
    {
        IntPtr bytesWritten;
        fixed (byte* dllRef = aDllBytes)
        {
            if (!Kernel32.WriteProcessMemory(process.Handle, lpDllString, dllRef, new IntPtr(aDllBytes.Length), out bytesWritten))
                throw new Exception("WriteProcessMemory failed with error code " +
                    Convert.ToString(Marshal.GetLastWin32Error()) + ".");
        }

        uint ThreadID = 0;
        IntPtr hRemoteThread = Kernel32.CreateRemoteThread(process.Handle, IntPtr.Zero, IntPtr.Zero, lpLoadAddress,
            lpDllString, CREATE_SUSPENDED, out ThreadID);
        if (hRemoteThread == IntPtr.Zero)
            throw new Exception("CreateRemoteThread failed with error code " +
                Convert.ToString(Marshal.GetLastWin32Error()) + ".");
        ...
Link to comment

1. Does your process have debug privileges?

2. Have you run your process as Administrator so it has elevated privileges?


#include <windows.h>

HANDLE hToken = NULL;
LUID luid;
TOKEN_PRIVILEGES tp;

// Enable SeDebugPrivilege in the current process token; the privilege must
// already be present in the token (i.e. the process runs elevated) for this to work.
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
CloseHandle(hToken);

HR,

Ghandi

Link to comment

Maybe it's a protected process. Try it with calc.exe first.

Try doing like Ghandi suggested as well. Call Process.EnterDebugMode() before injecting.

Greetz,

revert

Link to comment

Try removing the CREATE_SUSPENDED, unless you call ResumeThread on the handle sometime later.

As far as I remember, debug privileges are only needed for calling OpenProcess on a protected (system) process.

Have you checked if process.Handle is valid?

Most likely admin privileges are needed for some process APIs, you might find UAC interfering on top of that.

For some reason, MSDN doesn't explicitly mention which APIs need admin privileges and which don't :|

Link to comment

Thanks for the ideas, but still no success. I already call Process.EnterDebugMode(). I'm running as administrator as well, and it is a 64-bit DLL into a 64-bit process. I'm thinking it's an issue with a pointer or a value I'm passing. I think code 8 is "Not enough memory", correct? And with 8 GB of RAM I know I have enough. OK, just tried it with calc. Works fine, so I guess it's a permissions issue? So any ideas on a fix?

Link to comment

Could you tell me what process you are testing with? PM it to me if you like.

I'll take a closer look.

regards,

revert

I've done a bit more testing. Looks like you can only inject into processes you own. Do you know if there is a way to get the name of the owner of the process?

Link to comment

Hi,

First of all, be careful when you open the target process: the constant PROCESS_ALL_ACCESS has been changed since Vista. I don't know your OS.

Secondly, processes and services run in different sessions since Vista too, so you can only create a remote thread in a process in your own session. In other words, if your loader is a process you can't create a remote thread in a service, only in other processes.

Maybe you can skip this limitation using rootkit techniques, but that is another story; I know that it is possible but I don't know how to do it.

Best Regards,

GUAN

Link to comment
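The two questions left open in this thread are how to find out who owns the target process (asked above after the "processes you own" observation) and how to tell whether the target sits in a different session, as GUAN describes. The following C# program is an added example written for this page, not code from any of the posters; it only queries the target and never writes to it. It opens the process with PROCESS_QUERY_INFORMATION rather than PROCESS_ALL_ACCESS (the constant whose value changed in Vista), reads the owner from the target's token, compares the session IDs of target and caller, and checks for a 32/64-bit mismatch via IsWow64Process. Error code 8 in the first post is ERROR_NOT_ENOUGH_MEMORY; the class name RemoteThreadPreflight and the Target/Problems helpers are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example for this thread (hypothetical helper, not from the original posts).
// Reports why CreateRemoteThread into a given PID is likely to fail on Vista and later:
// different session, different owner, or a 32/64-bit mismatch. It only queries.
public static class RemoteThreadPreflight
{
    // Query rights only; far less than PROCESS_ALL_ACCESS, whose value changed in Vista.
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenUser = 1;   // TOKEN_INFORMATION_CLASS::TokenUser

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ProcessIdToSessionId(uint dwProcessId, out uint pSessionId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint desiredAccess, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass, IntPtr info,
                                           uint infoLength, out uint returnLength);

    public sealed class Target
    {
        public string Owner;
        public uint SessionId;
        public bool Is64Bit;
    }

    // Owner of a token as DOMAIN\user, or the raw SID string if the name cannot be resolved.
    static string TokenOwner(IntPtr hToken)
    {
        uint needed;
        GetTokenInformation(hToken, TokenUser, IntPtr.Zero, 0, out needed); // sizing call
        IntPtr buf = Marshal.AllocHGlobal((int)needed);
        try
        {
            if (!GetTokenInformation(hToken, TokenUser, buf, needed, out needed))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "GetTokenInformation failed");
            // TOKEN_USER begins with SID_AND_ATTRIBUTES, whose first field is the PSID.
            var sid = new SecurityIdentifier(Marshal.ReadIntPtr(buf));
            try { return sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { return sid.Value; }
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    public static Target Inspect(int pid)
    {
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, (uint)pid);
        if (hProcess == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenProcess failed");
        try
        {
            var t = new Target();
            IntPtr hToken;
            if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenProcessToken failed");
            try { t.Owner = TokenOwner(hToken); }
            finally { CloseHandle(hToken); }

            uint session;
            if (!ProcessIdToSessionId((uint)pid, out session))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ProcessIdToSessionId failed");
            t.SessionId = session;

            bool wow64;
            if (!IsWow64Process(hProcess, out wow64))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "IsWow64Process failed");
            t.Is64Bit = Environment.Is64BitOperatingSystem && !wow64;
            return t;
        }
        finally { CloseHandle(hProcess); }
    }

    // Compares the target with the calling process and lists the mismatches discussed in the thread.
    public static List<string> Problems(int pid)
    {
        Target t = Inspect(pid);
        var problems = new List<string>();
        uint mySession;
        ProcessIdToSessionId((uint)Process.GetCurrentProcess().Id, out mySession);
        string me = WindowsIdentity.GetCurrent().Name;

        if (t.SessionId != mySession)
            problems.Add(string.Format("session mismatch: target in session {0}, caller in {1}", t.SessionId, mySession));
        if (!string.Equals(t.Owner, me, StringComparison.OrdinalIgnoreCase))
            problems.Add(string.Format("owner mismatch: target runs as {0}, caller as {1}", t.Owner, me));
        if (t.Is64Bit != Environment.Is64BitProcess)
            problems.Add(string.Format("bitness mismatch: target is {0}, caller is {1}",
                t.Is64Bit ? "64-bit" : "32-bit", Environment.Is64BitProcess ? "64-bit" : "32-bit"));
        return problems;
    }

    public static void Main(string[] args)
    {
        int pid = args.Length > 0 ? int.Parse(args[0]) : Process.GetCurrentProcess().Id;
        List<string> problems = Problems(pid);
        if (problems.Count == 0) Console.WriteLine("no session/owner/bitness obstacle found");
        foreach (string p in problems) Console.WriteLine(p);
    }
}
```

Run it with the target PID as the only argument (compile with /platform:x64 to match the 64-bit case in the thread). A service in session 0 shows up as a session mismatch even when the caller is elevated, which is the limitation GUAN describes; a process started by another user shows up as an owner mismatch, which matches the "only processes you own" observation.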
