Remote Thread and Code Injection

February 6, 2017

There are multiple ways for one process to interfere with another in Windows, and remote threading is one of them. A remote thread gives the injecting process a foothold inside the other process, with access to all of its internals. The Win32 API function CreateRemoteThread creates a thread that runs in the virtual address space of another process. The example below presents source code that uses CreateRemoteThread to inject a DLL into a remote process.

First let us create a small DLL which will be loaded into the remote process. The DLL has one exported function, OpenMessageBox, which opens a message box showing the PID (process ID) of the remote process. This is the source of the injected DLL:

[listing of the win32dll.dll source not captured]

Source code of the DLL and its injector.

Some explanation of the injector code. It is a console application that takes the PID of the remote process as an argument. Its code does the following:

1. Find the addresses of the entry points of LoadLibraryA and FreeLibrary, and the relative offset of OpenMessageBox from the beginning of win32dll.dll. The kernel32 addresses found in the injector are valid in the remote process because system DLLs are mapped at the same base address in every process of the same bitness, and the relative offset of an export is the same wherever the DLL is loaded. The suffix 'A' in LoadLibraryA means it is the ANSI version; if you prefer the Unicode version use LoadLibraryW.

[listing not captured]

2. Then the injector opens the remote process by its PID and allocates memory in it for the name and path of "win32dll.dll":

[listing not captured]

3. Now everything is ready for injecting code and executing it in the remote process's address space. The injector creates three remote threads for this purpose: the first loads win32dll.dll in the remote process, the second opens the message box with the PID of the remote process, and the third unloads win32dll.dll from the remote process.

Here are the executables: a 32-bit version and a 64-bit version. remoteThread.exe and win32dll.dll should be in the same directory. The 32-bit version cannot be used with 64-bit remote processes, and vice versa.

How to use the executable. Open Task Manager and select the PID of some process. Do not use processes that are running under the SYSTEM account; choose a process running under your own user name, because you will start remoteThread.exe under your login and it can only open processes it has access to. If the selected process is a 32-bit application, use the 32-bit version of remoteThread.exe; for a 64-bit process, the 64-bit version of remoteThread.exe must be run. Start remoteThread.exe with the PID of the remote process as the argument, and a message box showing that PID opens:

[screenshot of the message box not captured]

The console output of remoteThread.exe looks like this:

[screenshot of the console output not captured]

How to prove that the message box belongs to the remote process and not to the remoteThread.exe application:

  • Start notepad
  • Open task manager and find notepad PID
  • Start remoteThread.exe using notepad PID as an argument
  • When message box appears close notepad
  • The message box is gone

The second proof:

  • Start notepad
  • Open task manager and find notepad PID
  • Start remoteThread.exe using notepad PID as an argument
  • When message box appears terminate remoteThread.exe using ctrl/C
  • The message box does not close, because it belongs to notepad

The second method has one disadvantage: win32dll.dll is not unloaded from notepad's virtual address space, because the injector was terminated before it could create the third remote thread, the one that calls FreeLibrary.
