How is the CreateThread detection mechanism implemented?

Time:09-17

I am trying to inject shellcode into a certain piece of software and recently ran into a few problems:

My first attempt: I map the shellcode into the target process and create a remote thread in it with CreateRemoteThread to execute the shellcode. I found that before the thread function (threadProc) is executed, its first instruction byte is changed to 0xC3, and only then does the thread function start executing.

My second attempt: again a remote thread, but with the thread function address changed to the address of a function in a normal module of the target process (for example, the address of LoadLibrary). That function runs normally and its first instruction byte is not changed.

My third attempt: first inject a DLL into the target process with CreateRemoteThread + LoadLibrary, then have the DLL call CreateThread to create a local thread that executes the shellcode mapped in beforehand. The first instruction byte of the shellcode is still changed to 0xC3.

Can anyone tell me how this detection mechanism is implemented? Is it at the R3 layer, through some other API that CreateThread calls underneath? I looked at the machine code of CreateThread in the target process and did not find it changed, so an inline hook on CreateThread can be ruled out.


CodePudding user response:

I suspect your thread function address is miscalculated. If the first byte is changed to 0xC3, which is RET, how can the thread function execute at all? Post your shellcode so we can take a look.

CodePudding user response:

Quoting reply #1 by gouyanfen:
I suspect your thread function address is miscalculated. If the first byte is changed to 0xC3, which is RET, how can the thread function execute at all? Post your shellcode so we can take a look.

Hello, it is changed to 0xC3.
Before starting the remote thread I use the CE tool to view the shellcode in the target process, and the code is correct.
Then I start the remote thread and observe the shellcode again; at this point the first instruction byte has been changed to 0xC3, so the thread function simply RETs and ends.
This should be some kind of thread-creation detection, but I don't know its principle; what I am looking at now is a detection mechanism at the R3 layer.

CodePudding user response:

That depends on what your target process is; you can test with an ordinary exe first.

CodePudding user response:

Quoting reply #2 by forchoosen:
Quote: reply #1 by gouyanfen:

I suspect your thread function address is miscalculated. If the first byte is changed to 0xC3, which is RET, how can the thread function execute at all? Post your shellcode so we can take a look.

Hello, it is changed to 0xC3.
Before starting the remote thread I use the CE tool to view the shellcode in the target process, and the code is correct.
Then I start the remote thread and observe the shellcode again; at this point the first instruction byte has been changed to 0xC3, so the thread function simply RETs and ends.
This should be some kind of thread-creation detection, but I don't know its principle; what I am looking at now is a detection mechanism at the R3 layer.

Has it been hooked by some other software? Look at CreateThread first.

CodePudding user response:

Quoting reply #1 by gouyanfen:
I suspect your thread function address is miscalculated. If the first byte is changed to 0xC3, which is RET, how can the thread function execute at all? Post your shellcode so we can take a look.


CodePudding user response:

Quoting reply #4 by gouyanfen:
Quote: reply #2 by forchoosen:

Quote: reply #1 by gouyanfen:

I suspect your thread function address is miscalculated. If the first byte is changed to 0xC3, which is RET, how can the thread function execute at all? Post your shellcode so we can take a look.

Hello, it is changed to 0xC3.
Before starting the remote thread I use the CE tool to view the shellcode in the target process, and the code is correct.
Then I start the remote thread and observe the shellcode again; at this point the first instruction byte has been changed to 0xC3, so the thread function simply RETs and ends.
This should be some kind of thread-creation detection, but I don't know its principle; what I am looking at now is a detection mechanism at the R3 layer.

Has it been hooked by some other software? Look at CreateThread first.


Hello, I compared the machine code of CreateThread and did not find it changed, so inline hooks can be ruled out.
Is there any other possibility?

CodePudding user response:

Quoting reply #3 by gouyanfen:
... That depends on what your target process is; you can test with an ordinary exe first.


Hello, injecting into an ordinary exe works without any problem.

CodePudding user response:

It should be checking CreateRemoteThread.

CodePudding user response:

Quoting reply #8 by gouyanfen:
It should be checking CreateRemoteThread.

I injected a DLL into the target process and had the DLL call CreateThread() to create a local thread that executes the shellcode mapped in beforehand. At the instant the thread function executes the shellcode, its first instruction byte is likewise modified to 0xC3.

So I think both CreateRemoteThread and CreateThread are being detected, but it is unclear at which link the tampering is done.
What possibilities do you think there are? Hardware breakpoints and inline hooks can be ruled out.
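As an added illustration, not from any participant in this thread: the start-address check that a thread-creation monitor commonly applies, which is consistent with all three observations above (a thread whose start address is not backed by any loaded module is treated as injected code, while a thread starting at LoadLibrary inside kernel32 passes, whether created remotely or locally). The module map, process ids, addresses and the event line format are constructed sample data of my own, not the target's or Sysmon's.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    """One loaded image occupying [base, base + size) in the target process."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed module map of a hypothetical 64-bit target process (sample data).
MODULES = [
    Module("target.exe",   0x00007FF610000000, 0x00400000),
    Module("ntdll.dll",    0x00007FFB2D000000, 0x00200000),
    Module("kernel32.dll", 0x00007FFB2C300000, 0x00100000),
]

# Constructed thread-creation events, one per attempt described in the thread:
# remote thread at mapped shellcode, remote thread at an address inside
# kernel32 (the LoadLibrary case), local thread at the shellcode from a DLL.
EVENTS = """\
tid=4120 creator_pid=1337 target_pid=2048 start=0x000001E4A3F10000
tid=4124 creator_pid=1337 target_pid=2048 start=0x00007FFB2C3D4E60
tid=4130 creator_pid=2048 target_pid=2048 start=0x000001E4A3F10000
"""
EVENT_RE = re.compile(
    r"tid=(\d+) creator_pid=(\d+) target_pid=(\d+) start=(0x[0-9A-Fa-f]+)$")

def backing_module(addr: int, modules=MODULES):
    """Return the module whose image range contains addr, or None if unbacked."""
    return next((m for m in modules if m.contains(addr)), None)

def classify(line: str) -> dict:
    """Start-address check for one event. An unbacked start address is what a
    thread-creation monitor treats as injected code, whether the thread was
    created remotely (CreateRemoteThread) or locally (CreateThread)."""
    tid, creator, target, start = EVENT_RE.match(line).groups()
    mod = backing_module(int(start, 16))
    return {
        "tid": int(tid),
        "remote": creator != target,
        "module": mod.name if mod else None,
        "verdict": "unbacked-start" if mod is None else "module-backed",
    }

def scan(text: str = EVENTS) -> list:
    return [classify(l.strip()) for l in text.splitlines() if l.strip()]
```

Which check the target software actually applies is not established in this thread; this is one heuristic that accounts for everything observed so far.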

CodePudding user response:

Quoting reply #9 by forchoosen:
Quote: reply #8 by gouyanfen:

It should be checking CreateRemoteThread.

I injected a DLL into the target process and had the DLL call CreateThread() to create a local thread that executes the shellcode mapped in beforehand. At the instant the thread function executes the shellcode, its first instruction byte is likewise modified to 0xC3.

So I think both CreateRemoteThread and CreateThread are being detected, but it is unclear at which link the tampering is done.
What possibilities do you think there are? Hardware breakpoints and inline hooks can be ruled out.

You already have to run a DLL for the CreateThread anyway, so why still use shellcode?

CodePudding user response:

Quoting reply #10 by gouyanfen:
Quote: reply #9 by forchoosen:

Quote: reply #8 by gouyanfen:

It should be checking CreateRemoteThread.

I injected a DLL into the target process and had the DLL call CreateThread() to create a local thread that executes the shellcode mapped in beforehand. At the instant the thread function executes the shellcode, its first instruction byte is likewise modified to 0xC3.

So I think both CreateRemoteThread and CreateThread are being detected, but it is unclear at which link the tampering is done.
What possibilities do you think there are? Hardware breakpoints and inline hooks can be ruled out.

You already have to run a DLL for the CreateThread anyway, so why still use shellcode?


I want to hide the injected module, so I want to write it in shellcode form.

CodePudding user response:



Quoting reply #11 by forchoosen:
Quote: reply #10 by gouyanfen:

Quote: reply #9 by forchoosen:

Quote: reply #8 by gouyanfen:
