Menu
I need a way to CreateRemoteThread in x64 windows into both 64 and 32 bit processes. I've worked out how to find instruction set of target process, how to allocate memory in the target process for the assembly sled, and I've almost worked out what to do about address space randomization.
I don't know how to actually start the thread on the remote process when it is of the wrong instruction set.
Notice: I don't care which of the two problems you solve. My own exe can be either 32 or 64 bits (but I really do have to choose before I know the number of bits of the target process).
Before somebody complains that I really shouldn't have to do this, ask Microsoft why I have to set FILE_SHARE_DELETE on all open handles before I can delete a file that is in use. No, there's no way around needing to delete files that other process have open either.
797
CreateRemoteThread 32->64 doesn't work.
CreateRemoteThread 64->32 works.
88
The following source code, which performs normal as well as X86->X64 and X64->X86 injection, has all the details you need: https://github.com/OpenWireSec/metasploit/blob/master/external/source/meterpreter/source/common/arch/win/i386/base_inject.c
The short story is that it involves lots of architecture-specific "undocumented" functionality, since you must execute 64-bit code in a 32-bit WoW process to perform X86-X64.
But that code has been working well for many versions of Windows.
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
