CreateRemoteThread 32->64 and/or 64->32

I need a way to CreateRemoteThread in x64 Windows into both 64-bit and 32-bit processes. I've worked out how to find the instruction set of the target process, how to allocate memory in the target process for the assembly sled, and I've almost worked out what to do about address space randomization.

I don't know how to actually start the thread on the remote process when it is of the wrong instruction set.

Notice: I don't care which of the two problems you solve. My own exe can be either 32 or 64 bits (but I really do have to choose before I know the number of bits of the target process).

Before somebody complains that I really shouldn't have to do this, ask Microsoft why I have to set FILE_SHARE_DELETE on all open handles before I can delete a file that is in use. No, there's no way around needing to delete files that other processes have open either.

Joshua Avatar asked Dec 09 '22 22:12

Joshua


2 Answers

CreateRemoteThread 32->64 doesn't work.

CreateRemoteThread 64->32 works.

Joshua Avatar answered Jan 24 '23 01:01

Joshua
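The answer above turns on the bitness of caller and target, and the question mentions having already worked out how to find the target's instruction set. As an added illustration that is not part of this thread (and not the asker's or answerer's code), the following PowerShell script lists each running process with its architecture by calling the documented kernel32 IsWow64Process API. It assumes a 64-bit Windows host (on a 32-bit OS, "native" would mean 32-bit) and a caller with enough rights to open the process; protected and elevated processes are reported as inaccessible rather than failing the whole run.

```powershell
# Added example: per-process architecture inventory via IsWow64Process.
# Not from the original thread; assumes a 64-bit Windows host.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class Wow64Check {
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool IsWow64Process(
        IntPtr hProcess,
        [MarshalAs(UnmanagedType.Bool)] out bool wow64);
}
'@
Add-Type -TypeDefinition $signature

function Get-ProcessArchitecture {
    # Returns 'x86 (WoW64)', 'native (x64 on a 64-bit host)' or 'inaccessible'
    # for a single process id. Hypothetical helper name chosen for this example.
    param([Parameter(Mandatory)][int]$Id)
    try {
        $proc = Get-Process -Id $Id -ErrorAction Stop
        $isWow64 = $false
        # .Handle opens the process; this throws for processes we may not open
        # (protected processes, or SYSTEM processes when not elevated).
        $ok = [Wow64Check]::IsWow64Process($proc.Handle, [ref]$isWow64)
        if (-not $ok) {
            $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "IsWow64Process failed with Win32 error $code"
        }
        if ($isWow64) { 'x86 (WoW64)' } else { 'native (x64 on a 64-bit host)' }
    } catch {
        'inaccessible'
    }
}

function Get-ProcessArchitectureTable {
    # Inventory of every visible process, including the architecture of the
    # PowerShell host itself so the caller/target relationship is explicit.
    $self = $PID
    Get-Process | Sort-Object Id | ForEach-Object {
        [pscustomobject]@{
            Id           = $_.Id
            Name         = $_.ProcessName
            Architecture = Get-ProcessArchitecture -Id $_.Id
            IsThisHost   = ($_.Id -eq $self)
        }
    }
}

# Usage: print the table, then summarise how many processes fall on each
# side of the 32/64 boundary that the answers in this thread refer to.
$table = Get-ProcessArchitectureTable
$table | Format-Table -AutoSize
$table | Group-Object Architecture | Select-Object Name, Count | Format-Table -AutoSize
```

Run the script from both a 64-bit and a 32-bit PowerShell host (for example the one under SysWOW64) and compare the `IsThisHost` row against the rest: the same process inventory is returned either way, but the host's own row shows which side of the WoW64 boundary the caller sits on, which is exactly the distinction behind "32->64 doesn't work, 64->32 works".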


The following source code, which performs normal as well as X86->X64 and X64->X86 injection, has all the details you need: https://github.com/OpenWireSec/metasploit/blob/master/external/source/meterpreter/source/common/arch/win/i386/base_inject.c

The short story is that it involves lots of architecture-specific "undocumented" functionality, since you must execute 64-bit code in a 32-bit WoW process to perform X86->X64.

But that code has been working well for many versions of Windows.

Matt Avatar answered Jan 23 '23 23:01

Matt