
Support remote thread execution?

Open VoldeSec opened this issue 2 years ago • 8 comments

Let's say I inject the shellcode into a remote process DLL. May I know if I can execute it using CreateRemoteThread? I tried, but the remote process crashed immediately. Thanks!

VoldeSec avatar Mar 19 '23 04:03 VoldeSec

Hi @VoldeSec! First of all I need to know more details to investigate what could possibly have caused it.

  • Did your converted shellcode work when you tried to run it with the runshc32/64 application?
  • What did you use for making the injection? Did you try injector32/64 from the package? BTW, it uses CreateRemoteThread: https://github.com/hasherezade/pe_to_shellcode/blob/0f606929eac1530a4fb39b9494a0d46f4c73eaed/injector/main.cpp#L47
  • What flags were set on the process into which you tried the injection?
  • Are you 100% sure that the process and the payload had the same bitness?

hasherezade avatar Mar 20 '23 14:03 hasherezade

Thanks @hasherezade,

  1. Yes, I tried with runshc and it works perfectly fine.
  2. I am trying module stomping, referring to your other project "module_overloading" (I already got rid of CFG). I will take a look at the injector and compare the differences.
  3. I am using the same flag as you above and pass the implant entrypoint as the LPTHREAD_START_ROUTINE. But the process still failed to execute and crashed. Do I
  4. I already checked the memory and the payload has the exact same bitness as the target process, e.g. calc.exe. Thank you again for your prompt response!

VoldeSec avatar Mar 20 '23 16:03 VoldeSec

@VoldeSec - does it work if you try to inject the same shellcode into the same process, but using injector32/64 (from the pe2shc release package)?

hasherezade avatar Mar 20 '23 16:03 hasherezade

@hasherezade Yes, it works when using the injector to inject (e.g. calc.exe and other PEs converted to an output file for the PoC) into the remote process (i.e. cmd.exe).

VoldeSec avatar Mar 20 '23 16:03 VoldeSec

I see, so if the shellcode works, and it can be injected with the original injector, then it seems to be a problem with your replacement injector. BTW, using the module_overloading method for shellcode injection sounds odd, but I will need to analyze your code to really know what happens there.

hasherezade avatar Mar 20 '23 17:03 hasherezade

I have invited you on Wire for further discussion. I would be glad if you have time to give recommendations on the code. Thanks!

VoldeSec avatar Mar 20 '23 17:03 VoldeSec

OK, I accepted your invite. Let's talk on Wire.

hasherezade avatar Mar 20 '23 21:03 hasherezade

Dormant remote thread

bird00101011 avatar Jun 14 '24 09:06 bird00101011