Regarding CreateRemoteThread
-
Hi I am trying create a remote thread using ::CreateRemoteThread API. I am able to open the remote process (with PROCESS_ALL_ACCESS), and allocate the memory and write the function code successfully. But, when i try to create remote thread, the remote process is crashing. Pls give some points, where it may go wrong?
-
Hi I am trying create a remote thread using ::CreateRemoteThread API. I am able to open the remote process (with PROCESS_ALL_ACCESS), and allocate the memory and write the function code successfully. But, when i try to create remote thread, the remote process is crashing. Pls give some points, where it may go wrong?
ramana.g wrote:
Pls give some points, where it may go wrong?
I have no experience with that API, but here is something they hid in the documentation: Note that CreateRemoteThread may succeed even if lpStartAddress points to data, code, or is not accessible. If the start address is invalid when the thread runs, an exception occurs, and the thread terminates. Thread termination due to a invalid start address is handled as an error exit for the thread's process.
-
ramana.g wrote:
Pls give some points, where it may go wrong?
I have no experience with that API, but here is something they hid in the documentation: Note that CreateRemoteThread may succeed even if lpStartAddress points to data, code, or is not accessible. If the start address is invalid when the thread runs, an exception occurs, and the thread terminates. Thread termination due to a invalid start address is handled as an error exit for the thread's process.
In other words they do no checking whatsoever on the start address parameter. When the remote thread starts the infrastructure will use a CALL instruction to call the supplied start address, and if you're lucky the processor will generate a page fault hardware exception straight away. The OS will turn that into an access violation exception since there's no suitable page mapping, it'll go looking for an exception handler, not find one, and call the process's unhandled exception filter. Typically that will kill the process. If unlucky your address will point to some data and it'll run for a while before it encounters a bit pattern not matching a valid instruction, or the data being interpreted as code tries to touch invalid memory, or it trashes some other pointer in the real program code which causes a crash. It's very difficult to examine a pointer to determine whether it really points to valid code, simply because the range of valid instructions is so vast. A human might be able to spot that the sequence of instructions doesn't make sense and deduce that it's really data, but building in a complete heuristic engine to work that out is not worthwhile.
DoEvents: Generating unexpected recursion since 1991 -
In other words they do no checking whatsoever on the start address parameter. When the remote thread starts the infrastructure will use a CALL instruction to call the supplied start address, and if you're lucky the processor will generate a page fault hardware exception straight away. The OS will turn that into an access violation exception since there's no suitable page mapping, it'll go looking for an exception handler, not find one, and call the process's unhandled exception filter. Typically that will kill the process. If unlucky your address will point to some data and it'll run for a while before it encounters a bit pattern not matching a valid instruction, or the data being interpreted as code tries to touch invalid memory, or it trashes some other pointer in the real program code which causes a crash. It's very difficult to examine a pointer to determine whether it really points to valid code, simply because the range of valid instructions is so vast. A human might be able to spot that the sequence of instructions doesn't make sense and deduce that it's really data, but building in a complete heuristic engine to work that out is not worthwhile.
DoEvents: Generating unexpected recursion since 1991 -
Hi I am trying create a remote thread using ::CreateRemoteThread API. I am able to open the remote process (with PROCESS_ALL_ACCESS), and allocate the memory and write the function code successfully. But, when i try to create remote thread, the remote process is crashing. Pls give some points, where it may go wrong?
ramana.g wrote:
the remote process is crashing
How? Where? You must provide details of the crash! We're no psychic!
Steve