A brief on using CreateRemoteThread

2004-12-14   gr1x(c)

In "Programming Applications for Microsoft Windows 4th", Jeffery Richter used Remote Threads to inject a dll into another process's address space. He tansfered LoadLibrary's address into remote thread and let remote thread to load a dll we wrote(may be a trojan dll :-) ), As we create that thread ourselves, we cann't count on the compiler&linker has prepared the referenced functions' addresses well in the remote process's import section's thunk area(refer PE format specification), which means we have to get every function address we'll use in remote thread within the injected process address space,  Jeffery told us to use GetProcAddress, howerver what GetProcAddress returns is just the address of function within our own process address space, how can we make sure that address will stay the same with remote process? Jeffery said that “Kernel32.dll is mapped to the same memory location in both the local and the remote processes' address spaces”,why same? I think as for efficiency consideration(relocation is a horrible process), Microsoft may has ran Rebase on all the operating system-supplied files before shipping Windows or has allocated a non-overlapped prefered address for these system-supplied fils so that none of the operating system modules overlap once mapping them all into a single address space, so now we can count on that majority of system functions' memory location would be the same. 

To make this explaination simple, think that if we've wrote a dll, and we're sure the remote process and our own process all have loaded that dll in same memory location, surely we  can play this magic trick. Luckily , nearly every process will load kernle32.dll and user32.dll,isn't it a great relief:) Just think about the tedious work in virous for searching the base address of kernel32.dll  and its export section for function GetProcAddress's address. A interesting question arises, why does virous have to do that awful work,why don't use the above talking attribute? Personally, I think firstly Windows version varries so function memory location varies; Second,Virus code are normally injected into EXE files and changes the entry point to point to itself so virus can start running before original EXE's code, it doesn't have the  luxurios environment as we are now: tow running process in the same host, one for injecting and one being injected, as it doesn't know anything about the infected host. Anyway, some early virus just hardcoded the function address in code so they are not portable accross different platform.(Here, I must declare I know little about virus, just correct me if I'm wrong). 

Sorry, just run such far away from the topic, following is the code snippet which create a remote thread to pop a messagebox periodlly:

1. // zombie.cpp :
2. // Usage: Zombie(szMessage,szTitle);
3. #include "zombie.h"
4. #pragma comment(lib, "Psapi.lib")
6. #define UNICODE
7. #define _UNICODE
8. #define _RemoteProcess                   
9. typedef struct _remoteparameter
10. {
11.  DWORD       _OututDebugstring;
12.  DWORD       _Sleep;
13.  DWORD       _MessageBox;
14.  TCHAR       szMessage[100];
15.  TCHAR       szTitle[20];
16.  TCHAR       szMessageBoxError[30];
17.  TCHAR       szDebugEnterRemote[30];
18.  TCHAR       szDebugExitRemote[30];  
19. }REMOTEPARAMETER, *PREMOTEPARAMETER;
21. TCHAR szModuleName[MAX_PATH];
24. DWORD Process2ID(TCHAR *);
25. DWORD WINAPI RemoteThread(LPVOID);
26. BOOL   Zombie(TCHAR * szMessage,TCHAR * szTitle)
27. {
28.  MessageBox(NULL,szMessage,szTitle,MB_OK);
29.  GetModuleFileName(NULL,szModuleName,MAX_PATH);
30.  MessageBox(NULL,szModuleName,"Module",MB_OK);
31.  HANDLE            RThread;
32.  HANDLE            RemoteModuleHandle;
33.  TCHAR             RemoteModuleName[2][15];
34.  TCHAR             *RemotePageBaseAddr;
35.  TCHAR             *RemoteParaBaseAddr;
36.  DWORD             RemotePID;
37.  int               nPageSize;
38.  int               signal;
39.  HINSTANCE         hKernel32,hUser32;
40.  REMOTEPARAMETER   remotepara;
42.  _tcscpy(RemoteModuleName[0],_T("Explorer.exe"));
43.  _tcscpy(RemoteModuleName[1],_T("Taskmgr.exe"));
44.  signal=1;
45.  while(1)
46.  {
47.   RemotePID=Process2ID(RemoteModuleName[(++signal)%2]);
48.   if(RemotePID==-1)
49.   {
50.    return NULL;
51.   }
52.   else if(RemotePID==0)
53.   {
54.    if(signal%2==0)
55.    {
56.     OutputDebugString(_T("Remote Process Explorer isn't running/n"));
57.    }
58.    else
59.    {
60.     OutputDebugString(_T("Remote Process Taskmgr isn't running/n"));
61.    }
62.    Sleep(1000);
63.    continue;
64.   }
65.   RemoteModuleHandle=OpenProcess(PROCESS_CREATE_THREAD |    
66.    PROCESS_VM_OPERATION  |    
67.    PROCESS_VM_WRITE,          
68.    FALSE,RemotePID);
69.   if(RemoteModuleHandle==NULL)
70.   {
71.    Sleep(1000);
72.    continue;
73.   }
74.   else
75.   {
76.    break;
77.   }
78.  }
80.  nPageSize=sizeof(TCHAR)*4*1024;
81.  RemotePageBaseAddr=(PTSTR)VirtualAllocEx(RemoteModuleHandle,NULL,nPageSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
82.  if(RemotePageBaseAddr==NULL)
83.  {
84.   OutputDebugString(_T("VirtualAllocEx for Thread Error/n"));
85.   CloseHandle(RemoteModuleHandle);      
86.   return NULL;
87.  }
88.  if(WriteProcessMemory(RemoteModuleHandle,RemotePageBaseAddr,(LPVOID)RemoteThread,nPageSize,NULL)==FALSE)
89.  {
90.   OutputDebugString(_T("WriteProcessMemory for Thread Error/n"));
91.   CloseHandle(RemoteModuleHandle);
92.   return NULL;
93.  }
94.  memset(&remotepara,0,sizeof(remotepara));
95.  _tcscpy(remotepara.szDebugEnterRemote,_T("Hello,Magic World!/n"));
96.  _tcscpy(remotepara.szMessageBoxError,_T("MessageBox() Error/n"));
97.  _tcscpy(remotepara.szDebugExitRemote,_T("Bye,Cruel World!/n"));
98.  _tcscpy(remotepara.szMessageBoxError,_T("Sleep() Error/n"));
99.  _tcscpy(remotepara.szMessage,szMessage);
100.  _tcscpy(remotepara.szTitle,szTitle);
101.  hKernel32=GetModuleHandle(_T("kernel32.dll"));
102.  hUser32=GetModuleHandle(_T("user32.dll"));
103.  remotepara._OututDebugstring=(DWORD)GetProcAddress(hKernel32,"OutputDebugStringW");
104.  remotepara._MessageBox=(DWORD)GetProcAddress(hUser32,"MessageBoxExA");
105.  remotepara._Sleep=(DWORD)GetProcAddress(hKernel32,"Sleep");
108.  nPageSize=sizeof(TCHAR)*sizeof(remotepara);
109.  RemoteParaBaseAddr=(PTSTR)VirtualAllocEx(RemoteModuleHandle,NULL,nPageSize,MEM_COMMIT,PAGE_READWRITE);
110.  if(RemoteParaBaseAddr==NULL)
111.  {
112.   OutputDebugString(_T("VirtualAllocEx for Parameter Error/n"));
113.   CloseHandle(RemoteModuleHandle);
114.   return NULL;
115.  }
117.  if(WriteProcessMemory(RemoteModuleHandle,RemoteParaBaseAddr,(LPVOID)&remotepara,nPageSize,NULL)==FALSE)
118.  {
119.   OutputDebugString(_T("WriteProcessMemory for Parameter Error:"));
120.   CHAR szBuf[80];
121.   DWORD dw = GetLastError();
122.      sprintf(szBuf, "WriteProcessMemory failed: GetLastError returned %u/n", dw);
123.      MessageBox(NULL, szBuf, "Error", MB_OK);
124.   CloseHandle(RemoteModuleHandle);
125.   return NULL;
126.  }
129.  RThread=CreateRemoteThread(RemoteModuleHandle,NULL,0,(LPTHREAD_START_ROUTINE)RemotePageBaseAddr,(LPVOID)RemoteParaBaseAddr,0,NULL);
130.  if(RThread==NULL)
131.  {
132.   OutputDebugString(_T("CreateRemoteThread Error/n"));
133.   CloseHandle(RemoteModuleHandle);
134.   return NULL;
135.  }
136.  return true;
137. }
139. DWORD Process2ID(TCHAR *processname)
140. {
141.  DWORD    lpidprocesses[1024],cbneeded,cprocesses;
142.  HANDLE   hprocess;
143.  HMODULE  hmodule;
144.  UINT     i;
145.  TCHAR    normalname[MAX_PATH]=_T("UnknownProcess");
147.  if(!EnumProcesses(lpidprocesses,sizeof(lpidprocesses),&cbneeded))
148.  {
149.   OutputDebugString(_T("EnumProcesses Error/n"));
150.   return -1; 
151.  }
152.  cprocesses=cbneeded/sizeof(DWORD);
153.  for(i=0;i<cprocesses;i++)
154.  {
155.   hprocess=OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,lpidprocesses[i]);
156.   if(hprocess)
157.   {
158.    if(EnumProcessModules(hprocess,&hmodule,sizeof(hmodule),&cbneeded))
159.    {
160.     GetModuleBaseName(hprocess,hmodule,normalname,sizeof(normalname));
161.     if(!_tcsicmp(normalname,processname)) 
162.     {
163.      CloseHandle(hprocess);
164.      return (lpidprocesses[i]);
165.     }
166.    }
167.   }
169.  }
170.  CloseHandle(hprocess);
171.  return 0;
172. }
175. DWORD WINAPI RemoteThread(LPVOID pvparam)
176. {
177.  PREMOTEPARAMETER pRemotePara=(PREMOTEPARAMETER)pvparam;
178.  int errorcode;
179.  typedef VOID   (WINAPI *OUTPUTDEBUGSTRING)(LPCTSTR);
180.  typedef VOID (WINAPI *SLEEP)(DWORD);
181.  typedef int (WINAPI *MESSAGEBOX)(HWND,LPCTSTR,LPCTSTR,UINT,WORD);
182.  OUTPUTDEBUGSTRING   _OutputDebugString;
183.  SLEEP         _Sleep;
184.  MESSAGEBOX _MessageBox;
186.  _OutputDebugString=(OUTPUTDEBUGSTRING)pRemotePara->_OututDebugstring;
187.  _Sleep=(SLEEP)pRemotePara->_Sleep;
188.  _MessageBox=(MESSAGEBOX)pRemotePara->_MessageBox;
190.  _OutputDebugString(pRemotePara->szDebugEnterRemote);
191.  while(1)
192.  {
193.   errorcode=_MessageBox(NULL,pRemotePara->szMessage,pRemotePara->szTitle,MB_ICONWARNING,0);
194.   if(errorcode==0)
195.   {
196.    _OutputDebugString(pRemotePara->szMessageBoxError);
197.    return -1;
198.   }
199.   _Sleep(1000*10);
200.  }
201.  return 0;
202. }