Using function 'RhCreateStealthRemoteThread' to inject a DLL failed. #159

Closed
slivermeteor opened this Issue Dec 9, 2016 · 7 comments

slivermeteor commented Dec 9, 2016

Recently, I have been studying EasyHook to install a remote hook using EasyHook with C++.
But when I complete the function 'RhCreateStealthRemoteThread' and try to use it to install a remote hook, I find it can't work correctly. So I used WinDbg to debug the function. In the file 'HookSpecific_x64.asm', I find a bug in the function 'StealthStub_ASM_x64'.
[image]
I think it should use rbx to replace ebx.

spazzarama commented Dec 11, 2016

@slivermeteor did you have a chance to test that change? Did it work correctly for 64-bit targets?

slivermeteor commented Dec 12, 2016

slivermeteor commented Dec 15, 2016

@spazzarama hello, do you still pay attention to this issue? I have tried to use the EasyHook original code to compile EasyHook64.dll, then tried to use it to install a remote hook. On Win7 64-bit hooking 64-bit targets, although 'NativeInjectionEntryPoint' can be called successfully, the target will crash when it comes back to the old rip. On Win10 64-bit, it will crash in 'WaitForSingleObject' in the 'StealthStub_ASM_x64' proc. So I think it is a bug in EasyHook.

slivermeteor commented Dec 15, 2016

Hi, I have fixed the problem. In the 'StealthStub_ASM_x64' function, when it calls CreateThread, because of fastcall, we need to pass the last two parameters using push.
[image]
But the problem with this: 'mov qword ptr [rsp + 32], 0' this asm code overwrites the old rsp value!!!
So when we go back to the old eip, when it uses pop or any other asm code that tries to get data from the stack, its data has been written to zero because of our erroneous operation.
I have changed the asm code and added two member variables to save the old stack data.
[image]
[image]
It works correctly on both win7x64 and win10x64 for a 64-bit target.
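As an added illustration (written for this thread, not code from EasyHook or from either participant), the following C program models the stack rule behind the bug described above: on Windows x64 the caller owns a 32-byte shadow area at [rsp], and the fifth and sixth arguments of a call live at [rsp+32] and [rsp+40]. If a stub has pushed saved thread state and then writes those argument slots without first reserving outgoing space, the writes alias the pushed values. The push order of the saved context (RIP, RSP, then four preserved registers) is constructed so that the original RSP lands at [rsp+32], and the corrected variant reserves the outgoing area with `sub rsp, N` rather than moving the values into member variables as the committed fix did; both choices are assumptions of this example, not EasyHook's layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows x64 calling convention rules used by this model: the caller
   provides 32 bytes of shadow space at [rsp]; zero-based argument i >= 4
   is stored at [rsp + 32 + 8*(i-4)] before the call. */
#define SHADOW_BYTES 32

/* Bytes a caller must reserve for an nargs-argument call, rounded up so
   rsp stays 16-byte aligned at the call (assumes rsp is aligned first). */
size_t win64_outgoing_bytes(unsigned nargs)
{
    size_t total = SHADOW_BYTES + (nargs > 4 ? (nargs - 4) * 8u : 0u);
    if (total % 16) total += 16 - total % 16;
    return total;
}

/* Minimal downward-growing stack simulator; sp indexes the current top. */
#define STACK_BYTES 256
typedef struct { uint8_t mem[STACK_BYTES]; size_t sp; } sim_stack;

static void     stack_init(sim_stack *s) { memset(s->mem, 0xCC, STACK_BYTES); s->sp = STACK_BYTES; }
static void     push64(sim_stack *s, uint64_t v) { s->sp -= 8; memcpy(&s->mem[s->sp], &v, 8); }
static uint64_t pop64(sim_stack *s) { uint64_t v; memcpy(&v, &s->mem[s->sp], 8); s->sp += 8; return v; }
static void     store64(sim_stack *s, size_t off, uint64_t v) { memcpy(&s->mem[s->sp + off], &v, 8); }

/* Saved context the stub pushes (constructed order: RIP, RSP, then four
   preserved registers, so the saved RSP sits at [rsp+32] afterwards). */
typedef struct { uint64_t rip, rsp, rbx, rbp, rsi, rdi; } saved_ctx;

static void push_ctx(sim_stack *s, const saved_ctx *c)
{
    push64(s, c->rip); push64(s, c->rsp); push64(s, c->rbx);
    push64(s, c->rbp); push64(s, c->rsi); push64(s, c->rdi);
}
static void pop_ctx(sim_stack *s, saved_ctx *c)
{
    c->rdi = pop64(s); c->rsi = pop64(s); c->rbp = pop64(s);
    c->rbx = pop64(s); c->rsp = pop64(s); c->rip = pop64(s);
}

/* Fifth and sixth arguments of a six-argument call (CreateThread shape:
   dwCreationFlags = 0 and an lpThreadId pointer), stored as the issue
   describes, directly at [rsp+32] and [rsp+40]. */
static void store_args_5_and_6(sim_stack *s, uint64_t arg5, uint64_t arg6)
{
    store64(s, 32, arg5);
    store64(s, 40, arg6);
}

/* Buggy stub: no outgoing space reserved, so the argument slots alias
   the pushed RSP and RIP and the restored context is corrupted. */
saved_ctx stub_unreserved(saved_ctx in, uint64_t arg5, uint64_t arg6)
{
    sim_stack s; saved_ctx out;
    stack_init(&s);
    push_ctx(&s, &in);
    store_args_5_and_6(&s, arg5, arg6);   /* the call itself is not modelled */
    pop_ctx(&s, &out);
    return out;
}

/* Corrected stub: reserve the outgoing area (sub rsp, N), store the
   arguments into that fresh area, release it (add rsp, N), then restore. */
saved_ctx stub_reserved(saved_ctx in, uint64_t arg5, uint64_t arg6)
{
    sim_stack s; saved_ctx out;
    size_t n = win64_outgoing_bytes(6);   /* 48 bytes for six arguments */
    stack_init(&s);
    push_ctx(&s, &in);
    s.sp -= n;
    store_args_5_and_6(&s, arg5, arg6);
    s.sp += n;
    pop_ctx(&s, &out);
    return out;
}

/* Constructed sample context; values are arbitrary and only need to be
   recognisable when they survive or are overwritten. */
static const saved_ctx SAMPLE = { 0x7ff600001000ULL, 0xaabbcc00ULL, 1, 2, 3, 4 };

/* 1 if the unreserved stub corrupts both the saved RSP and RIP. */
int unreserved_corrupts_context(void)
{
    saved_ctx out = stub_unreserved(SAMPLE, 0, 0x7ff600002000ULL);
    return out.rsp == 0 && out.rip == 0x7ff600002000ULL;
}

/* 1 if the reserved stub hands back the context unchanged. */
int reserved_preserves_context(void)
{
    saved_ctx out = stub_reserved(SAMPLE, 0, 0x7ff600002000ULL);
    return memcmp(&out, &SAMPLE, sizeof out) == 0;
}

int main(void)
{
    printf("unreserved stub corrupts saved RSP/RIP: %d\n", unreserved_corrupts_context());
    printf("reserved stub preserves context:        %d\n", reserved_preserves_context());
    return 0;
}
```

The same aliasing can be caught at runtime on a real target by comparing the restored RSP against the value recorded before the stub ran; a mismatch there is the symptom the Win7 crash on return to the old rip points at.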

spazzarama commented Dec 16, 2016

@slivermeteor thanks for posting your update. I'll test out your changes here as well.

spazzarama commented Dec 18, 2016

@slivermeteor thanks for your efforts in tracking this one down. I've tested the fix and it seems to work fine here too. Changes are committed to the develop branch.

slivermeteor commented Dec 18, 2016

@spazzarama It's my pleasure that I can make a little contribution to this project. Since this bug was fixed, I will close this issue.
