Use functions 'RhCreateStealthRemoteThread' to inject dll failed. #159

Closed
slivermeteor opened this issue Dec 9, 2016 · 7 comments

@slivermeteor

slivermeteor commented Dec 9, 2016

Recently, I have been studying EasyHook to install a remote hook using EasyHook with C++.
But when I completed the function 'RhCreateStealthRemoteThread' and tried to use it to install a remote hook, I found it can't work correctly. So I used WinDbg to debug the function. In the file 'HookSpecific_x64.asm', I found a bug in the function 'StealthStub_ASM_x64'.
[image]
I think it should use rbx to replace ebx.

@justinstenning
Member

@slivermeteor did you have a chance to test that change? Did it work correctly for 64-bit targets?

@slivermeteor
Author

slivermeteor commented Dec 12, 2016 via email

@slivermeteor
Author

@spazzarama hello, do you still pay attention to this issue? I have tried to use the original EasyHook code to compile Easyhook64.dll, then tried to use it to install a remote hook. On Win7 64-bit hooking a 64-bit target, although 'NativeInjectionEntryPoint' can be called successfully, the target will crash when it comes back to the old rip. On Win10 64-bit, it will crash in 'WaitForSingleObject' in the 'StealthStub_ASM_x64' proc. So I think it is a bug in EasyHook.

@slivermeteor
Author

slivermeteor commented Dec 15, 2016

Hi, I have fixed the problem. In the 'StealthStub_ASM_x64' function, when it calls CreateThread, because of the fastcall convention, we need to pass the last two parameters using push.
[image]
But the problem is this: the asm code 'mov qword ptr [rsp + 32], 0' overwrites the old rsp value!!!
So when we go back to the old eip, when it uses pop or any other asm code that tries to get data from the stack, its data has been written to zero because of our erroneous operation.
I have changed the asm code and added two member variables to save the old stack data.
[image]
[image]
It works correctly on both win7x64 and win10x64 with a 64-bit target.
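The collision described in the comment above comes from the Windows x64 calling convention: the caller must reserve 32 bytes of shadow space below the return address, and the fifth and sixth arguments are written at [rsp+32] and [rsp+40] at the time of the call. If the stub has only pushed its saved state and reserved the shadow space, those two slots are exactly where the pushed values live. The following is an added illustration, not EasyHook's code and not the reporter's patch: it models the stack as a small Python dictionary and compares a layout that reserves only the shadow space with one that also reserves room for the two stack-passed arguments (the reporter's actual fix moves the saved values into member variables instead; the labels, offsets and the 0x1000 starting address are constructed for the model).

```python
"""Model of stack-argument placement under the Windows x64 calling convention.

Constructed example: 8-byte slots are tracked as labelled entries in a dict so the
overlap between pushed state and the slots for arguments 5 and 6 can be observed.
"""

SHADOW_SPACE = 32  # bytes the caller must reserve for the four register arguments


def stack_arg_offset(arg_index):
    """Return the [rsp+N] offset at which argument number arg_index (1-based)
    must be stored at the time of the call. Arguments 1-4 travel in registers."""
    if arg_index < 5:
        raise ValueError("arguments 1-4 are passed in rcx, rdx, r8, r9")
    return SHADOW_SPACE + 8 * (arg_index - 5)


class Stack:
    """Tiny model of a downward-growing stack with labelled 8-byte slots."""

    def __init__(self, top=0x1000):  # constructed starting address
        self.rsp = top
        self.mem = {}

    def push(self, label):
        self.rsp -= 8
        self.mem[self.rsp] = label

    def pop(self):
        value = self.mem.get(self.rsp)
        self.rsp += 8
        return value

    def sub_rsp(self, nbytes):
        self.rsp -= nbytes

    def add_rsp(self, nbytes):
        self.rsp += nbytes

    def store(self, offset, label):
        """mov qword ptr [rsp+offset], label"""
        self.mem[self.rsp + offset] = label


def run_stub(reserve_bytes):
    """Simulate a stub that saves two values on the stack, sets up a six-argument
    call, returns from it and restores the saved values. Returns (rip, rsp) labels
    as they would be read back after the call."""
    s = Stack()
    s.push("saved_rsp")   # original stack pointer, to be restored later
    s.push("saved_rip")   # original instruction pointer, to be jumped back to
    s.sub_rsp(reserve_bytes)
    # Arguments 5 and 6 of the hypothetical six-argument call go on the stack.
    s.store(stack_arg_offset(5), "arg5=0")
    s.store(stack_arg_offset(6), "arg6=NULL")
    # ... call happens here; callee returns ...
    s.add_rsp(reserve_bytes)
    rip = s.pop()
    rsp = s.pop()
    return rip, rsp


def buggy_layout():
    """Only the shadow space is reserved: [rsp+32] and [rsp+40] alias the two
    pushed slots, so the saved values are clobbered by the argument stores."""
    return run_stub(SHADOW_SPACE)


def fixed_layout():
    """Shadow space plus 16 bytes for the two stack-passed arguments: the pushed
    slots sit above the argument area and survive the call."""
    return run_stub(SHADOW_SPACE + 16)


if __name__ == "__main__":
    print("shadow space only :", buggy_layout())
    print("shadow + 2 args   :", fixed_layout())
```

Running the block prints the corrupted pair for the first layout (the restored rip and rsp are the argument values that were stored over them) and the intact pair for the second. The general rule it demonstrates is that any hand-written stub must reserve 32 + 8 * (number of stack-passed arguments) bytes, rounded to keep rsp 16-byte aligned, before it stores arguments relative to rsp.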

@justinstenning
Member

@slivermeteor thanks for posting your update. I'll test out your changes here as well.

@justinstenning
Member

@slivermeteor thanks for your efforts in tracking this one down. I've tested the fix and it seems to work fine here too. Changes are committed to the develop branch.

@slivermeteor
Author

@spazzarama It's my pleasure that I can make a little contribution to this project. Since this bug has been fixed, I will close this issue.
