Exetools - View Single Post - Strange question about CreateRemoteThread

DavidXanatos · #9 06-05-2020, 19:18

Yes I saw that, and it seams to work

Code:

	PROCESS_BASIC_INFORMATION basicInfo;
	if (NT_SUCCESS(NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &basicInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL)) && basicInfo.PebBaseAddress != 0)
	{
		PEB peb;
		NTSTATUS status = ReadProcessMemory(pi.hProcess, basicInfo.PebBaseAddress, &peb, sizeof(PEB), NULL);

		BYTE ProcessParameters[1040];
		status = ReadProcessMemory(pi.hProcess, peb.ProcessParameters, &ProcessParameters, sizeof(ProcessParameters), NULL);

		const int LoaderThreads = 1036; // FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, LoaderThreads);
		*((ULONG*)(ProcessParameters + LoaderThreads)) = 1; // disable parallel loading

		status = WriteProcessMemory(pi.hProcess, peb.ProcessParameters, &ProcessParameters, sizeof(ProcessParameters), NULL);
	}

The Following User Says Thank You to DavidXanatos For This Useful Post:
tonyweb (06-07-2020)