The goal is to load the injection DLL into any process without much prior knowledge about it. The process doesn't get a chance to start WinMain as it's being created with the CREATE_SUSPENDED flag.

My DLL definitely does not cause the thread creation, as when I run CreateRemoteThread with LoadLibraryA and an invalid path the same behavior manifests, minus the thread for my DLL as it terminates instantly.

When I use my DLL in sandboxie (instructed to inject it) it works fine, but sandboxie does not use CreateRemoteThread, it just hijacks the main thread. I would like to use it also without sandboxie, but the simple approach with CREATE_SUSPENDED and CreateRemoteThread seems to have unwanted side-effects.

PS: I also tried calling CreateRemoteThread for the function Sleep with a 10 sec delay, with the same effect: my thread gets created, this time it just waits 10 sec and terminates, but also these strange 3 threads appear. Also tried a mostly clean test VM.

My suspicion is that for whatever reason CreateRemoteThread (or NtCreateThreadEx) ends up triggering something that adds these additional threads.

Last edited by DavidXanatos; 06-05-2020 at 00:53.