Exetools  

#1  06-05-2020, 17:37
DavidXanatos
This LoaderThreads stuff sounds like it's the cause of my issues: https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s/42789684

Let's see if I can do something against it without modifying the registry.
#2  06-05-2020, 18:43
nulli
Quote:
Originally Posted by DavidXanatos
This LoaderThreads stuff sounds like it's the cause of my issues: https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s/42789684

Let's see if I can do something against it without modifying the registry.
I already mentioned another option that doesn't involve the registry in my post:
"You could also set the value in the targets PEB (untested):
PEB.ProcessParameters.LoaderThreads = 1"
#3  06-05-2020, 19:18
DavidXanatos
Yes, I saw that, and it seems to work

Code:
	// Assumes pi comes from CreateProcess(..., CREATE_SUSPENDED, ...): the loader reads
	// LoaderThreads while initialising the process, so the write has to land before the
	// initial thread is resumed. NtQueryInformationProcess comes from ntdll (link ntdll.lib
	// or resolve it with GetProcAddress).
	PROCESS_BASIC_INFORMATION basicInfo;
	if (NT_SUCCESS(NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &basicInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL)) && basicInfo.PebBaseAddress != 0)
	{
		PEB peb;
		// ReadProcessMemory/WriteProcessMemory return BOOL, not NTSTATUS
		BOOL ok = ReadProcessMemory(pi.hProcess, basicInfo.PebBaseAddress, &peb, sizeof(PEB), NULL);

		BYTE ProcessParameters[1040];
		if (ok)
			ok = ReadProcessMemory(pi.hProcess, peb.ProcessParameters, ProcessParameters, sizeof(ProcessParameters), NULL);

		// FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, LoaderThreads) on x64 is 0x40C = 1036;
		// hardcoded because winternl.h's RTL_USER_PROCESS_PARAMETERS does not declare the field.
		// The offset differs for a 32-bit target.
		const int LoaderThreads = 1036;
		if (ok)
		{
			*((ULONG*)(ProcessParameters + LoaderThreads)) = 1; // disable parallel loading
			ok = WriteProcessMemory(pi.hProcess, peb.ProcessParameters, ProcessParameters, sizeof(ProcessParameters), NULL);
		}
	}
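A fuller version of the approach in the two posts above, added here as an example and not code from the thread or from its author: it launches the target suspended, sets LoaderThreads = 1 through the PEB as nulli suggested, writes back only that one field rather than the whole block, and resumes the initial thread. The structure layout is transcribed from public reverse-engineered headers (phnt) and is an assumption; it is the x64 layout, so the code refuses a WOW64 child instead of patching the wrong offset, and the helper names (loader_threads_offset, get_loader_threads, set_loader_threads, launch_with_serial_loader) are mine. It also shows where the 1036 and 1040 constants in the post come from: offsetof and sizeof of that structure.

```c
/* Added example (not from the thread): force the Windows 10 loader to load a
 * child's DLLs on a single thread by setting LoaderThreads = 1 in its
 * RTL_USER_PROCESS_PARAMETERS before the child's first thread runs.
 * Layout transcribed from public RE headers (phnt); assumed, x64 only. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-ins for the native types, sized for 64-bit Windows. */
typedef struct { uint16_t Length, MaximumLength; void *Buffer; } X_UNICODE_STRING;
typedef struct { X_UNICODE_STRING DosPath; void *Handle; } X_CURDIR;
typedef struct { uint16_t Flags, Length; uint32_t TimeStamp; X_UNICODE_STRING DosPath; } X_RTL_DRIVE_LETTER_CURDIR;

typedef struct {
    uint32_t MaximumLength, Length, Flags, DebugFlags;
    void *ConsoleHandle;
    uint32_t ConsoleFlags;
    void *StandardInput, *StandardOutput, *StandardError;
    X_CURDIR CurrentDirectory;
    X_UNICODE_STRING DllPath, ImagePathName, CommandLine;
    void *Environment;
    uint32_t StartingX, StartingY, CountX, CountY, CountCharsX, CountCharsY, FillAttribute;
    uint32_t WindowFlags, ShowWindowFlags;
    X_UNICODE_STRING WindowTitle, DesktopInfo, ShellInfo, RuntimeData;
    X_RTL_DRIVE_LETTER_CURDIR CurrentDirectories[32];
    uintptr_t EnvironmentSize, EnvironmentVersion;
    void *PackageDependencyData;
    uint32_t ProcessGroupId;
    uint32_t LoaderThreads;   /* 0 = default parallel loader, 1 = single loader thread */
} X_RTL_USER_PROCESS_PARAMETERS;

/* Offset of LoaderThreads: 1036 (0x40C) on x64, the constant the post hardcodes. */
size_t loader_threads_offset(void)
{
    return offsetof(X_RTL_USER_PROCESS_PARAMETERS, LoaderThreads);
}

/* Read LoaderThreads from a raw copy of the parameters block; 0 if the copy is too short. */
uint32_t get_loader_threads(const unsigned char *params, size_t len)
{
    uint32_t v = 0;
    if (len >= loader_threads_offset() + sizeof v)
        memcpy(&v, params + loader_threads_offset(), sizeof v);
    return v;
}

/* Patch LoaderThreads in a raw copy; 1 on success, 0 if the copy is too short. */
int set_loader_threads(unsigned char *params, size_t len, uint32_t value)
{
    if (len < loader_threads_offset() + sizeof value)
        return 0;
    memcpy(params + loader_threads_offset(), &value, sizeof value);
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Start cmdline (a writable buffer) with the serial loader. Returns 1 on success. */
int launch_with_serial_loader(wchar_t *cmdline)
{
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi;
    PROCESS_BASIC_INFORMATION pbi;
    PEB peb;
    unsigned char params[sizeof(X_RTL_USER_PROCESS_PARAMETERS)];   /* 1040 bytes on x64 */
    SIZE_T n;
    BOOL wow64;
    NtQIP_t NtQIP = (NtQIP_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");

    if (sizeof(void *) != 8 || !NtQIP)
        return 0;
    /* CREATE_SUSPENDED: the loader reads LoaderThreads during process initialisation. */
    if (!CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
        return 0;
    /* The layout above is x64-only; refuse a WOW64 child rather than corrupt its heap. */
    if (!IsWow64Process(pi.hProcess, &wow64) || wow64)
        goto fail;
    if (NtQIP(pi.hProcess, ProcessBasicInformation, &pbi, sizeof pbi, NULL) < 0 || !pbi.PebBaseAddress)
        goto fail;
    if (!ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof peb, &n))
        goto fail;
    if (!ReadProcessMemory(pi.hProcess, peb.ProcessParameters, params, sizeof params, &n))
        goto fail;
    if (!set_loader_threads(params, sizeof params, 1))
        goto fail;
    /* Write back only the 4-byte field so nothing else in the block is touched. */
    if (!WriteProcessMemory(pi.hProcess, (BYTE *)peb.ProcessParameters + loader_threads_offset(),
                            params + loader_threads_offset(), sizeof(uint32_t), &n))
        goto fail;
    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 1;
fail:
    TerminateProcess(pi.hProcess, 1);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}

int main(void)
{
    wchar_t cmd[] = L"notepad.exe";   /* constructed sample target */
    return launch_with_serial_loader(cmd) ? 0 : 1;
}
#endif
```

Build it as a 64-bit binary on Windows 10; the helpers above the `#ifdef _WIN32` line are plain C and compile anywhere, which is also where the 1036/1040 values can be checked without a live process.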
All times are GMT +8.