The goal is to load the injection DLL into any process without much prior knowledge about it. The process doesn't get a chance to start WinMain, as it's being created with the CREATE_SUSPENDED flag.
My DLL definitely does not cause the thread creation, as when I run CreateRemoteThread with LoadLibraryA and an invalid path the same behavior manifests, minus the thread for my DLL as it terminates instantly.
When I use my DLL in Sandboxie (instructed to inject it) it works fine, but Sandboxie does not use CreateRemoteThread; it just hijacks the main thread.
I would like to use it also without Sandboxie, but the simple approach with CREATE_SUSPENDED and CreateRemoteThread seems to have unwanted side effects.
PS: I also tried calling CreateRemoteThread for the function Sleep with a 10 sec delay, with the same effect: my thread gets created, this time it just waits 10 sec and terminates, but these 3 strange threads appear as well.
Also tried a mostly clean test VM.
My suspicion is that for whatever reason CreateRemoteThread (or NtCreateThreadEx) ends up triggering something that adds these additional threads.
Last edited by DavidXanatos; 06-05-2020 at 00:53.