Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 06-04-2020, 23:35
DavidXanatos DavidXanatos is online now
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
Strange question about CreateRemoteThread

Hi,

I have noticed that when I create a process in a suspended state and use CreateRemoteThread to load a dll (using LoadLibraryA) into that process, after the call to CreateRemoteThread even when the dllmain o the library is set to do nothing in addition to the 1 main thread and the one on purpose created thread I see 3 more appear with the start address ntdll.dll!RtlInitializeResource+0x410 why?!
And can I somehow avoid that?
Reply With Quote
  #2  
Old 06-04-2020, 23:56
chants chants is offline
Family
 
Join Date: Jul 2016
Posts: 531
Rept. Given: 5
Rept. Rcvd 35 Times in 21 Posts
Thanks Given: 442
Thanks Rcvd at 793 Times in 370 Posts
chants Reputation: 35
Are you sure there are no statically loaded DLLs into that process that are creating the threads either from the original process or loaded DLL? There can be lots of DLLMain codes running in that process not to mention the one WinMain. You probably have to check the DLL import list recursively from the process and for your injected DLL.
Reply With Quote
  #3  
Old 06-05-2020, 00:44
DavidXanatos DavidXanatos is online now
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
The goal is to load the injection dll into any process without much prior knowledge about it. The process doesn't get a chance to start WinMain as its being created with the CREATE_SUSPENDED flag.
My DLL definitely does not cause the thread creation, as when I run CreateRemoteThread with LoadLibraryA and an invalid path the same behavior manifests, minus the thread for my DLL as it terminates instantly.

When I use my DLL in sandboxie (instructed to inject it) it works fine but sandboxie does not use CreateRemoteThread it just hijacks the main thread.

I would like to use it also without sandboxie, but the simple approach with CREATE_SUSPENDED and CreateRemoteThread seams to have unwanted side-effects.

PS: I also tried calling CreateRemoteThread fo the function Sleep with a 10 sec delay, with the same effect, my thread gets created, this time it just waits 10 sec and terminated, but also these strange 3 threads appear.
Also tried a mostly clean test VM.
My suspicion is that for whatever reason CreateRemoteThread (or NtCreateThreadEx) ends up triggering something that adds this additional threads.

Last edited by DavidXanatos; 06-05-2020 at 00:53.
Reply With Quote
  #4  
Old 06-05-2020, 01:47
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 365
Rept. Given: 9
Rept. Rcvd 13 Times in 11 Posts
Thanks Given: 19
Thanks Rcvd at 80 Times in 37 Posts
WhoCares Reputation: 13
Just google "ntdll.dll!RtlInitializeResource+0x410", you will find it may be related to Windows Search. Most of them are complaining about high CPU utilization.

for example(with stacktrace):
https://forums.stardock.com/495882/start10-is-adding-25-cpu-usage-with-every-search
__________________
AKA Solomon/blowfish.
Reply With Quote
  #5  
Old 06-05-2020, 02:25
Archer's Avatar
Archer Archer is offline
retired
 
Join Date: Aug 2005
Posts: 227
Rept. Given: 1
Rept. Rcvd 30 Times in 18 Posts
Thanks Given: 2
Thanks Rcvd at 343 Times in 49 Posts
Archer Reputation: 30
When a thread is started (doesn't really matter, main or injected yours), the process has to be initialized including loading DLLs and some standard DLLs may create threads.
Reply With Quote
  #6  
Old 06-05-2020, 04:05
nulli nulli is offline
VIP
 
Join Date: Nov 2003
Posts: 146
Rept. Given: 39
Rept. Rcvd 19 Times in 9 Posts
Thanks Given: 34
Thanks Rcvd at 50 Times in 38 Posts
nulli Reputation: 19
I'm guessing you're using Windows 10? Where the Windows PE Image Loader uses the thread pool to parallel load images.

You can disable parallel loading in the registry and retry for fun (not profit):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FILENAME.exe]
"MaxLoaderThreads"=dword:00000001

Note that you have to replace the 'FILENAME.exe' key with whatever is the file name of the target.

You could also set the value in the targets PEB (untested):
PEB.ProcessParameters.LoaderThreads = 1
Reply With Quote
The Following 2 Users Say Thank You to nulli For This Useful Post:
DavidXanatos (06-05-2020), tonyweb (06-07-2020)
  #7  
Old 06-05-2020, 17:37
DavidXanatos DavidXanatos is online now
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
this LoaderThreads stuff sounds like its the cause of my issues: https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s/42789684

lets see if I can do something against it without modifying the registry.
Reply With Quote
  #8  
Old 06-05-2020, 18:43
nulli nulli is offline
VIP
 
Join Date: Nov 2003
Posts: 146
Rept. Given: 39
Rept. Rcvd 19 Times in 9 Posts
Thanks Given: 34
Thanks Rcvd at 50 Times in 38 Posts
nulli Reputation: 19
Quote:
Originally Posted by DavidXanatos View Post
this LoaderThreads stuff sounds like its the cause of my issues: https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s/42789684

lets see if I can do something against it without modifying the registry.
I already mentioned another option that doesnt involves the registry in my post:
"You could also set the value in the targets PEB (untested):
PEB.ProcessParameters.LoaderThreads = 1"
Reply With Quote
  #9  
Old 06-05-2020, 19:18
DavidXanatos DavidXanatos is online now
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
Yes I saw that, and it seams to work

Code:
	PROCESS_BASIC_INFORMATION basicInfo;
	if (NT_SUCCESS(NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &basicInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL)) && basicInfo.PebBaseAddress != 0)
	{
		PEB peb;
		NTSTATUS status = ReadProcessMemory(pi.hProcess, basicInfo.PebBaseAddress, &peb, sizeof(PEB), NULL);

		BYTE ProcessParameters[1040];
		status = ReadProcessMemory(pi.hProcess, peb.ProcessParameters, &ProcessParameters, sizeof(ProcessParameters), NULL);

		const int LoaderThreads = 1036; // FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, LoaderThreads);
		*((ULONG*)(ProcessParameters + LoaderThreads)) = 1; // disable parallel loading

		status = WriteProcessMemory(pi.hProcess, peb.ProcessParameters, &ProcessParameters, sizeof(ProcessParameters), NULL);
	}
Reply With Quote
The Following User Says Thank You to DavidXanatos For This Useful Post:
tonyweb (06-07-2020)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 05:29.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )