Reflective DLL Injection - AV detects at runtime

Hi @dtm

I’ve tried injecting using QueueUserAPC. It works, but the target process crashes sometimes.

Is there any way I can get the details (like the Stack) of the enumerated threads of a target process? I was hoping that we can target better which threads we can inject if we have some useful info about the thread.

And, what information can I extract from the CONTEXT of a thread?

Thank you

…in connection with the above comment…

In the Process Explorer, we can see the threads of a process, and also the stack of the thread, that shows which DLL functions are associated with which thread.

E.g., thread no. 6068 has its start address at WINMM.dll!timeEndPeriod+0x147

Is it possible to get this data from inside Visual Studio? I believe it is possible because Process Explorer is doing it. But how? How do we get the start address associated with a ThreadId?

pex

The CONTEXT struct can be found here: https://www.nirsoft.net/kernel_struct/vista/CONTEXT.html

typedef struct _CONTEXT
{
     ULONG ContextFlags;
     ULONG Dr0;
     ULONG Dr1;
     ULONG Dr2;
     ULONG Dr3;
     ULONG Dr6;
     ULONG Dr7;
     FLOATING_SAVE_AREA FloatSave;
     ULONG SegGs;
     ULONG SegFs;
     ULONG SegEs;
     ULONG SegDs;
     ULONG Edi;
     ULONG Esi;
     ULONG Ebx;
     ULONG Edx;
     ULONG Ecx;
     ULONG Eax;
     ULONG Ebp;
     ULONG Eip;
     ULONG SegCs;
     ULONG EFlags;
     ULONG Esp;
     ULONG SegSs;
     UCHAR ExtendedRegisters[512];
} CONTEXT, *PCONTEXT;

which contains the “context” of the thread. From here, I assume you can find the stack information.

As for the start address, you can try something like this: https://stackoverflow.com/questions/11147846/how-to-retrieve-starting-address-of-a-thread-in-windows. Personally, I’ve never done this before so I cannot confirm anything.

This topic was automatically closed after 30 days. New replies are no longer allowed.