Open Ou7law007 opened 2 years ago
Hi.
Perhaps you're interested in reproducing this: https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf ? I am looking for a way to inject a DLL into the cloned process, which also requires you to create a thread. As soon as I find some more time I'll try to figure it out. It's probably something undocumented, as usual. If I find the solution, I'll very likely post it on my GitHub. I already reproduced a lot of DirtyVanity's PDF in my kernel driver and C++ DLL.
Yes, good article. Thanks for that. Also, when I searched for related material, the above PDF is the best I found.
Here is some recent work of mine and Windows internals research: https://github.com/ByteWhite1x1/EDR-bypass-disable-PspNotifyEnableMask
I've been looking for an answer to this for a while. Do you have any idea as to why it is not possible to create a thread inside a process created by NtCreateProcess(Ex)? I guess unless it was created using a section handle or an executable, etc. The raw creation of a process where a handle to the target or NULL is passed as ParentProcess doesn't allow a thread to be created.
Thanks for the article: https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/#forking-your-own-process