Open abdullah2993 opened 5 years ago
I have some problems too. x64 sometimes works badly, but you can run an x86 PE in an x64 process.
I haven't tried it on x86, but currently on x64 it is unable to inject notepad.exe into calc.exe. Other combinations work as shown:

| Payload | Target | Success |
|---|---|---|
| Calc.exe | Calc.exe | Success |
| Calc.exe | notepad.exe | Fails |
| notepad.exe | Calc.exe | Success |
| notepad.exe | notepad.exe | Success |

I have the same problem with my implementation and I'm unable to find the reason for it.
Not exactly sure what your issue is _specifically_, but if you're using SuspendThread/SetThreadContext/ResumeThread on a process with a GUI thread (as if you're trying to steal a timeslice from a thread that doesn't belong to you and has other resources attached to it), keep in mind that messages can be queued to the thread prior to it executing your actual context. There's a comment at the end of https://zerosum0x0.blogspot.com/2017/07/threadcontinue-reflective-injection.html with a link which describes what I encountered back then while writing similar toys.
One way to test is to first verify that it works on both a non-GUI and a non-console process, and then, once that's confirmed, see if delivering various types of window messages (mouse will work) influences the stability or leaves any "droppings" below your target's stack pointer. You can try setting the program counter to an empty loop or a breakpoint.
(Also, if you're linking other libraries into the address space, keep in mind that your export directory can contain a forwarder if its RVA points within the directory.)
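Added example, not code from this thread or from libpeconv: a small Python parser over a constructed export directory that applies the forwarder rule above (an export whose RVA falls inside the export data directory is a "DLL.Func" forwarder string, not code). It assumes the buffer handed in starts at the directory's RVA and that the Size field of the export data directory from the optional header is known; the sample section bytes and names are constructed.

```python
import struct

EXPORT_DIR_RVA = 0x3000  # constructed: RVA where the sample export directory starts
EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def build_sample_export_section() -> bytes:
    """Constructed sample: one export pointing at code, one forwarder to another DLL."""
    names = [b"RealFunc\0", b"FwdFunc\0"]
    forward_str = b"KERNEL32.HeapAlloc\0"
    funcs_off = struct.calcsize(EXPORT_DIR_FMT)      # AddressOfFunctions follows the header
    names_off = funcs_off + 4 * len(names)           # AddressOfNames
    ords_off = names_off + 4 * len(names)            # AddressOfNameOrdinals
    str_off = ords_off + 2 * len(names)              # name strings, then the forwarder string
    name_rvas, cur = [], EXPORT_DIR_RVA + str_off
    for n in names:
        name_rvas.append(cur)
        cur += len(n)
    fwd_rva = cur  # lands inside the export directory range -> forwarder, not code
    func_rvas = [0x1000, fwd_rva]  # 0x1000 is code outside the directory
    hdr = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, 0, 1, len(func_rvas), len(names),
                      EXPORT_DIR_RVA + funcs_off, EXPORT_DIR_RVA + names_off,
                      EXPORT_DIR_RVA + ords_off)
    tables = struct.pack("<2I", *func_rvas) + struct.pack("<2I", *name_rvas) + struct.pack("<2H", 0, 1)
    return hdr + tables + b"".join(names) + forward_str

def parse_exports(section: bytes, dir_rva: int, dir_size: int) -> dict:
    """Map export name -> ("forwarder", "DLL.Func") or ("rva", address). `section` is
    assumed to start at `dir_rva`; `dir_size` is the export data directory Size field."""
    def rd(rva, fmt):
        return struct.unpack_from(fmt, section, rva - dir_rva)
    def cstr(rva):
        off = rva - dir_rva
        return section[off:section.index(b"\0", off)].decode("ascii")
    _, _, _, _, _, _base, _nfunc, nname, afun, anam, aord = rd(dir_rva, EXPORT_DIR_FMT)
    result = {}
    for i in range(nname):
        name_rva = rd(anam + 4 * i, "<I")[0]
        ordinal = rd(aord + 2 * i, "<H")[0]      # already an index into AddressOfFunctions
        target = rd(afun + 4 * ordinal, "<I")[0]
        if dir_rva <= target < dir_rva + dir_size:
            result[cstr(name_rva)] = ("forwarder", cstr(target))  # "DLL.Func" string
        else:
            result[cstr(name_rva)] = ("rva", target)
    return result

if __name__ == "__main__":
    sec = build_sample_export_section()
    print(parse_exports(sec, EXPORT_DIR_RVA, len(sec)))
```

A loader that skips this check will treat the address of the forwarder string as an entry point; a real image is read through the section table rather than a single buffer, but the range test is the same.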
If you have problems with running a manually loaded instance of notepad, it may be related to the properties of notepad itself (rather than any issue with the loader). More about it in this thread: https://github.com/hasherezade/libpeconv/issues/44