public static extern unsafe uint CreateThread(
uint *lpThreadAttributes,
uint dwStackSize,
ThreadStart lpStartAddress,
uint *lpParameter,
ThreadCreationFlags dwCreationFlags,
out uint lpThreadId);
public static IntPtr CreateRemoteThreadEx(
IntPtr handle,
IntPtr threadAttributes,
IntPtr stackSize,
IntPtr startAddress,
IntPtr parameter,
ThreadCreationFlags creationFlags,
IntPtr attributeList,
IntPtr threadId)
{
Ldarg(nameof(handle));
Ldarg(nameof(threadAttributes));
Ldarg(nameof(stackSize));
Ldarg(nameof(startAddress));
Ldarg(nameof(parameter));
Ldarg(nameof(creationFlags));
Ldarg(nameof(attributeList));
Ldarg(nameof(threadId));
Ldsfld(new FieldRef(typeof(Kernel32), nameof(_createRemoteThreadEx)));
Calli(new StandAloneMethodSig(
CallingConvention.StdCall,
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(ThreadCreationFlags),
typeof(IntPtr),
typeof(IntPtr)));
return(IL.Return <IntPtr>());
}
public static SafeMemoryHandle CreateThread(SafeMemoryHandle processHandle,
IntPtr startMethodAddress, IntPtr parameterAddress,
SecurityAttributes threadAttributes = default(SecurityAttributes),
ThreadCreationFlags creationFlags = 0, int stackSize = 0)
{
int threadId;
SafeMemoryHandle threadHandle = Imports.CreateRemoteThread(
processHandle,
ref threadAttributes,
stackSize,
startMethodAddress,
parameterAddress,
creationFlags,
out threadId);
if (threadHandle.IsInvalid)
{
throw new Win32Exception($"[Win32 Error: {Marshal.GetLastWin32Error()}] " +
$"Unable to create thread with " +
$"0x{processHandle.DangerousGetHandle().ToString("X")} using " +
$"0x{startMethodAddress.ToString($"X{IntPtr.Size}")}(0x{parameterAddress.ToString($"X{IntPtr.Size}")}) " +
$"Attributes[InheritHandle: {threadAttributes.InheritHandle}, " +
$"Length: {threadAttributes.Length}, " +
$"SecurityDescriptor: {threadAttributes.SecurityDescriptor.ToString($"X{IntPtr.Size}")}] " +
$"CreationFlags: 0x{creationFlags.ToString("X")} StackSize: {stackSize}");
}
return(threadHandle);
}
public static IntPtr CreateRemoteThread(
IntPtr handle,
IntPtr startAddress,
IntPtr parameter,
ThreadCreationFlags creationFlags,
out uint threadId)
=> Kernel32.CreateRemoteThreadEx(handle, startAddress, parameter, creationFlags, out threadId);
internal static extern SafeMemoryHandle CreateThread(
[In] ref SecurityAttributes lpThreadAttributes,
[Optional] int dwStackSize,
[Optional] IntPtr lpStartAddress,
IntPtr lpParameter,
[Optional] ThreadCreationFlags dwCreationFlags,
[Optional] out int lpThreadId);
public static IntPtr CreateRemoteThread(
IntPtr handle,
IntPtr threadAttributes,
IntPtr stackSize,
IntPtr startAddress,
IntPtr parameter,
ThreadCreationFlags creationFlags,
IntPtr threadId)
=> Kernel32.CreateRemoteThreadEx(handle, threadAttributes, stackSize, startAddress, parameter, creationFlags, IntPtr.Zero, threadId);
public static SafeMemoryHandle CreateRemoteThread(SafeMemoryHandle processHandle, IntPtr startAddress,
IntPtr parameter, ThreadCreationFlags creationFlags = ThreadCreationFlags.Run)
{
var handle = NativeMethods.CreateRemoteThread(processHandle, IntPtr.Zero, 0, startAddress, parameter,
creationFlags, out _);
if (handle.IsInvalid || handle.IsClosed)
{
throw new Win32Exception();
}
return(handle);
}
public static IntPtr CreateRemoteThreadEx(
IntPtr handle,
IntPtr startAddress,
IntPtr parameter,
ThreadCreationFlags creationFlags)
=> CreateRemoteThreadEx(
handle,
IntPtr.Zero, IntPtr.Zero,
startAddress,
parameter,
creationFlags,
IntPtr.Zero, IntPtr.Zero);
public static IntPtr CreateRemoteThreadEx(
IntPtr handle,
IntPtr threadAttributes,
IntPtr stackSize,
IntPtr startAddress,
IntPtr parameter,
ThreadCreationFlags creationFlags,
IntPtr attributeList,
out uint threadId)
{
IL.DeclareLocals(
new LocalVar("localThreadId", typeof(uint)),
new LocalVar("result", typeof(IntPtr)));
threadId = 0u;
Ldloca("localThreadId");
Initobj(typeof(uint));
Ldarg(nameof(handle));
Ldarg(nameof(threadAttributes));
Ldarg(nameof(stackSize));
Ldarg(nameof(startAddress));
Ldarg(nameof(parameter));
Ldarg(nameof(creationFlags));
Ldarg(nameof(attributeList));
Ldloca("localThreadId");
Conv_U();
Ldsfld(new FieldRef(typeof(Kernel32), nameof(_createRemoteThreadEx)));
Calli(new StandAloneMethodSig(
CallingConvention.StdCall,
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(IntPtr),
typeof(ThreadCreationFlags),
typeof(IntPtr),
typeof(uint).MakePointerType()));
Stloc("result");
Ldarg(nameof(threadId));
Ldloc("localThreadId");
Stind_I4();
Ldloc("result");
return(IL.Return <IntPtr>());
}
/// <summary>
/// Creates a thread that runs in the virtual address space of another process.
/// </summary>
/// <param name="processHandle">A handle to the process in which the thread is to be created.</param>
/// <param name="startAddress">A pointer to the application-defined function to be executed by the thread and represents the starting address of the thread in the remote process.</param>
/// <param name="parameter">A pointer to a variable to be passed to the thread function.</param>
/// <param name="creationFlags">The flags that control the creation of the thread.</param>
/// <returns>A handle to the new thread.</returns>
public static SafeMemoryHandle CreateRemoteThread(SafeMemoryHandle processHandle, IntPtr startAddress, IntPtr parameter, ThreadCreationFlags creationFlags = ThreadCreationFlags.Run)
{
// Check if the handles are valid
HandleManipulator.ValidateAsArgument(processHandle, "processHandle");
HandleManipulator.ValidateAsArgument(startAddress, "startAddress");
// Create the remote thread
int threadId;
var ret = NativeMethods.CreateRemoteThread(processHandle, IntPtr.Zero, 0, startAddress, parameter, creationFlags, out threadId);
// If the thread is created
if (!ret.IsClosed && !ret.IsInvalid)
return ret;
// Else couldn't create thread, throws an exception
throw new Win32Exception(string.Format("Couldn't create the thread at 0x{0}.", startAddress.ToString("X")));
}
public RemoteThread CreateThread(IntPtr entrypoint, IntPtr argument, ThreadCreationFlags flags)
{
var result = Kernel32.CreateRemoteThread(Handle,
IntPtr.Zero,
0,
entrypoint,
argument,
flags,
out var id);
if (result == IntPtr.Zero)
{
throw new Win32Exception();
}
return(new RemoteThread(result, id));
}
/// <summary>
/// Creates a thread that runs in the virtual address space of another process.
/// </summary>
/// <param name="processHandle">A handle to the process in which the thread is to be created.</param>
/// <param name="startAddress">
/// A pointer to the application-defined function to be executed by the thread and represents
/// the starting address of the thread in the remote process.
/// </param>
/// <param name="parameter">A pointer to a variable to be passed to the thread function.</param>
/// <param name="creationFlags">The flags that control the creation of the thread.</param>
/// <returns>A handle to the new thread.</returns>
public static SafeMemoryHandle CreateRemoteThread(SafeMemoryHandle processHandle, IntPtr startAddress,
IntPtr parameter, ThreadCreationFlags creationFlags = ThreadCreationFlags.Run)
{
// Check if the handles are valid
HandleManipulator.ValidateAsArgument(processHandle, "processHandle");
HandleManipulator.ValidateAsArgument(startAddress, "startAddress");
// Create the remote thread
var ret = Kernel32.CreateRemoteThread(processHandle, IntPtr.Zero, 0,
startAddress, parameter, creationFlags, out _);
// If the thread is created
if (!ret.IsClosed && !ret.IsInvalid)
{
return(ret);
}
// Else couldn't create thread, throws an exception
throw new Win32Exception($"Couldn't create the thread at 0x{startAddress.ToString("X")}.");
}
private void CallRoutine(RoutineDescriptor routineDescriptor)
{
// Write the shellcode used to perform the function call into a buffer
var shellcodeBlock = Process.GetArchitecture() == Architecture.X86 ? RoutineAssembler.AssembleRoutine32(routineDescriptor) : RoutineAssembler.AssembleRoutine64(routineDescriptor);
var shellcodeBuffer = Process.AllocateBuffer(shellcodeBlock.Length, true);
try
{
Process.WriteArray(shellcodeBuffer, shellcodeBlock);
// Create a thread to execute the shellcode
const AccessMask accessMask = AccessMask.SpecificRightsAll | AccessMask.StandardRightsAll;
const ThreadCreationFlags creationFlags = ThreadCreationFlags.HideFromDebugger | ThreadCreationFlags.SkipThreadAttach;
var ntStatus = Ntdll.NtCreateThreadEx(out var threadHandle, accessMask, IntPtr.Zero, Process.SafeHandle, shellcodeBuffer, IntPtr.Zero, creationFlags, IntPtr.Zero, 0, 0, IntPtr.Zero);
using (threadHandle)
{
if (ntStatus != NtStatus.Success)
{
throw new Win32Exception(Ntdll.RtlNtStatusToDosError(ntStatus));
}
if (Kernel32.WaitForSingleObject(threadHandle, int.MaxValue) == -1)
{
throw new Win32Exception();
}
}
}
finally
{
Process.FreeBuffer(shellcodeBuffer);
}
}
public static extern SafeMemoryHandle CreateRemoteThread(SafeMemoryHandle hProcess, IntPtr lpThreadAttributes,
int dwStackSize, IntPtr lpStartAddress,
IntPtr lpParameter, ThreadCreationFlags dwCreationFlags, out int lpThreadId);
public static extern SafeMemoryHandle CreateRemoteThread(SafeMemoryHandle hProcess, IntPtr lpThreadAttributes,
uint dwStackSize, IntPtr lpStartAddress,
IntPtr lpParameter, ThreadCreationFlags dwCreationFlags, out int lpThreadId);
public static extern IntPtr CreateRemoteThread(IntPtr hProcess,
IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress,
IntPtr lpParameter, ThreadCreationFlags dwCreationFlags, out IntPtr lpThreadId);
internal static extern NtStatus NtCreateThreadEx(out SafeWin32Handle threadHandle, AccessMask accessMask, IntPtr objectAttributes, SafeProcessHandle processHandle, IntPtr startAddress, IntPtr startParameter, ThreadCreationFlags flags, IntPtr zeroBits, int stackSize, int maximumStackSize, IntPtr attributeList);
internal static extern NtStatus NtCreateThreadEx(out SafeThreadHandle threadHandle, int desiredAccess, IntPtr objectAttributes, SafeProcessHandle processHandle, IntPtr startAddress, IntPtr parameter, ThreadCreationFlags creationFlags, int zeroBits, int stackSize, int maximumStackSize, IntPtr attributeList);
public static extern int NtCreateThreadEx(out SafeWaitHandle threadHandle, AccessMask accessMask, PointerEx objectAttributes, PointerEx processHandle, PointerEx startAddress, PointerEx argument, ThreadCreationFlags flags, PointerEx zeroBits, PointerEx stackSize, PointerEx maximumStackSize, IntPtr attributeList);
internal static extern IntPtr CreateRemoteThread(IntPtr h, IntPtr thread_attrs,
int stack_size, IntPtr start_addr, IntPtr param, ThreadCreationFlags creat_flags, out uint tid);
internal static extern NTSTATUS NtCreateThreadEx(out IntPtr hProcess, AccessMask desiredAccess, IntPtr objectAttributes, UIntPtr processHandle, IntPtr startAddress, IntPtr parameter, ThreadCreationFlags inCreateSuspended, Int32 stackZeroBits, Int32 sizeOfStack, Int32 maximumStackSize, IntPtr attributeList);