Red Team Codex
  • Welcome to Red Team Codex (RTC)
  • Posts
    • Red Teaming
      • Initial Foothold Reconnaissance
  • Active Directory Enumeration
    • Overview
    • Domain Enumeration
      • Domain Name
      • Domain Forest Trusts
      • Password Policy
    • Computer Enumeration
      • Domain Controllers
    • User Enumeration
    • Group Enumeration
    • AppLocker Enumeration
  • Payload Development
    • VBA Macros and the Windows API
      • Windows Defender
  • AV / EDR
    • Windows Advanced Threat Protection (ATP)
  • Remote Process Injection
    • CreateRemoteThread()
    • QueueUserAPC()
    • QueueUserAPC() + NtTestAlert()
    • SetWindowsHookEx()
    • SetThreadContext()
    • Process Hollowing
  • My Config Files
    • Windows Terminal
    • Tmux Configuration
    • .bashrc and PS1 Environment
Powered by GitBook
On this page

Was this helpful?

  1. Remote Process Injection

CreateRemoteThread()

Using CreateRemoteThread() to perform Remote Process Injection.

PreviousWindows Advanced Threat Protection (ATP)NextQueueUserAPC()

Last updated 4 years ago

Was this helpful?

HANDLE CreateRemoteThread(
  HANDLE                 hProcess,
  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  SIZE_T                 dwStackSize,
  LPTHREAD_START_ROUTINE lpStartAddress,
  LPVOID                 lpParameter,
  DWORD                  dwCreationFlags,
  LPDWORD                lpThreadId
);

  • Get a handle to an existing process on the system or create a new sacrificial process

    • OpenProcess()

    • CreateProcess()

    • CreateProcessAsUser()

  • Allocate some memory in the chosen remote process

    • VirtualAllocEx()

  • Write shell-code to the remote process

    • WriteProcessMemory()

  • Start a new thread inside the remote process, pointing the entry address to our shell-code

    • CreateRemoteThread()

    • NtCreateThreadEx()

    • RtlCreateUserThread()

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread