CreateRemoteThread()

Using CreateRemoteThread() to perform Remote Process Injection.

​https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread​
HANDLE CreateRemoteThread(
  HANDLE                 hProcess,
  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  SIZE_T                 dwStackSize,
  LPTHREAD_START_ROUTINE lpStartAddress,
  LPVOID                 lpParameter,
  DWORD                  dwCreationFlags,
  LPDWORD                lpThreadId
);
Get a handle to an existing process on the system or create a new sacrificial process
OpenProcess()
CreateProcess()
CreateProcessAsUser()
Allocate some memory in the chosen remote process
VirtualAllocEx()
Write shell-code to the remote process
WriteProcessMemory()
Start a new thread inside the remote process, pointing the entry address to our shell-code
CreateRemoteThread()
NtCreateThreadEx()
RtlCreateUserThread()
​
​

AV / EDR - Previous

Windows Advanced Threat Protection (ATP)

Next - Remote Process Injection

QueueUserAPC()

Last modified 2yr ago