Comments (6)
Post your code. I think you passed invalid parameters.
from injdrv.
OK, so I had an issue with the parameters, but I'm still experiencing an issue with the wow64 wrapper method.
So here's how I define my inputs:
PVOID ApcContext = NULL;                  // context is unused here, so NULL
PVOID ApcRoutineAddress = memoryHandle;   // 32-bit address of the routine in the target process
PsWrapApcWow64Thread(&ApcContext, &ApcRoutineAddress);
PKNORMAL_ROUTINE ApcRoutine = (PKNORMAL_ROUTINE)(ULONG_PTR)ApcRoutineAddress;
InjpQueueApc(UserMode, ApcRoutine, ApcContext, NULL, NULL);   // pass the wrapped context (was NormalContext, which is not declared above)
Note that in my case the context and inputs are irrelevant; they are all initialized to NULL.
I just want to see that the normal routine runs by itself (both inputs and the context are unused in my implementation).
After I call PsWrapApcWow64Thread, the value of ApcRoutineAddress is set to the inaccessible address 0xffffffff`fffc0000.
The original method address, however, is still in user space and points to the method implementation:
1: kd> u 10000
00000000`00010000 55 push rbp
00000000`00010001 8bec mov ebp,esp
00000000`00010003 83ec1c sub esp,1Ch
Perhaps you can tell me if you see any issues with my flow?
Thanks!
from injdrv.
"After I call PsWrapApcWow64Thread, the value of ApcRoutineAddress is set to the inaccessible address of 0xfffffffffffc0000"
This seems like correct behavior. KiUserApcDispatcher will recognize this value and decode it as "wow64 APC routine".
from injdrv.
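As an added example, not code from injdrv, the Windows kernel or ntdll: the two values quoted above (32-bit routine 0x10000, wrapped value 0xfffffffffffc0000) are related by wrapped = -(routine << 2), and a value with its top bit set is what the 64-bit dispatcher can tell apart from any user-mode address. The C below models the encode and the decode that way; the function names are this example's own, and treating the sign bit as the WoW64 marker is this example's reading of the reply above, not ntdll code shown on the page.

```c
/*
 * Added example (not code from injdrv, ntoskrnl or ntdll): a user-mode model
 * of the WoW64 APC-routine encoding seen in this thread. The 32-bit routine at
 * 0x10000 came back from PsWrapApcWow64Thread as 0xfffffffffffc0000, which is
 * exactly -(0x10000 << 2). The function names here are this example's own.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Encode a 32-bit NormalRoutine as a "negative" 64-bit pointer: shift left by
 * 2, then negate (unsigned arithmetic, so no signed-overflow UB). No canonical
 * user-mode address has its top bit set, so the sign alone flags a WoW64 APC.
 * Returns 0 for a NULL routine (0 is never a valid wrapped value). */
static uint64_t wow64_wrap_apc_routine(uint32_t routine32)
{
    if (routine32 == 0)
        return 0;
    uint64_t shifted = (uint64_t)routine32 << 2;   /* at most 0x3fffffffc */
    return 0u - shifted;
}

/* Dispatcher-side check: is this NormalRoutine value a wrapped WoW64 routine? */
static bool is_wow64_apc_routine(uint64_t normal_routine)
{
    return (int64_t)normal_routine < 0;
}

/* Undo the wrap: negate, check the two low bits the shift must have cleared,
 * shift right by 2, and require the result to fit a 32-bit address.
 * Returns the 32-bit routine, or 0 if the value is native or malformed. */
static uint32_t wow64_unwrap_apc_routine(uint64_t normal_routine)
{
    if (!is_wow64_apc_routine(normal_routine))
        return 0;                                  /* plain 64-bit routine */
    uint64_t shifted = 0u - normal_routine;        /* undo the negation */
    if (shifted & 3u)
        return 0;                                  /* not a shifted 32-bit value */
    uint64_t routine = shifted >> 2;
    if (routine > UINT32_MAX)
        return 0;                                  /* would not fit a WoW64 address */
    return (uint32_t)routine;
}

int main(void)
{
    /* Values taken from the thread: the 32-bit routine and a native ntdll address. */
    uint64_t wrapped = wow64_wrap_apc_routine(0x10000u);
    printf("wrap(0x10000)   = 0x%016llx\n", (unsigned long long)wrapped);
    printf("unwrap(wrapped) = 0x%x\n", wow64_unwrap_apc_routine(wrapped));
    printf("0x00007ffd71f4e5e9 is a wow64 routine? %d\n",
           is_wow64_apc_routine(0x00007ffd71f4e5e9ull));
    return 0;
}
```

When a wrapped value shows up in the debugger, feeding it to the decoder and getting the original routine back confirms the wrap step did what it should; the value itself is not meant to be executable, so a breakpoint on it will never hit. The same 0xffffffff`fffc0000 is visible among the arguments to wow64!Wow64ApcRoutine in the stack posted further down.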
However, I cannot reach the breakpoint of the normal routine (I set a breakpoint on the address it was allocated at, from the context of the injected process).
It seems like the process is stuck. When I tried to analyze it, I saw that one of the threads' call stacks is stuck in wow64ApcRoutine. Any ideas how to further debug this issue?
Child-SP RetAddr : Args to Child : Call Site
ffffd708`1295f680 fffff802`cab3a3c6 : 00000000`00000000 ffffaf04`318f0580 00000000`00000000 00000000`00000000 : nt!KiSwapContext+0x76
ffffd708`1295f7c0 fffff802`cab39bbb : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSwapThread+0x2c6
ffffd708`1295f890 fffff802`cab392df : 00000000`00000000 00000000`00000000 00000000`00000000 ffffaf04`318f06c0 : nt!KiCommitThreadWait+0x13b
ffffd708`1295f930 fffff802`caf9fd3c : ffffaf04`2f7de580 fffff802`00000006 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x1ff
ffffd708`1295fa10 fffff802`cac5d743 : ffffaf04`318f0580 00000000`003ef000 00000000`00000000 ffffaf04`2f7de580 : nt!NtWaitForSingleObject+0xfc
ffffd708`1295fa80 00000000`77811e4c : 00000000`77811cad 00000023`7790b48c 00000000`00000000 00000000`ffffffff : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd708`1295fa80)
00000000`0009e828 00000000`77811cad : 00000023`7790b48c 00000000`00000000 00000000`ffffffff 00000000`00000011 : wow64cpu!CpupSyscallStub+0xc
00000000`0009e830 00000000`77811389 : 00000000`0009fd24 00000000`0009fff0 00000000`0009fd24 00000000`0009fd20 : wow64cpu!Thunk0ArgReloadState+0x5
00000000`0009e8e0 00000000`777bcec6 : 00000000`7790cc00 00000000`0019f9d0 00000000`0009f060 00000000`00000000 : wow64cpu!BTCpuSimulate+0x9
00000000`0009e920 00000000`777c3eb5 : 00000000`ffff014c 00000000`0009014c 00000000`0009fd24 00000000`00000001 : wow64!RunCpuSimulation+0xa
00000000`0009e950 00000000`777c3dbf : 00000000`ffffffff 00000000`0019fd00 00000000`003ef000 00000000`00000000 : wow64!Wow64ApcRoutineInternal+0xf5
00000000`0009e9d0 00007ffd`71f4e5e9 : ffffd708`1295f3b8 00000000`00000000 00000000`00000000 ffffffff`fffc0000 : wow64!Wow64ApcRoutine+0x1f
00000000`0009ea10 00000000`77811e4c : 00000000`77811cad 00000023`7790c24c 00007ffd`71ef0023 00000000`0019fc00 : ntdll!KiUserApcDispatch+0x69 (TrapFrame @ 00000000`0009ed78)
00000000`0009ef08 00000000`77811cad : 00000023`7790c24c 00007ffd`71ef0023 00000000`0019fc00 00000000`0019fd14 : wow64cpu!CpupSyscallStub+0xc
00000000`0009ef10 00000000`77811389 : 00000000`0019fd24 00000000`777bcf95 00000000`0009efe0 00000000`777bbecb : wow64cpu!Thunk0ArgReloadState+0x5
00000000`0009efc0 00000000`777bcec6 : 00000000`003ec000 00000000`00400108 00000000`00000000 00000000`0009f820 : wow64cpu!BTCpuSimulate+0x9
00000000`0009f000 00000000`777bcdb0 : 00000000`00000000 00000000`005f2178 00000000`005f2178 00000000`00000000 : wow64!RunCpuSimulation+0xa
00000000`0009f030 00007ffd`71f7f637 : 00007ffd`71fc82f8 00007ffd`71fc82f8 00000000`00000010 00007ffd`71fc8290 : wow64!Wow64LdrpInitialize+0x120
00000000`0009f2e0 00007ffd`71f6fa45 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1887
00000000`0009f700 00007ffd`71f24feb : 00000000`0009f820 00000000`00000000 00000000`00000000 00000000`003ed000 : ntdll!_LdrpInitialize+0x4aa45
00000000`0009f7a0 00007ffd`71f24f9e : 00000000`0009f820 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitialize+0x3b
00000000`0009f7d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
from injdrv.
PsWrapApcWow64Thread result is normal.
Is the 32-bit ntdll loaded in the target process?
from injdrv.
Yes, I guess that was the problem. Now it's fixed. Thank you.
from injdrv.
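The resolution above is an ordering problem: the stack posted earlier shows the APC being dispatched from wow64!Wow64LdrpInitialize while ntdll!LdrpInitializeProcess is still running, so the 32-bit ntdll that a WoW64 APC is handed to is not mapped yet. One way to avoid queueing too early is to drive injection from image-load notifications (a PsSetLoadImageNotifyRoutine callback in a real driver) and wait until every ntdll the process needs has loaded. The C below is an added, user-mode model of that gate, not injdrv's own code; the load sequences are constructed, and the type and function names are this example's own.

```c
/*
 * Added example (not injdrv code): user-mode model of "inject only once the
 * ntdll(s) the APC dispatcher needs are mapped". In a driver the events would
 * come from a PsSetLoadImageNotifyRoutine callback's FullImageName; here they
 * are constructed strings. Names below are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum { NTDLL_NATIVE = 1 << 0, NTDLL_WOW64 = 1 << 1 };

typedef struct {
    bool     is_wow64;   /* a driver would consult PsGetProcessWow64Process() */
    unsigned loaded;     /* bitmask of NTDLL_* images seen so far */
    bool     injected;   /* APC already queued for this process */
} process_state;

/* Case-insensitive suffix match; image paths vary in case and prefix. */
static bool path_ends_with_ci(const char *path, const char *suffix)
{
    size_t lp = strlen(path), ls = strlen(suffix);
    if (ls > lp)
        return false;
    const char *tail = path + (lp - ls);
    for (size_t i = 0; i < ls; i++) {
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return false;
    }
    return true;
}

/* Which ntdll images must be mapped before a user-mode APC can run: a WoW64
 * process needs both the 64-bit one (KiUserApcDispatcher lives there) and the
 * 32-bit one that the wow64 layer hands the unwrapped routine to. */
static unsigned required_ntdlls(const process_state *ps)
{
    return ps->is_wow64 ? (NTDLL_NATIVE | NTDLL_WOW64) : NTDLL_NATIVE;
}

/* Record one image-load event for the process. */
static void on_image_load(process_state *ps, const char *full_image_name)
{
    if (path_ends_with_ci(full_image_name, "\\System32\\ntdll.dll"))
        ps->loaded |= NTDLL_NATIVE;
    else if (path_ends_with_ci(full_image_name, "\\SysWOW64\\ntdll.dll"))
        ps->loaded |= NTDLL_WOW64;
}

/* Queue the APC at most once, and only when the required set is complete.
 * Returns true if this call is the one that would queue it. */
static bool try_inject(process_state *ps)
{
    unsigned need = required_ntdlls(ps);
    if (ps->injected || (ps->loaded & need) != need)
        return false;
    ps->injected = true;   /* the PsWrapApcWow64Thread + queue-APC step goes here */
    return true;
}

/* Replay a load sequence; return the index of the event that triggers
 * injection, or -1 if the sequence ends before the process is ready. */
static int injection_event_index(bool is_wow64, const char *const *loads, size_t n)
{
    process_state ps = { is_wow64, 0u, false };
    for (size_t i = 0; i < n; i++) {
        on_image_load(&ps, loads[i]);
        if (try_inject(&ps))
            return (int)i;
    }
    return -1;
}

/* Constructed load orders (not captured from a real process). */
static const char *const kNativeLoads[] = {
    "\\SystemRoot\\System32\\ntdll.dll",
    "\\SystemRoot\\System32\\kernel32.dll",
};
static const char *const kWow64Loads[] = {
    "\\SystemRoot\\System32\\ntdll.dll",
    "\\SystemRoot\\System32\\wow64.dll",
    "\\SystemRoot\\SysWOW64\\NTDLL.DLL",
    "\\SystemRoot\\SysWOW64\\kernel32.dll",
};

int main(void)
{
    printf("native process injects at event %d\n",
           injection_event_index(false, kNativeLoads, 2));
    printf("wow64 process injects at event %d\n",
           injection_event_index(true, kWow64Loads, 4));
    printf("wow64 process, 32-bit ntdll not yet loaded: %d\n",
           injection_event_index(true, kWow64Loads, 2));
    return 0;
}
```

Gating on the 32-bit ntdll rather than on "any alertable thread" is what turns the hang in the thread into a deterministic injection point: the WoW64 process becomes eligible at the SysWOW64\ntdll.dll load event, never earlier.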