Skip to content

Unhook kernel32!BaseThreadInitThunk #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Unhook kernel32!BaseThreadInitThunk #17

wants to merge 3 commits into from

Conversation

@0vercl0k
Copy link

@0vercl0k 0vercl0k commented Mar 12, 2019
edited
Loading

Firefox on Windows hooks kernel32!BaseThreadInitThunk which prevents the remote thread to start in the target, see https://dxr.mozilla.org/mozilla-central/source/mozglue/build/WindowsDllBlocklist.cpp#821:

0:032> u kernel32!BaseThreadInitThunk
KERNEL32!BaseThreadInitThunk:
00007ff8`550d81e0 49bb0064453af87f0000 mov r11,offset mozglue!patched_BaseThreadInitThunk (00007ff8`3a456400)
00007ff8`550d81ea 41ffe3          jmp     r11
00007ff8`550d81ed c2ff15          ret     15FFh

This PR restores the function prologue if it is detected as indeed hooked - happy to fix / adapt anything you'd like.

Also took the extra liberty of fixing the indentation in Rva2Offset :).

Cheers

FreddieOliveira
FreddieOliveira reviewed Oct 14, 2020
View reviewed changes
Copy link

@FreddieOliveira FreddieOliveira left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can you guarantee that the addresses returned by GetProcAddress and GetModuleHandle are the same for both the current process and the target process?

You saved the address of BaseThreadInitThunk for the current process in line 219 and wrote to this same address into the target process in line 235, but you can't assume for sure that the BaseThreadInitThunk function is located at the same address in both processes.

You're very likely overwriting unknown memory region in the target process thinking it holds the BaseThreadInitThunk when in reality that memory address may even crash the target process if manipulated.

@0vercl0k
Copy link
Author

0vercl0k commented Oct 14, 2020 via email

@FreddieOliveira
Copy link

FreddieOliveira commented Oct 14, 2020
edited
Loading

You're almost right, but there's a catch: when same DLLs are imported by different process they usually share the same physical memory address for those DLLs. But, the processes have different virtual addresses for them.

For example, let's suppose that our rootkit.exe and firefox.exe uses the kernel32.dll. To use memory efficiently, Windows will load kernel32.dll into physical address 0x003000 and share this addr with all processes that uses this DLL instead of loading it to RAM each time. When starting rootkit.exe process, it will map kernel32.dll into the virtual address 0x001000 that in reality maps to physical address 0x003000. When starting Firefox.exe process, the kernel32.dll will be mapped at 0x008000 virtual address that also maps to physical address 0x003000. (All these addresses are fictitious) But it's important to note that despite sharing the same physical address for the DLLs, the process have different virtual addresses. When using GetProcAddress or GetModuleHandle or any other function that deals with the process memory, they are usually returning virtual addresses which is unique for each process. So, you can't assume that a returned address from these functions is the same for other processes.

A good answer on how to get DLL functions address in a remote process is given here: https://stackoverflow.com/questions/26395243/getmodulehandle-for-a-dll-in-another-process

Cheers

@0vercl0k
Copy link
Author

0vercl0k commented Oct 14, 2020 via email

@FreddieOliveira
Copy link

Hmm, that's an interesting behavior, looks like the DLLs are not ASLR and GetProcAddress returns the real physical address, which means the addresses returned for the DLL exported function is the same for every process.

I'm just not sure if this will be always the case. I'm also lacking documentation from my part.

@FreddieOliveira
Copy link

Though not finding official documentation, after some research I found out:

  1. Windows will try to use the same virtual addresses for processes to map common DLLs, as long as possible. That means if both processes rootkit.exe and Firefox.exe uses kernel32.dll, they both would try to map the kernel32.dll in the so called preferred address. If the preferred address is not available, then the DLL will be relocated to another virtual address.
  2. Some DLLs are ASLR compatible. What is randomized is the preferred address and the randomization happens once per boot. So, rootkit.exe and firefox.exe would map kernel32.dll in their virtual address 0x50000, for example. After rebooting, that address would change to 0x20000.
  3. GetProcAddress indeed returns the real physical address which is the same for every process. And even if the returned value was a virtual address, this value would also be the same for every process that mapped the DLL in the preferred address. So, it's highly probably that using the returned value across different processes will work, though it's not 100% guaranteed.

References:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@FreddieOliveira FreddieOliveira FreddieOliveira left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@0vercl0k @FreddieOliveira