NtCreateThreadEx DLL-Injection on Win7 64bit does not work

Question

0.00/5 (No votes)

See more:

Hi,

i'm currently playing with DLL-injection techniques and encountered some strange behaviour. When i try to inject a 64bit DLL into an arbitrary 64bit process (like calc.exe) via NtCreateThreadEx() by a 64bit injector EXE, nothing happens. The return value of NtCreateThreadEx() is 0xc0000005 (Access Violation). GetLastError() returns 0x6, INVALID_HANDLE.

If i compile my code (DLL and the injector EXE) to 32bit, everything works fine! What is the reason for this and how i get the 64bit injection via NtCreateThreadEx() done?

If i use CreateRemoteThread() instead of NtCreateThreadEx(), the 64bit injection works fine - but this is no solution because of the session-boundaries. I would appreciate it if someone could give me a hint on this topic.

With kind regards

Posted 1-Aug-12 15:21pm

pszPeter

Add a Solution

2 solutions

Solution 1

You can't load 32 bit DLLs to 64bit processes and vice versa. If you injection works fine with the 32 bit DLL, then your target process is 32 bit for sure. I have 32bit windows on my mahcine at home so can't check this right now but I'm pretty sure that your 64 bit windows still contains a lot of 32 bit legacy stuff. Maybe your calc exe is still a 32 bit stuff.

Posted 2-Aug-12 4:59am

pasztorpisti

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Volynsky Alex · Accepted Answer · 2012-08-02T06:01:00

Please read following blog:
http://noobys-journey.blogspot.co.il/search/label/NtCreateThreadEx[^]

Also read the following article:
http://msdn.microsoft.com/en-us/windows/hardware/gg463353.aspx[^]
http://reboot.pro/16405/page__st__25[^]
http://windows7forums.com/blue-screen-death-bsod/55595-repeating-bsod-programs-crashing-closing.html[^]

P.S.
http://www.securityxploded.com/ntcreatethreadex.php[^]