.:: Bots United ::. - View Single Post - CreateRemoteThread

Lazy · **Re: CreateRemoteThread - Strange behaviour -** 20-09-2004

It had the same result both times even when DllMain did nothing and just returned TRUE.
This also only happens when the process is created with the CREATE_SUSPENDED flag. But since that is the only time where IAT patching is useful, injection afterwards is basically useless.

I have had success with proxy dlls but they take a loong time to make and does not work with kernel32.dll functions. There was also another method where you overwrote the entrypoint with your code, let it execute and restored the original. The problem with that was I tried writing 0xCD03 ( equal to __asm int 3 ) and the application would refuse to start.

	(#4)
Lazy Member Status: Offline Posts: 236 Join Date: Jan 2004 Location: Toronto, Ontario, Canada	Re: CreateRemoteThread - Strange behaviour - 20-09-2004 It had the same result both times even when DllMain did nothing and just returned TRUE. This also only happens when the process is created with the CREATE_SUSPENDED flag. But since that is the only time where IAT patching is useful, injection afterwards is basically useless. I have had success with proxy dlls but they take a loong time to make and does not work with kernel32.dll functions. There was also another method where you overwrote the entrypoint with your code, let it execute and restored the original. The problem with that was I tried writing 0xCD03 ( equal to __asm int 3 ) and the application would refuse to start.