From 1ac47410940a4e3e7eafb924bf3fcb4b9b543fb9 Mon Sep 17 00:00:00 2001
From: cod
Date: Mon, 12 Aug 2024 18:07:27 +0200
Subject: [PATCH 1/5] Resolve GetThreadId at runtime
---
 c/meterpreter/source/metsrv/remote_thread.c | 25 ++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/c/meterpreter/source/metsrv/remote_thread.c b/c/meterpreter/source/metsrv/remote_thread.c
index 76ea4423d..38bcca191 100644
--- a/c/meterpreter/source/metsrv/remote_thread.c
+++ b/c/meterpreter/source/metsrv/remote_thread.c
@@ -14,6 +14,13 @@ static PRtlCreateUserThread pRtlCreateUserThread = NULL;
 /*! @brief Indication of whether an attempt to locate the pRtlCreateUserThread pointer has been made. */
 static BOOL pRtlCreateUserThreadAttempted = FALSE;
+/*! @brief Function pointer type for the GetThreadId function in kernel32.dll not available in Windows XP SP3 */
+typedef DWORD (WINAPI * PGetThreadId)(HANDLE);
+/*! @brief Reference to the loaded GetThreadId function pointer. */
+static PGetThreadId pGetThreadId = NULL;
+/*! @brief Indication of whether an attempt to locate the pRtlCreateUserThread pointer has been made. */
+static BOOL pGetThreadIdAttempted = FALSE;
+
 /*!
 * @brief Helper function for creating a remote thread in a privileged process.
 * @param hProcess Handle to the target process.
@@ -79,7 +86,23 @@ HANDLE create_remote_thread(HANDLE hProcess, SIZE_T sStackSize, LPVOID pvStartAd
 if (ntResult == 0 && pdwThreadId)
 {
- *pdwThreadId = GetThreadId(hThread);
+ if (!pGetThreadIdAttempted)
+ {
+ if (pGetThreadId == NULL)
+ {
+ pGetThreadId = (PGetThreadId)GetProcAddress(GetModuleHandleA("kernel32"), "GetThreadId");
+ if (pGetThreadId)
+ {
+ dprintf("[REMOTHREAD] GetThreadId found at %p", pGetThreadId);
+ }
+ }
+ pGetThreadIdAttempted = TRUE;
+ }
+
+ if (pGetThreadId != NULL)
+ *pdwThreadId = pGetThreadId(hThread);
+ else
+ *pdwThreadId = 0;
 }
 }
 else
From 788d419c6ea9a4e47503ec67b1cdf37e42418110 Mon Sep 17 00:00:00 2001
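Review bot: The @brief on the new pGetThreadIdAttempted flag in the first hunk says "pRtlCreateUserThread pointer", copied from the flag two lines above; it should read `/*! @brief Indication of whether an attempt to locate the pGetThreadId pointer has been made. */`. A later patch in this series makes exactly that correction and the one after it reverts it again, so the wrong wording is what ends up in the tree.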
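Review bot: The else branch at the end of the second hunk stores 0 in *pdwThreadId when GetThreadId cannot be resolved, while the function still hands back the created thread handle, so a caller has no stated way to tell "id unavailable" from a real id; document the sentinel where it is produced, `// GetThreadId is absent from kernel32 on XP SP3 (see typedef); 0 means the id could not be obtained`, and confirm that create_remote_thread's callers never treat 0 as a valid thread id. The inner `if (pGetThreadId == NULL)` is always true on the only path that reaches it, because it sits under `!pGetThreadIdAttempted` and pGetThreadId is assigned nowhere else in the hunk, so the check can be dropped. The one-shot lookup with two file-scope globals mirrors the existing pRtlCreateUserThread pair, so it is at least consistent with the file. create_remote_thread starts and ends outside the hunk.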
From: cod
Date: Tue, 13 Aug 2024 17:58:44 +0200
Subject: [PATCH 2/5] Added advapi32 in LINK_LIBS for modules which uses OpenThreadToken to fix an error in mingw-x86 toolchain
---
 c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt | 2 +-
 c/meterpreter/workspace/ext_server_priv/CMakeLists.txt | 2 +-
 c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt | 1 +
 c/meterpreter/workspace/metsrv/CMakeLists.txt | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt b/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt
index 450af691a..0de663bce 100644
--- a/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt
+++ b/c/meterpreter/workspace/ext_server_incognito/CMakeLists.txt
@@ -29,7 +29,7 @@ if(MSVC)
 set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE)
 endif()
-set(LINK_LIBS netapi32 mpr)
+set(LINK_LIBS advapi32 netapi32 mpr)
 target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM})
 if(MSVC)
 target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070")
diff --git a/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt b/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt
index da2fa9266..dea7e258b 100644
--- a/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt
+++ b/c/meterpreter/workspace/ext_server_priv/CMakeLists.txt
@@ -71,7 +71,7 @@ if(MSVC)
 set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE)
 endif()
-set(LINK_LIBS psapi rpcrt4)
+set(LINK_LIBS advapi32 psapi rpcrt4)
 target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM})
 if(MSVC)
 target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070")
diff --git a/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt b/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt
index 838f53c8c..09d1bffba 100644
--- a/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt
+++ b/c/meterpreter/workspace/ext_server_stdapi/CMakeLists.txt
@@ -43,6 +43,7 @@ if(MSVC)
 endif()
 set(LINK_LIBS
+ advapi32
 jpeg
 mpr
 netapi32
diff --git a/c/meterpreter/workspace/metsrv/CMakeLists.txt b/c/meterpreter/workspace/metsrv/CMakeLists.txt
index c75dc8b11..cbc09600d 100644
--- a/c/meterpreter/workspace/metsrv/CMakeLists.txt
+++ b/c/meterpreter/workspace/metsrv/CMakeLists.txt
@@ -30,7 +30,7 @@ if(MSVC)
 set_source_files_properties(${MOD_DEF_DIR}/metsrv.def PROPERTIES HEADER_FILE_ONLY TRUE)
 endif()
-set(LINK_LIBS winhttp wininet crypt32)
+set(LINK_LIBS advapi32 winhttp wininet crypt32)
 if(MSVC)
 target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070")
From aff81538ec8a3a9a0439ead904d3add6cad8f2d4 Mon Sep 17 00:00:00 2001
From: cod
Date: Tue, 13 Aug 2024 22:42:21 +0300
Subject: [PATCH 3/5] Update remote_thread.c TTypo
---
 c/meterpreter/source/metsrv/remote_thread.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/c/meterpreter/source/metsrv/remote_thread.c b/c/meterpreter/source/metsrv/remote_thread.c
index 38bcca191..d9c67e6c4 100644
--- a/c/meterpreter/source/metsrv/remote_thread.c
+++ b/c/meterpreter/source/metsrv/remote_thread.c
@@ -18,7 +18,7 @@ static BOOL pRtlCreateUserThreadAttempted = FALSE;
 typedef DWORD (WINAPI * PGetThreadId)(HANDLE);
 /*! @brief Reference to the loaded GetThreadId function pointer. */
 static PGetThreadId pGetThreadId = NULL;
-/*! @brief Indication of whether an attempt to locate the pRtlCreateUserThread pointer has been made. */
+/*! @brief Indication of whether an attempt to locate the pGetThreadId pointer has been made. */
 static BOOL pGetThreadIdAttempted = FALSE;
 /*!
@@ -93,7 +93,7 @@ HANDLE create_remote_thread(HANDLE hProcess, SIZE_T sStackSize, LPVOID pvStartAd
 pGetThreadId = (PGetThreadId)GetProcAddress(GetModuleHandleA("kernel32"), "GetThreadId");
 if (pGetThreadId)
 {
- dprintf("[REMOTHREAD] GetThreadId found at %p", pGetThreadId);
+ dprintf("[REMOTETHREAD] GetThreadId found at %p", pGetThreadId);
 }
 }
 pGetThreadIdAttempted = TRUE;
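Review bot: In the metsrv/CMakeLists.txt hunk the context between the changed `set(LINK_LIBS advapi32 winhttp wininet crypt32)` and `if(MSVC)` shows no `target_link_libraries(...)` consuming LINK_LIBS, unlike the three extension hunks where `target_link_libraries(${PROJECT_NAME} ${LINK_LIBS} ${MET_RDI_ASM})` follows immediately; the variable is presumably consumed further down outside the hunk, but that is worth confirming, since otherwise the advapi32 addition has no effect for the metsrv target. The commit message attributes the link error to OpenThreadToken; a short comment next to the list, `# advapi32: OpenThreadToken (mingw does not link it implicitly)`, would keep the next maintainer from pruning it.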
From a91fb725366fdde11c1826ddaaaae7644316c857 Mon Sep 17 00:00:00 2001
From: cod
Date: Tue, 17 Sep 2024 11:47:22 +0200
Subject: [PATCH 4/5] Revert "Update remote_thread.c"
This reverts commit aff81538ec8a3a9a0439ead904d3add6cad8f2d4.
---
 c/meterpreter/source/metsrv/remote_thread.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/c/meterpreter/source/metsrv/remote_thread.c b/c/meterpreter/source/metsrv/remote_thread.c
index d9c67e6c4..38bcca191 100644
--- a/c/meterpreter/source/metsrv/remote_thread.c
+++ b/c/meterpreter/source/metsrv/remote_thread.c
@@ -18,7 +18,7 @@ static BOOL pRtlCreateUserThreadAttempted = FALSE;
 typedef DWORD (WINAPI * PGetThreadId)(HANDLE);
 /*! @brief Reference to the loaded GetThreadId function pointer. */
 static PGetThreadId pGetThreadId = NULL;
-/*! @brief Indication of whether an attempt to locate the pGetThreadId pointer has been made. */
+/*! @brief Indication of whether an attempt to locate the pRtlCreateUserThread pointer has been made. */
 static BOOL pGetThreadIdAttempted = FALSE;
 /*!
@@ -93,7 +93,7 @@ HANDLE create_remote_thread(HANDLE hProcess, SIZE_T sStackSize, LPVOID pvStartAd
 pGetThreadId = (PGetThreadId)GetProcAddress(GetModuleHandleA("kernel32"), "GetThreadId");
 if (pGetThreadId)
 {
- dprintf("[REMOTETHREAD] GetThreadId found at %p", pGetThreadId);
+ dprintf("[REMOTHREAD] GetThreadId found at %p", pGetThreadId);
 }
 }
 pGetThreadIdAttempted = TRUE;
From 68bbcf2a2b3a1e47b2c915bdd627a43e8eaa80e4 Mon Sep 17 00:00:00 2001
From: cod
Date: Tue, 17 Sep 2024 11:47:39 +0200
Subject: [PATCH 5/5] Revert "Resolve GetThreadId at runtime"
This reverts commit 1ac47410940a4e3e7eafb924bf3fcb4b9b543fb9.
---
 c/meterpreter/source/metsrv/remote_thread.c | 25 +--------------------
 1 file changed, 1 insertion(+), 24 deletions(-)
diff --git a/c/meterpreter/source/metsrv/remote_thread.c b/c/meterpreter/source/metsrv/remote_thread.c
index 38bcca191..76ea4423d 100644
--- a/c/meterpreter/source/metsrv/remote_thread.c
+++ b/c/meterpreter/source/metsrv/remote_thread.c
@@ -14,13 +14,6 @@ static PRtlCreateUserThread pRtlCreateUserThread = NULL;
 /*! @brief Indication of whether an attempt to locate the pRtlCreateUserThread pointer has been made. */
 static BOOL pRtlCreateUserThreadAttempted = FALSE;
-/*! @brief Function pointer type for the GetThreadId function in kernel32.dll not available in Windows XP SP3 */
-typedef DWORD (WINAPI * PGetThreadId)(HANDLE);
-/*! @brief Reference to the loaded GetThreadId function pointer. */
-static PGetThreadId pGetThreadId = NULL;
-/*! @brief Indication of whether an attempt to locate the pRtlCreateUserThread pointer has been made. */
-static BOOL pGetThreadIdAttempted = FALSE;
-
 /*!
 * @brief Helper function for creating a remote thread in a privileged process.
 * @param hProcess Handle to the target process.
@@ -86,23 +79,7 @@ HANDLE create_remote_thread(HANDLE hProcess, SIZE_T sStackSize, LPVOID pvStartAd
 if (ntResult == 0 && pdwThreadId)
 {
- if (!pGetThreadIdAttempted)
- {
- if (pGetThreadId == NULL)
- {
- pGetThreadId = (PGetThreadId)GetProcAddress(GetModuleHandleA("kernel32"), "GetThreadId");
- if (pGetThreadId)
- {
- dprintf("[REMOTHREAD] GetThreadId found at %p", pGetThreadId);
- }
- }
- pGetThreadIdAttempted = TRUE;
- }
-
- if (pGetThreadId != NULL)
- *pdwThreadId = pGetThreadId(hThread);
- else
- *pdwThreadId = 0;
+ *pdwThreadId = GetThreadId(hThread);
 }
 }
 else
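Review bot: The restored line `*pdwThreadId = GetThreadId(hThread);` in the second hunk reinstates a static kernel32 import that the typedef comment deleted in the first hunk describes as absent on Windows XP SP3, and neither this revert's message nor the series records why the runtime lookup was dropped or whether that platform is still a supported target. Without that rationale the next reader is likely to redo the first patch; a one-line note in the commit message, or a comment at the call such as `// GetThreadId is imported statically; minimum supported Windows version: <confirm>`, would close the loop. create_remote_thread starts and ends outside the hunk.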