[C++] [Windows] RtlRemoteCall 'Rewrite'

[Cypher]

As I promised in this thread, I'm releasing my RtlRemoteCall 'rewrite'.

This is similar to what is posted above, but with key differences:

• No use of ASM
• Full native x64 support
• Uses a new thread rather than an existing one
• More reliable

Full info and code is available on my blog.
Ramblings++ » Blog Archive » RtlRemoteCall ‘Rewrite’ - Just another periodically updated, syndicated website

Linking rather than copypastaing because it means if I want to change the post I only have to change it in one location.

P.S. In b4 Kurios removes my thread because I'm just linking to my blog, despite the fact it's a contribution to the community and I'm just using my blog as a central message post rather than having to duplicate it to the multiple places I wish to share it.

P.S.S. Yes, the above really has happened before. >_>

[vulcanaoc]

Really nice.. I'll look at this technique more in-depth when I get some time.

TBH, I hadn't even heard of RtlRemoteCall before you mentioned it.

[vulcanaoc]

Really nice.. I'll look at this technique more in-depth when I get some time.

TBH, I hadn't even heard of RtlRemoteCall before you mentioned it.

[amadmonk]

So, first, nice code.

Second, why would you use this rather than CreateRemoteThread, seeing as how the both, well, create a remote thread (I understand that what happens behind the scenes is very different, but the effect is the same... I create a thread in a target process and run some arbitrary code). Is it just the variable number of params that's an upgrade?

Not meaning to rain on the parade and all. It's still nice code, as usual. I gotta pull my head outta bot land and start doing system code again. It's fun...

Edit: MMO is super slow lately, which may be causing some double-posts...

[Cypher]

So, first, nice code.

Second, why would you use this rather than CreateRemoteThread, seeing as how the both, well, create a remote thread (I understand that what happens behind the scenes is very different, but the effect is the same... I create a thread in a target process and run some arbitrary code). Is it just the variable number of params that's an upgrade?

Not meaning to rain on the parade and all. It's still nice code, as usual. I gotta pull my head outta bot land and start doing system code again. It's fun...

Edit: MMO is super slow lately, which may be causing some double-posts...

Primarily because CreateRemoteThread only lets you pass one param.

Like I said, this is written for my DLL loader, I need to be able to call DllMain, and CreateRemoteThread can't do that.

Also, it means I can support different calling conventions (which CreateRemoteThread can't do).

Lastly, I can easily push the previous context onto the stack, so if you control the function being called, you can then do a NtContinue with the previous context and use it to hijack existing threads. This is something I'll be adding when I get around to it.

[flo8464]

Like it, thanks for your afford & sharing it.

[ramey]

Firsty, great contribute Cypher. I've been following your blog and it's great.

Secondly, if they want to delete your thread; let them. If they don't want people contributing good code (which is a change) then let them. You aren't losing anything if they do, and personally, anyone who is interested in it from here probably already checks your blog because of your signature, and anyone who is decent will probably be looking at your blog.

So really, if they delete it (which is jokes), let them.

[Cypher]

Firsty, great contribute Cypher. I've been following your blog and it's great.

Secondly, if they want to delete your thread; let them. If they don't want people contributing good code (which is a change) then let them. You aren't losing anything if they do, and personally, anyone who is interested in it from here probably already checks your blog because of your signature, and anyone who is decent will probably be looking at your blog.

So really, if they delete it (which is jokes), let them.

Last time I did.

He told me to either duplicate the content (which is annoying for me), or he'll delete the thread. So I told him he can just delete it.

Thanks btw.