
MMap with "NoThreads" Flag Crashes with 0xc00000225

Open mrtiggles5 opened this issue 6 years ago • 8 comments

Hello DarthTon, I'm having issues with using your MMap with thread hijacking. Every time the injection runs in my application it crashes the target program and then returns 0xc00000225.

I've tried the thread hijacking MMap with many different DLLs and many different non-WOW64 processes, but I always keep crashing. Perhaps there is a bug in the code, I'm not sure.

mrtiggles5 (Oct 23 '17 21:10)

++ Problem with the latest Windows version and all kernel injection methods on driver load. From the log: Started on Windows 10.0.0.16299 x64. Driver status: 0xC0000225

roman125 (Oct 23 '17 23:10)

Firstly, google that. For kernel MMap this status, 0xC0000225 (STATUS_NOT_FOUND), means that it cannot find the driver file.

For injection without the driver, compile BlackBone in debug mode and get the trace log from it.

boris768 (Oct 24 '17 09:10)

10.0.0.16299 isn't supported in the driver yet.

DarthTon (Oct 24 '17 09:10)

I'm not using the driver. I'm not sure why boris and Roma seem to think that I am using the driver for manual map when the driver does not even support the "NoThreads" flag. I figured out that the 0xC0000225 error was due to not being able to resolve the dependencies, but I have since fixed this issue. Now I am getting the 0x8000000d error with every process I seem to inject into with the NoThreads option, since every process I inject into seems to crash. Here are the logs:

BlackBone: Allocate: Allocating at address 0x00000276C3810000 (0x1000 bytes)
BlackBone: Allocate: Allocating at address 0x00000276C3820000 (0x4000 bytes)
BlackBone: Allocate: Allocating at address 0x00000276C3830000 (0x1000 bytes)
BlackBone: ManualMap: Hijacking Thread!
BlackBone: ManualMap: Created APC Thread!
BlackBone: ManualMap: Mapping image 'TEST.dll' with flags 0x81
BlackBone: ManualMap: Loading new image 'TEST.dll'
BlackBone: Allocate: Allocating at address 0x00007FFA03680000 (0x7000 bytes)
BlackBone: ManualMap: Image base allocated at 0x00007ffa03680000
BlackBone: Allocate: Allocating at address 0x00000276C3C70000 (0x200 bytes)
BlackBone: Free: Free at address 0x00007FFA03680000
BlackBone: Free: Free at address 0x00000276C3C70000
BlackBone: Free: Free at address 0x00000276C3830000
BlackBone: Free: Free at address 0x00000276C3820000
BlackBone: Free: Free at address 0x00000276C3810000
Couldn't map with error: 0x8000000d

mrtiggles5 (Oct 25 '17 00:10)
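The two status values in this thread (boris768's 0xC0000225 and the 0x8000000d in the log above) are NTSTATUS codes, and their fields can be read off directly. The helper below is an added example, not BlackBone code: it splits a 32-bit NTSTATUS into severity, customer bit, facility and code, and applies the NT_SUCCESS rule (sign bit clear). STATUS_NOT_FOUND for 0xC0000225 is the name given in the thread; STATUS_PARTIAL_COPY is the ntstatus.h name for 0x8000000D. The decoder shows why both are reported as failures: 0xC0000225 has error severity, while 0x8000000D has warning severity, which is still not a success for NT_SUCCESS.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical helper (not part of BlackBone): the NTSTATUS layout is
// severity bits 31..30, customer bit 29, reserved N bit 28,
// facility bits 27..16, code bits 15..0.
struct NtStatusFields {
    uint32_t severity;  // 0 success, 1 informational, 2 warning, 3 error
    bool     customer;  // set for vendor-defined status values
    uint32_t facility;  // 12-bit facility id (0 = FACILITY_NULL, the NT kernel)
    uint32_t code;      // 16-bit code within the facility
};

NtStatusFields decodeNtStatus(uint32_t status) {
    NtStatusFields f;
    f.severity = (status >> 30) & 0x3u;
    f.customer = ((status >> 29) & 0x1u) != 0;
    f.facility = (status >> 16) & 0x0FFFu;
    f.code     = status & 0xFFFFu;
    return f;
}

// NT_SUCCESS as defined in ntdef.h: true when the sign bit is clear,
// i.e. for success and informational severities only.
bool ntSuccess(uint32_t status) {
    return static_cast<int32_t>(status) >= 0;
}

const char* severityName(uint32_t severity) {
    switch (severity) {
        case 0: return "success";
        case 1: return "informational";
        case 2: return "warning";
        case 3: return "error";
    }
    return "?";
}

// Symbolic names for the two codes seen in this thread, values as in ntstatus.h.
std::string knownName(uint32_t status) {
    switch (status) {
        case 0xC0000225u: return "STATUS_NOT_FOUND";
        case 0x8000000Du: return "STATUS_PARTIAL_COPY";
        default:          return "(not in this table)";
    }
}

// One-line human-readable breakdown of a status value.
std::string describe(uint32_t status) {
    NtStatusFields f = decodeNtStatus(status);
    char buf[160];
    std::snprintf(buf, sizeof buf,
                  "0x%08X: %s %s, facility 0x%03X, code 0x%04X, NT_SUCCESS=%s",
                  status, severityName(f.severity), knownName(status).c_str(),
                  f.facility, f.code, ntSuccess(status) ? "true" : "false");
    return std::string(buf);
}

int main() {
    // Constructed sample set: the two codes from the thread plus STATUS_SUCCESS.
    const uint32_t samples[] = { 0xC0000225u, 0x8000000Du, 0x00000000u };
    for (uint32_t s : samples) {
        std::printf("%s\n", describe(s).c_str());
    }
    return 0;
}
```

When a BlackBone call returns a status, running it through describe() tells you whether the value is a hard error or a warning-class status such as a partial read, which is the first thing to check before assuming the injected DLL itself is at fault.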

It seems that this line

thd->Resume();                      // let the hijacked thread run the remote call
if (NT_SUCCESS( status ))
{
    // wait up to 20 s for the remote routine to signal completion
    WaitForSingleObject( _hWaitEvent, 20 * 1000/*INFINITE*/ );
    // read the routine's return value back from the user data block
    status = _userData.Read( RET_OFFSET, callResult ); <------------------- this line
}

is causing the crash in the process. This code has consistently caused every x64 process that I have injected into (Chrome, Firefox, etc.) to crash. Any ideas on why this might be crashing?

mrtiggles5 (Oct 25 '17 00:10)

I've just tested the "NoThreads" flag with my x64 DLL and everything worked flawlessly. Perhaps your DLL is causing this? Does it work without the flag or using native injection?

The line you pinpointed is a generic remote call. It could be any actual routine.

DarthTon (Oct 25 '17 14:10)

The injection seems to work fine without the "NoThreads" flag.

mrtiggles5 (Oct 25 '17 17:10)

I actually got the mmap working by using NoSxS and NoExceptions. I'm not sure if you are including those flags or if you got it working with just NoThreads. Is there any way you could write a test with your options for thread hijacking? I would be much obliged!

mrtiggles5 (Oct 28 '17 19:10)