Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Too early injection issue #122

Open
wineggdrop opened this issue Feb 23, 2025 · 0 comments
Open

Too early injection issue #122

wineggdrop opened this issue Feb 23, 2025 · 0 comments

Comments

@wineggdrop
Copy link

wineggdrop commented Feb 23, 2025
edited
Loading

prior to windows server 2019,after R77 installed,the console application with no user32.dll import such as net.exe and others still occasionally fail to run with access denied or other error.I guess the reason is the injected code start running before the console application even initialized.it does not happen all the time but it does happen. The GUI application does not have this issue.I would screenshot it when encounter next time.
If that is the reason,not sure how to check the remote process is fully initialized

Windows Server 2019/windows 10/11/Windows Server 2022
CreateProcess -> CreateProcessInternalW(KERNELBASE.dll) -> LdrInitializeThunk -> NtContinue -> LdrInitializeThunk -> NtContinue -> NtCreateUserProcess -> NtResumeThread

Windows Server 2008/2012/2016/2025
CreateProcess -> CreateProcessInternalW(KERNELBASE.dll) -> NtCreateUserProcess -> NtResumeThread
LdrInitializeThunk & NtContinue call just missing here
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@wineggdrop