replaced CreateRemoteThread

2 files changed, 18 insertions, 2 deletions

diff --git a/sysmap/src/main.cpp b/sysmap/src/main.cpp
index 871be35..4c73340 100644
--- a/sysmap/src/main.cpp
+++ b/sysmap/src/main.cpp
@@ -43,6 +43,8 @@ int main(int argc, char* argv[]) {
 
 	g_syscalls.init();
 
+	io::log<info>("waiting for {}", args[0]);
+
 	process::process_x64_t proc;
 	if (NT_SUCCESS(proc.attach(args[0]))) {
 		io::log<info>("attached!");
diff --git a/sysmap/src/mapper/process.h b/sysmap/src/mapper/process.h
index 77f7185..9d6da35 100644
--- a/sysmap/src/mapper/process.h
+++ b/sysmap/src/mapper/process.h
@@ -154,7 +154,19 @@ namespace process {
 			return ret;
 		}
 
-		NTSTATUS close(HANDLE handle) {
+		NTSTATUS create_thread(uintptr_t start, HANDLE *out) {
+			static auto nt_create = g_syscalls.get<decltype(&NtCreateThreadEx)>("NtCreateThreadEx");
+
+			return nt_create(out, THREAD_ALL_ACCESS, nullptr, handle, reinterpret_cast<LPTHREAD_START_ROUTINE>(start), 0, 0x4, 0, 0, 0, 0);
+		}
+
+		NTSTATUS wait(HANDLE h) {
+			static auto nt_wait = g_syscalls.get<decltype(&NtWaitForSingleObject)>("NtWaitForSingleObject");
+
+			return nt_wait(h, false, nullptr);
+		}
+
+		static NTSTATUS close(HANDLE handle) {
 			static auto nt_close = g_syscalls.get<decltype(&NtClose)>("NtClose");
 
 			auto ret = nt_close(handle);
@@ -448,7 +460,9 @@ namespace process {
 
 			write(shellcode_base, shellcode.data(), shellcode.size());
 
-			CreateRemoteThread(handle, 0, 0, (LPTHREAD_START_ROUTINE)shellcode_base, 0, 0, 0);
+			HANDLE thread_handle;
+			create_thread(shellcode_base, &thread_handle);
+			wait(thread_handle);
 
 			io::log<log_lvl::info>("mapped target image");