CreateRemoteThread 32->64 and/or 64->32

Question

I need a way to CreateRemoteThread in x64 windows into both 64 and 32 bit processes. I've worked out how to find instruction set of target process, how to allocate memory in the target process for the assembly sled, and I've almost worked out what to do about address space randomization.

I don't know how to actually start the thread on the remote process when it is of the wrong instruction set.

Notice: I don't care which of the two problems you solve. My own exe can be either 32 or 64 bits (but I really do have to choose before I know the number of bits of the target process).

Before somebody complains that I really shouldn't have to do this, ask Microsoft why I have to set FILE_SHARE_DELETE on all open handles before I can delete a file that is in use. No, there's no way around needing to delete files that other process have open either.

Answer 1

As a work-around for your stated problem, you could and probably should use the deferred delete on reboot functionality provided by the operating system if you need to delete files in use by other processes, and the other processes have not opened them for FILE_SHARE_DELETE. It's likely much less potentially dangerous than modifying existing file handles in foreign processes with thread injection, not to mention potentially requiring less privileges. Just a thought.

If you're set on remote thread injection, see the workarounds on the MSDN page; maybe there's some inspiration there. You could also consider just brute-force killing the other processes (nicely first, forcefully as necessary), since you're goona need admin access anyway, and mucking with their internal handles might not leave them in a good state. That's what installers do (or ask the user to do) when they need to replace open files without a reboot.

Answer 2

CreateRemoteThread 32->64 doesn't work.

CreateRemoteThread 64->32 works.