Issue with 32 bit program: Remote thread error: The specified module could not be found #34

Open
gaojx opened this issue Nov 3, 2021 · 2 comments

gaojx commented Nov 3, 2021

Using this with a 32-bit program (Sybase isql.exe) on Win 10 (Win64), I got the error:
Remote thread error: The specified module could not be found.

As a result, the injection failed. Here are the logs:

[D] 2021/11/03 16:19:51 Argv[3] = \sybase\OCS-16_0\bin\isql.exe
[D] 2021/11/03 16:19:51 Argv[4] = -S
[D] 2021/11/03 16:19:51 Argv[5] = syb16qa
[D] 2021/11/03 16:19:51 Argv[6] = -U
[D] 2021/11/03 16:19:51 Argv[7] = esp_nfy_auth
[D] 2021/11/03 16:19:51 Argv[8] = -P
[I] 2021/11/03 16:19:51 Configuration file: \tools\proxychains.conf
[D] 2021/11/03 16:19:51 fpGetModuleHandleWX64 = 00007FFDE7A2D130
[D] 2021/11/03 16:19:51 fpGetModuleHandleWX86 = 00000000764E0E50
[D] 2021/11/03 16:19:51 fpLoadLibraryWX64 = 00007FFDE7A2FEE0
[D] 2021/11/03 16:19:51 fpLoadLibraryWX86 = 00000000764E16C0
[D] 2021/11/03 16:19:51 fpGetProcAddressX64 = 00007FFDE7A2AEC0
[D] 2021/11/03 16:19:51 fpGetProcAddressX86 = 00000000764DF550
[D] 2021/11/03 16:19:51 fpFreeLibraryX64 = 00007FFDE7A2C7D0
[D] 2021/11/03 16:19:51 fpFreeLibraryX86 = 00000000764E0AE0
[D] 2021/11/03 16:19:51 fpGetLastErrorX64 = 00007FFDE7A25BF0
[D] 2021/11/03 16:19:51 fpGetLastErrorX86 = 00000000764DE010
[D] 2021/11/03 16:19:51 fpOutputDebugStringAX64 = 00007FFDE7A342D0
[D] 2021/11/03 16:19:51 fpOutputDebugStringAX86 = 00000000764D9350
[D] 2021/11/03 16:19:51 fpGetCurrentProcessIdX64 = 00007FFDE7A34890
[D] 2021/11/03 16:19:51 fpGetCurrentProcessIdX86 = 00000000764E2E90
[D] 2021/11/03 16:19:51 fpwsprintfAX64 = 00007FFDE75D7890
[D] 2021/11/03 16:19:51 fpwsprintfAX86 = 000000007694ACA0
[D] 2021/11/03 16:19:51 fpSleepX64 = 00007FFDE7A2ADA0
[D] 2021/11/03 16:19:51 fpSleepX86 = 00000000764E0F00
[D] 2021/11/03 16:19:51 fpExitThreadX64 = 00007FFDE94645F0
[D] 2021/11/03 16:19:51 fpExitThreadX86 = 00000000771FB4B0
[D] 2021/11/03 16:19:51 fpReleaseSemaphoreX64 = 00007FFDE7A34A60
[D] 2021/11/03 16:19:51 fpReleaseSemaphoreX86 = 00000000764E3060
[D] 2021/11/03 16:19:51 fpCloseHandleX64 = 00007FFDE7A348E0
[D] 2021/11/03 16:19:51 fpCloseHandleX86 = 00000000764E2EE0
[D] 2021/11/03 16:19:51 fpWaitForSingleObjectX64 = 00007FFDE7A34AD0
[D] 2021/11/03 16:19:51 fpWaitForSingleObjectX86 = 00000000764E30D0
[D] 2021/11/03 16:19:51 Configuration fixed part size: 9024
[D] 2021/11/03 16:19:51 Configuration total size: 14760
[D] 2021/11/03 16:19:51 MasterProcessId: 21432
[D] 2021/11/03 16:19:51 LogLevel: 600
[D] 2021/11/03 16:19:51 IpcPipeName: \.\pipe\proxychains_21432_132804443914015147
[D] 2021/11/03 16:19:51 ConfigPath: \tools\proxychains.conf
[D] 2021/11/03 16:19:51 HookDllPath: C:\git\proxychains-windows\win32_output\proxychains_hook_x64d.dll
[D] 2021/11/03 16:19:51 MinHookDllPath: MinHook.x64.dll
[D] 2021/11/03 16:19:51 HostsFilePath: C:\WINDOWS\system32\drivers\etc\hosts
[D] 2021/11/03 16:19:51 CommandLine: C:\sybase\OCS-16_0\bin\isql.exe -S syb16qa -U esp_nfy_auth -P
[D] 2021/11/03 16:19:51 FakeIpv4Range: 224.0.0.0/8
[D] 2021/11/03 16:19:51 FakeIpv6Range: 250d::/16
[D] 2021/11/03 16:19:51 ProxyConnectionTimeoutMillisecond: 3000
[D] 2021/11/03 16:19:51 ProxyHandshakeTimeoutMillisecond: 5000
[D] 2021/11/03 16:19:51 WillUseFakeIpAsRemoteDns: 1
[D] 2021/11/03 16:19:51 WillUseUdpAssociateAsRemoteDns: 0
[D] 2021/11/03 16:19:51 WillDeleteFakeIpAfterChildProcessExits: 1
[D] 2021/11/03 16:19:51 WillUseFakeIpWhenHostnameNotMatched: 1
[D] 2021/11/03 16:19:51 WillMapResolvedIpToHost: 0
[D] 2021/11/03 16:19:51 WillLookupForHostByResolvedIp: 0
[D] 2021/11/03 16:19:51 WillResolveLocallyIfMatchHosts: 1
[D] 2021/11/03 16:19:51 WillFirstTunnelUseIpv4: 1
[D] 2021/11/03 16:19:51 WillFirstTunnelUseIpv6: 0
[D] 2021/11/03 16:19:51 WillGenFakeIpUsingHashedHostname: 1
[D] 2021/11/03 16:19:51 DefaultTarget: PROXY
[D] 2021/11/03 16:19:51 sizeof(PROXYCHAINS_CONFIG): 9024
[D] 2021/11/03 16:19:51
[D] 2021/11/03 16:19:51 [ProxyList] Offset: 9024, sizeof(): 1164, Length: 1
[D] 2021/11/03 16:19:51 [0] localhost:9050(516) Ws2_32_Socks5Connect Ws2_32_Socks5Handshake
[D] 2021/11/03 16:19:51
[D] 2021/11/03 16:19:51 [RuleList] Offset: 10188, sizeof(): 528, Length: 5
[D] 2021/11/03 16:19:51 [0] <IP_CIDR> 127.0.0.0/8 -> DIRECT
[D] 2021/11/03 16:19:51 [1] <IP_CIDR> 10.0.0.0/8 -> DIRECT
[D] 2021/11/03 16:19:51 [2] <IP_CIDR> 172.16.0.0/12 -> DIRECT
[D] 2021/11/03 16:19:51 [3] <IP_CIDR> 192.168.0.0/16 -> DIRECT
[D] 2021/11/03 16:19:51 [4] <IP_CIDR> fe80::/8 -> DIRECT
[D] 2021/11/03 16:19:51
[D] 2021/11/03 16:19:51 [HostsEntry] Offset: 12828, sizeof(): 644, Length: 3
[D] 2021/11/03 16:19:51 [0] host.docker.internal 192.168.68.104
[D] 2021/11/03 16:19:51 [1] gateway.docker.internal 192.168.68.104
[D] 2021/11/03 16:19:51 [2] kubernetes.docker.internal 127.0.0.1
[D] 2021/11/03 16:19:51
[D] 2021/11/03 16:19:51 (Deprecated)RemoteFuncX64 Offset: 14760, Size: 0
[D] 2021/11/03 16:19:51 (Deprecated)RemoteFuncX86 Offset: 14760, Size: 0
[D] 2021/11/03 16:19:51 PXCH_CONFIG_EXTRA_SIZE_G: 5736
[V] 2021/11/03 16:19:51 Hooked CreateProcessW from 00007FFDE7A2CB60 to 00007FFDB8572D20, return = 0
[D] 2021/11/03 16:19:51 Main Program Hooked!
[D] 2021/11/03 16:19:51 IPC Server Tid: 20692
[V] 2021/11/03 16:19:51 Waiting for g_hIpcServerSemaphore.
[V] 2021/11/03 16:19:51 Ipc Server Initializing...
[V] 2021/11/03 16:19:51 Ipc Server Initializing Event 0
[V] 2021/11/03 16:19:51 Ipc Server Initializing Event 1
[V] 2021/11/03 16:19:51 Ipc Server Initializing Event 2
[V] 2021/11/03 16:19:51 Ipc Server Initializing Event 3
[D] 2021/11/03 16:19:51 [IPCALL] Waiting for clients...
[V] 2021/11/03 16:19:51 ServerLoop: Signaling semaphore...
[V] 2021/11/03 16:19:51 ServerLoop: Signaled semaphore.
[D] 2021/11/03 16:19:51 szCommandLine: C:\sybase\OCS-16_0\bin\isql.exe -S syb16qa -U esp_nfy_auth -P
[D] 2021/11/03 16:19:51 (In CreateProcessW) g_pRemoteData->dwDebugDepth = 4294967295
[D] 2021/11/03 16:19:51 CreateProcessW: (null), C:\sybase\OCS-16_0\bin\isql.exe -S syb16qa -U esp_nfy_auth -P, lpProcessAttributes: 0, lpThreadAttributes: 0, bInheritHandles: 0, dwCreationFlags: 0, lpCurrentDirectory: (null); Ret: 1 Child winpid 2852, tid 11632
[V] 2021/11/03 16:19:51 CreateProcessW: Copied.
[V] 2021/11/03 16:19:51 CreateProcessW: After jmp to err_orig.
[V] 2021/11/03 16:19:51 CreateProcessW: Before InjectTargetProcess.
[D] 2021/11/03 16:19:51 Child is an X86(Win32) process (0 1).
[V] 2021/11/03 16:19:51 CreateProcessW: Entering InjectTargetProcess. 15460
[V] 2021/11/03 16:19:51 CreateProcessW: Before CopyMemory. 0
[V] 2021/11/03 16:19:51 CreateProcessW: After CopyMemory. 0
[V] 2021/11/03 16:19:51 CreateProcessW: After remoteData assignment. 0
[D] 2021/11/03 16:19:51 C:\git\proxychains-windows\win32_output\proxychains_hook_x64d.dll
[V] 2021/11/03 16:19:51 CreateProcessW: After StringCchCopy. 0
[V] 2021/11/03 16:19:51 CreateProcessW: Before VirtualAllocEx. 832
[V] 2021/11/03 16:19:51 CreateProcessW: After VirtualAllocEx. 00000000009F0000
[V] 2021/11/03 16:19:51 RemoteFuncCode bin data: 55 8b ec 83 ec 10 8b 45 08 89 45 fc 8b 4d fc 8b
[V] 2021/11/03 16:19:51 EntryDetour bin data: 55 81 ec 00 04 00 00 8d ac 24 00 02 00 00 c7 45
[V] 2021/11/03 16:19:51 CreateProcessW: After Write Code. 1328
[D] 2021/11/03 16:19:51 pTargetPeb: 0000000000B82000, TargetCtx.Rax - Rdx: 0000000000000000 0000000000000000 000000000056128E 0000000000B83000, (Invalid)TargetWow64Ctx.Eax - Edx: 0000000000000000 0000000000000000 0000000000000000 0000000000000000.
[D] 2021/11/03 16:19:51 TargetWow64CtxFromTeb.Eax - Edx: 000000000056128E 0000000000B83000 0000000000000000 0000000000000000.
[D] 2021/11/03 16:19:51 pTargetWow64Peb: 0000000000B83000
[D] 2021/11/03 16:19:51 pTargetOriginalEntry: 000000000056128E
[V] 2021/11/03 16:19:51 CreateProcessW: After Write Data. 4
[V] 2021/11/03 16:19:51 Waiting for hSemaphore.
[V] 2021/11/03 16:19:51 CreateProcessW: After RemoteCopyExecute. 0
[W] 2021/11/03 16:19:51 Error: Remote thread error: The specified module could not be found.(126)!
[V] 2021/11/03 16:19:51 CreateProcessW: Injected. 126
[E] 2021/11/03 16:19:51 Injecting WINPID 2852 Error: The specified module could not be found.(126)
[I] 2021/11/03 16:19:52 No child process registered. Injection might not have succeeded.

gaojx (Author) commented Nov 3, 2021

Some more info:

  1. Running with a 64-bit program (e.g. mysql) works great.
  2. Running the 32-bit program directly (without proxychains) works too, so the path etc. is set up properly.
  3. Running a simple 32-bit Hello World! (generated by VSC) can replicate the issue.
  4. Running as Administrator does not help the issue.

shunf4 (Owner) commented Nov 4, 2021

Please make sure proxychains_hook_x86(d).dll exists in C:\git\proxychains-windows\win32_output\. (Try building with x86 configuration in Visual Studio?)
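
Added example, not part of the thread and not proxychains-windows code: a preflight check for what the reply above asks about. It reads the Machine field in the target executable's PE header and confirms that a hook DLL of the same bitness is present. The function names and the single-directory layout are assumptions of this example; the DLL file names are the ones quoted in the thread.

```python
import struct
import tempfile
from pathlib import Path

# COFF Machine values: IMAGE_FILE_MACHINE_I386 and IMAGE_FILE_MACHINE_AMD64
MACHINES = {0x014C: "x86", 0x8664: "x64"}

def pe_machine(data: bytes) -> str:
    """Return 'x86' or 'x64' for a PE image, reading only its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine not in MACHINES:
        raise ValueError(f"unsupported machine type 0x{machine:04x}")
    return MACHINES[machine]

def find_hook_dll(target_exe: Path, hook_dir: Path) -> Path:
    """Locate the hook DLL matching target_exe's bitness, or raise."""
    arch = pe_machine(target_exe.read_bytes())
    # Names as quoted in the thread: release build, then debug ("d") build.
    for name in (f"proxychains_hook_{arch}.dll", f"proxychains_hook_{arch}d.dll"):
        dll = hook_dir / name
        if dll.is_file():
            if pe_machine(dll.read_bytes()) != arch:
                raise ValueError(f"{dll.name} is not an {arch} image")
            return dll
    raise FileNotFoundError(f"no {arch} hook DLL in {hook_dir}; build the {arch} configuration")

def fake_pe(machine: int) -> bytes:
    """Constructed sample: the smallest header pe_machine() accepts (not loadable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

def demo() -> tuple:
    """Mirror the thread's layout: x86 child, only the x64 debug DLL built."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "isql.exe").write_bytes(fake_pe(0x014C))
        (d / "proxychains_hook_x64d.dll").write_bytes(fake_pe(0x8664))
        try:
            find_hook_dll(d / "isql.exe", d)
            before = "found"
        except FileNotFoundError:
            before = "missing"
        (d / "proxychains_hook_x86d.dll").write_bytes(fake_pe(0x014C))
        return before, find_hook_dll(d / "isql.exe", d).name
```

On a real system, call `find_hook_dll()` with the path of the program being launched and the directory shown as `HookDllPath` in the log.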
