VirtualAllocEx

Hi,
I'm trying to figure out how to allocate memory to a process, write bytes to it and then create a remote thread upon it, but the process keeps freezing, and I have a feeling that I'm doing something incorrectly.
Here's the code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#include <Windows.h>
#include <iostream>

int main() {
	HWND Minesweeper = FindWindow(0, "Minesweeper");
	if (!Minesweeper) {
		MessageBox(NULL, "Unable to find Minesweeper", "Minesweeper", 0);
		return 1;
	}
	DWORD pid;
	GetWindowThreadProcessId(Minesweeper, &pid);
	HANDLE Process = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	BYTE Address[] = {0x00530008};
	BYTE Bytes[] = {0x6A, 0x0A, 0xE8, 0x79, 0x2F, 0xBD, 0x00, 0xC3};
	/*
	push 0A
	call func
	ret
	*/
	LPVOID address = VirtualAllocEx(Process, (LPVOID)Address, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	std::cout << address << std::endl;
	WriteProcessMemory(Process, (LPVOID)address, (LPVOID)Bytes, 8, NULL);
	CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)address, NULL, 0, NULL);
	MessageBox(NULL, "Executed", "Minesweeper", 0);
}


I greatly appreciate any help given.
what is line 13 supposed to do?
Hi,

Look at my recent thread it is related to injection: http://cplusplus.com/forum/windows/101880/

A sample code I made for Injecting into other processes *NOTE*: I am using CreateRemoteThread() so you cannot inject in to crss.exe or other System process of course you can use NtCreateThreadEx to do that instead but not advised.
Code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
#include<Windows.h>
#include<iostream>
#include<TlHelp32.h>
#include<stdlib.h>
using namespace std;
typedef int (WINAPI* msgparam)(HWND,LPSTR,LPSTR,UINT);
DWORD getPid(string procname);
int privileges();
struct PARAMETERS
{
	DWORD MessageBoxinj;
	char szText[50];
	char szCaption[50];
    int  szButtons;
};
static DWORD MyFunc(PARAMETERS* Message);
static DWORD Stub();



int main()
{
	if(privileges() ==0)
	{

	DWORD pid = getPid("Skynet - Attacker.exe");
	if(pid == 0) return 1;

	HANDLE p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);

	if(p == 0) return 1;

	PARAMETERS szInjectionData;
	szInjectionData.MessageBoxinj = (DWORD)GetProcAddress(LoadLibrary("User32.dll"),"MessageBoxA");
	szInjectionData.szButtons = MB_ICONERROR|MB_OK;
	strcpy_s(szInjectionData.szCaption,"Hello World");
	strcpy_s(szInjectionData.szText,"Called from Code Injection");

	DWORD szFunctionSize = (DWORD) Stub - (DWORD)MyFunc;
	LPVOID szFunctionAddress = VirtualAllocEx(p,0,szFunctionSize,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(p,szFunctionAddress,(VOID*)MyFunc,szFunctionSize,0);
	LPVOID szDataAdress = VirtualAllocEx(p,0,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
	WriteProcessMemory(p,szDataAdress,&szInjectionData,sizeof(PARAMETERS),0);

	HANDLE Thread = CreateRemoteThread(p,0,0,(LPTHREAD_START_ROUTINE)szFunctionAddress,szDataAdress,0,0);
	if(Thread !=0)
	{
	WaitForSingleObject(Thread, INFINITE);
	VirtualFree(szFunctionAddress, 0, MEM_RELEASE); //free myFunc memory
		VirtualFree(szDataAdress, 0, MEM_RELEASE); //free data memory
		CloseHandle(Thread);
		CloseHandle(p);  //don't wait for the thread to finish, just close the handle to the process
		cout<<"Injection completed!"<<endl;
	return 0;
	}
	}
	else
	{
		exit(1);
	}
}
DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   pt.dwSize = sizeof(PROCESSENTRY32);
   do{
		  if(!strcmp(pt.szExeFile, procName.c_str())){
			 DWORD pid = pt.th32ProcessID;
			 CloseHandle(hsnap);
			 return pid;
		  }
   } while(Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;		  
}
static DWORD MyFunc(PARAMETERS * myparam){
	msgparam MsgBox = (msgparam)myparam->MessageBoxinj;
	 MsgBox(0, myparam->szText, myparam->szCaption, myparam->szButtons);
           for(;;)
		   {

			}
             return 0;
}
 
static DWORD Stub(){  
  return 0;
}

int privileges(){
  HANDLE Token;
  TOKEN_PRIVILEGES tp;
  if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
  {
	LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
   		 return 1; //FAIL
		}else{
   		 return 0; //SUCCESS
		}
   }	  
   return 1;
}


PST!! You forgot something in Allocation.
Last edited on
Topic archived. No new replies allowed.