Can't get CreateRemoteThread() to work

I'm having trouble getting the CreateRemoteThread function to work. I've followed tutorials and they've written it similar to this, and it worked for them. Can anyone spot what I've done wrong?

To summarize, I'm basically finding the process by snapshots of all the running processes (PROCESSENTRY32) and then starting a loop that goes through every process until it finds the calculator program. When/if found, it assigns the process ID to a variable I can use with OpenProcess(). From there on it gets more complicated (line 26 and onward); the purpose is to remotely call the DLLMain func with the reason DLL_PROCESS_ATTACH.

#include <cstring>      // strcmp, strlen
#include <windows.h>
#include <TlHelp32.h>

const char* dllPath = "C:\\Users\\Kalist\\Desktop\\Projects\\DLL\\bin\\Debug\\DLL.dll";

int main(){
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    HANDLE procSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    DWORD procID = 0; // stays 0 if calc.exe is never found

    if(procSnap != INVALID_HANDLE_VALUE){ // the failure value is INVALID_HANDLE_VALUE, not NULL
        if(Process32First(procSnap, &pe32)){
            do{
                if(!strcmp(pe32.szExeFile, "calc.exe")){ // szExeFile is char only in a non-UNICODE build
                    procID = pe32.th32ProcessID;
                    break;
                }
            }while(Process32Next(procSnap, &pe32));
        }
        CloseHandle(procSnap);
    }
    HANDLE procAccess = OpenProcess(PROCESS_ALL_ACCESS, false, procID);
    if(!procAccess) return 1; // calc.exe not found, or access was denied
    LPVOID virtualMemSpace = (LPVOID)VirtualAllocEx(procAccess, NULL, strlen(dllPath)+1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

    WriteProcessMemory(procAccess, (LPVOID)virtualMemSpace, dllPath, strlen(dllPath)+1, NULL);

    LPVOID loadLibAdd = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

    CreateRemoteThread(procAccess, 0, 0, (LPTHREAD_START_ROUTINE)loadLibAdd, (LPVOID)virtualMemSpace, 0, NULL);

    CloseHandle(procAccess);
}


DLLMain func to call:
#include <iostream>
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE DLL, DWORD reason, LPVOID reserved){
    if(reason == DLL_PROCESS_ATTACH){
        std::cout << "The injection worked";
    }
    // DllMain must return a value; returning FALSE on attach makes LoadLibrary fail.
    return TRUE;
}
What about this isn't working? If you find that "calc.exe" is crashing you could try calling 'LoadLibraryW' in the host process instead. Also, the calculator program isn't going to have a console window so I'm not sure what you're expecting to see here. I recommend 'MessageBoxW' instead. 'user32.dll' should already be loaded in that process IIRC so I don't think you'll have a problem with it.
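From the monitoring side, a thread created this way starts directly at LoadLibraryA, which Sysmon's Event ID 8 (CreateRemoteThread) exposes through its StartModule and StartFunction fields. The following is an added example, not part of the thread: the struct, the function names and the sample events are constructed for illustration, and only the event field names come from Sysmon.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Subset of the fields Sysmon records for Event ID 8 (CreateRemoteThread).
struct RemoteThreadEvent {
    std::string sourceImage;   // process that created the thread
    std::string targetImage;   // process the thread was created in
    std::string startModule;   // module containing the thread start address
    std::string startFunction; // exported symbol at the start address, "-" if unresolved
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// File-name part of a Windows path, lower-cased.
static std::string baseName(const std::string& path) {
    const auto pos = path.find_last_of("\\/");
    return lower(pos == std::string::npos ? path : path.substr(pos + 1));
}

// True when the remote thread starts directly at a LoadLibrary* export,
// which is the start routine the code in the question passes.
bool startsAtLoadLibrary(const RemoteThreadEvent& e) {
    const std::string mod = baseName(e.startModule);
    const bool loaderModule = (mod == "kernel32.dll" || mod == "kernelbase.dll");
    return loaderModule && lower(e.startFunction).rfind("loadlibrary", 0) == 0;
}

// Constructed sample events; paths and process names are illustrative only.
std::vector<RemoteThreadEvent> sampleEvents() {
    return {
        {"C:\\Users\\test\\loader.exe", "C:\\Windows\\System32\\calc.exe",
         "C:\\Windows\\System32\\KERNEL32.DLL", "LoadLibraryA"},
        {"C:\\Tools\\debugger.exe", "C:\\Windows\\System32\\notepad.exe",
         "C:\\Windows\\System32\\ntdll.dll", "DbgUiRemoteBreakin"},
        {"C:\\Tools\\agent.exe", "C:\\Windows\\System32\\svchost.exe", "-", "-"},
    };
}

// Target process names of every event whose thread starts at LoadLibrary*.
std::vector<std::string> flaggedTargets(const std::vector<RemoteThreadEvent>& events) {
    std::vector<std::string> out;
    for (const auto& e : events)
        if (startsAtLoadLibrary(e)) out.push_back(baseName(e.targetImage));
    return out;
}
```

Only the first sample event is flagged; the debugger attach and the unresolved start address are left alone.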