CreateRemoteThread - ERROR_ACCESS_DENIED

I think my code is finally working now. Only problem is that for some reason, even though I've opened the process with PROCESS_ALL_ACCESS, CreateRemoteThread throws back an error: ERROR_ACCESS_DENIED.

The error was retrieved with GetLastError() and it spit out '5', which translates to ERROR_ACCESS_DENIED.

#include <cstring>
#include <iostream>
#include <windows.h>
#include <TlHelp32.h>

// String literals are const, so the pointers to them are declared const char*.
const char* dllPath = "C:\\Users\\Kalist\\Desktop\\Projects\\DLL\\bin\\Debug\\DLL.dll";
const char* ProcToInject = "calc.exe";

int main(){
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    HANDLE procSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if(procSnap == INVALID_HANDLE_VALUE){
        std::cout << "Snapshot function failed" << std::endl;
        return 1;
    }

    // Walk the process list and look for the target by image name.
    // strcmp on szExeFile assumes an ANSI (non-UNICODE) build.
    DWORD procID = 0;
    if(Process32First(procSnap, &pe32)){
        do{
            if(!strcmp(pe32.szExeFile, ProcToInject)){
                procID = pe32.th32ProcessID;
                break;
            }
        }while(Process32Next(procSnap, &pe32));
    }
    CloseHandle(procSnap);

    if(procID != 0){

        HANDLE procAccess = OpenProcess(PROCESS_ALL_ACCESS, false, procID);
        if(procAccess == NULL){
            std::cout << "OpenProcess error: " << GetLastError() << std::endl;
            return 1;
        }

        // Reserve room in the target for the DLL path, including the terminating NUL.
        LPVOID remoteString = VirtualAllocEx(procAccess, NULL, strlen(dllPath)+1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if(remoteString == NULL){
            std::cout << "VirtualAllocEx error: " << GetLastError() << std::endl;
            CloseHandle(procAccess);
            return 1;
        }

        BOOL memoryWritten = WriteProcessMemory(procAccess, remoteString, dllPath, strlen(dllPath)+1, NULL);
        if(memoryWritten == 0){
            std::cout << "WriteProcessMemory error: " << GetLastError() << std::endl;
            VirtualFreeEx(procAccess, remoteString, 0, MEM_RELEASE);
            CloseHandle(procAccess);
            return 1;
        }

        LPVOID getLibAdd = (LPVOID)GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
        if(getLibAdd == NULL){
            std::cout << "GetProcAddress error: " << GetLastError() << std::endl;
            VirtualFreeEx(procAccess, remoteString, 0, MEM_RELEASE);
            CloseHandle(procAccess);
            return 1;
        }

        // This is the call that fails with error 5 (ERROR_ACCESS_DENIED).
        HANDLE remoteThread = CreateRemoteThread(procAccess, NULL, 0, (LPTHREAD_START_ROUTINE)getLibAdd, remoteString, 0, NULL);
        if(remoteThread == NULL){
            std::cout << "CreateRemoteThread error: " << GetLastError() << std::endl;
        }else{
            CloseHandle(remoteThread);
        }
        CloseHandle(procAccess);
    }else{
        std::cout << "Failed to retrieve procID" << std::endl;
    }
    return 0;
}

Try not to use PROCESS_ALL_ACCESS and use exactly the privileges described here:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx


Is your system by any chance 64-bit and you are using a 32-bit process? You will get access denied in that case too.

Hello,

First thing I would like to check is are you running your test program (the program you have made to use CreateRemoteThread) as Administrator?

If you cannot do this for whatever reason, you can attempt to modify the tokens of your process to make your process have SE_DEBUG_NAME privileges.

To do this, you can use the OpenProcessToken and SetPrivilege functions.

The second thing I would like to mention is if you changed the process target to "calc.exe" just to post this thread (for example, if you were really trying to inject into security software), the chances are it would be a protected process, hence this would not work. To interact with protected processes (security software protects its processes), you would require a kernel-mode driver.

Maybe you were not, just thought I'd mention it just in case!

Lastly, I have compiled the source code successfully and tested it. The code works, the injection succeeds for me. Want to know why? It's because you must make the architecture of the build the same as the target process to be injected. For example, if your program is x86 and your process is x64, it will not work. (as @modoran mentioned).

Thanks. Maybe my little comments above will be helpful though, or to someone else in the future anyway.
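
The architecture mismatch both replies point to can be confirmed from the image files themselves. The following is an added example, not code from any poster in this thread: it reads the Machine field of a PE header and compares two images. The function names (`peMachine`, `sameArch`, `sampleHeader`) are hypothetical, and the header bytes are constructed so the block runs without Windows.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// IMAGE_FILE_HEADER.Machine values for 32-bit and 64-bit x86 images.
const int MACHINE_I386 = 0x014C, MACHINE_AMD64 = 0x8664;

// Little-endian read of n (<= 4) bytes; the caller has bounds-checked off + n.
static uint32_t rd(const std::vector<uint8_t>& b, size_t off, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}

// Returns the Machine field of a PE image, or -1 when the buffer is not a
// well-formed PE header (too short, wrong magic, e_lfanew out of range).
int peMachine(const std::vector<uint8_t>& img) {
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t pe = rd(img, 0x3C, 4);                      // e_lfanew
    if (pe > img.size() || img.size() - pe < 6) return -1;
    if (rd(img, pe, 4) != 0x00004550) return -1;       // "PE\0\0"
    return static_cast<int>(rd(img, pe + 4, 2));
}

// True only when both images parse and record the same architecture.
bool sameArch(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    int m = peMachine(a);
    return m != -1 && m == peMachine(b);
}

// Constructed sample input: DOS magic, e_lfanew, PE signature and Machine
// only. A real caller would read the first bytes of each file instead.
std::vector<uint8_t> sampleHeader(uint16_t machine) {
    std::vector<uint8_t> h(0x48, 0);
    h[0] = 'M'; h[1] = 'Z';
    h[0x3C] = 0x40;                                    // e_lfanew = 0x40
    h[0x40] = 'P'; h[0x41] = 'E';
    h[0x44] = static_cast<uint8_t>(machine & 0xFF);
    h[0x45] = static_cast<uint8_t>(machine >> 8);
    return h;
}

int main() {
    std::vector<uint8_t> tool = sampleHeader(MACHINE_I386);
    std::vector<uint8_t> target = sampleHeader(MACHINE_AMD64);
    std::printf("architectures %s\n", sameArch(tool, target) ? "match" : "differ");
}
```

The same Machine comparison is useful in triage, where a 32-bit image paired with a 64-bit target explains a failed remote thread without running anything.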