CreateRemoteThread - Strange behaviour
Note: This has nothing to do with Half-Life at all.
BUGBUGBUG: Code sections are not accepting newlines? All my code appeared on a single line.

For some reason, using CreateRemoteThread to inject a DLL into a remote process causes it to either not load or behave strangely.

Notepad: DLL injected, DllMain called, and it exits after DllMain returns.
Solitaire: DLL injected, DllMain called, loads, but the About menu doesn't work, and the Options menu refreshes the deck instead.

This is really strange; does anyone have an idea as to why this is happening?

```c
#include <windows.h>
#include <string.h>

/* Loads lpModulepath into hProcess by running LoadLibraryA on a remote thread.
 * Assumes a 32-bit build: the HMODULE is recovered from the thread's 32-bit exit code. */
HMODULE RemoteLoadModule( HANDLE hProcess, LPCSTR lpModulepath )
{
    HANDLE hThread = NULL;   /* CreateRemoteThread returns NULL on failure, not INVALID_HANDLE_VALUE */
    LPTHREAD_START_ROUTINE pfnLoadLibraryA = NULL;
    LPVOID lpMemory = NULL;
    DWORD dwResult = 0;
    SIZE_T dwBytes = 0;
    SIZE_T nPathlen = 0;

    /* Include the terminating NUL, otherwise LoadLibraryA reads past the end of the path */
    nPathlen = strlen( lpModulepath ) + 1;

    /* The buffer only holds a string, so it does not need to be executable */
    lpMemory = VirtualAllocEx( hProcess, NULL, nPathlen, MEM_COMMIT, PAGE_READWRITE );

    /* kernel32.dll is mapped at the same base in every process of the same bitness */
    pfnLoadLibraryA = ( LPTHREAD_START_ROUTINE ) GetProcAddress( GetModuleHandleA( "kernel32.dll" ), "LoadLibraryA" );

    if ( lpMemory && pfnLoadLibraryA )
    {
        if ( WriteProcessMemory( hProcess, lpMemory, lpModulepath, nPathlen, &dwBytes ) )
        {
            hThread = CreateRemoteThread( hProcess, NULL, 0, pfnLoadLibraryA, lpMemory, 0, NULL );
            if ( hThread != NULL )
            {
                WaitForSingleObject( hThread, INFINITE );
                GetExitCodeThread( hThread, &dwResult );   /* LoadLibraryA's return value: module base, or 0 */
                CloseHandle( hThread );
            }
        }
        /* MEM_RELEASE requires dwSize to be 0 */
        VirtualFreeEx( hProcess, lpMemory, 0, MEM_RELEASE );
    }

    return ( HMODULE ) ( ULONG_PTR ) dwResult;
}

/* Starts lpApplicationpath suspended, injects lpInjectmodulepath, then resumes it.
 * lpInjectmodulepath is ANSI because the remote call goes to LoadLibraryA. */
BOOL CreateWithInject( LPCTSTR lpApplicationpath, LPCTSTR lpCurrentdirectory, LPTSTR lpCommandline,
                       LPCSTR lpInjectmodulepath, HMODULE* pRemoteModule )
{
    PROCESS_INFORMATION procInfo;
    STARTUPINFO startupInfo;
    HMODULE hRemote = NULL;
    BOOL bResult = FALSE;

    ZeroMemory( &procInfo, sizeof( PROCESS_INFORMATION ) );
    ZeroMemory( &startupInfo, sizeof( STARTUPINFO ) );
    startupInfo.cb = sizeof( STARTUPINFO );   /* CreateProcess requires cb to be set */

    if ( CreateProcess( lpApplicationpath, lpCommandline, NULL, NULL, TRUE, CREATE_SUSPENDED,
                        NULL, lpCurrentdirectory, &startupInfo, &procInfo ) )
    {
        hRemote = RemoteLoadModule( procInfo.hProcess, lpInjectmodulepath );
        if ( hRemote != NULL )
        {
            bResult = TRUE;
            if ( pRemoteModule )
                *pRemoteModule = hRemote;   /* hand the remote module handle back to the caller */
        }

        // TODO:
        // The function exists, free the remote ya lazy bastard :)
        ResumeThread( procInfo.hThread );
        WaitForSingleObject( procInfo.hThread, INFINITE );
        CloseHandle( procInfo.hProcess );
        CloseHandle( procInfo.hThread );
    }

    return bResult;
}
```
Re: CreateRemoteThread - Strange behaviour
A 'bit' more readable:
PHP Code:
Re: CreateRemoteThread - Strange behaviour
Just a few notes, maybe it will help:
- Perform only simple tasks in DllMain(). DO NOT load/free other libraries in DllMain(). (I know in most bots they call FreeLibrary to free the game DLL file from DllMain(), but it is not good :)) See here for more info:
- http://weblogs.asp.net/oldnewthing/a.../28/63880.aspx
Re: CreateRemoteThread - Strange behaviour
It had the same result both times, even when DllMain did nothing and just returned TRUE.
This also only happens when the process is created with the CREATE_SUSPENDED flag. But since that is the only time when IAT patching is useful, injection afterwards is basically useless. I have had success with proxy DLLs, but they take a long time to make and do not work with kernel32.dll functions. There was also another method where you overwrote the entry point with your code, let it execute, and restored the original. The problem with that was that I tried writing 0xCD03 (equal to __asm int 3) and the application would refuse to start.