A 'bit' more readable:
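HMODULE RemoteLoadModule( HANDLE hProcess, LPCSTR lpModulepath )
{
    /*
     * Load a DLL into another process: write the DLL path into the target's
     * address space and start a remote thread whose entry point is LoadLibraryA
     * with that path as its single argument.
     *
     * hProcess     - handle to the target process. Needs at least
     *                PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
     *                PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION.
     * lpModulepath - NUL-terminated ANSI path of the DLL to load.
     *
     * Returns what LoadLibraryA returned in the target, or NULL if any step
     * failed or the library did not load.
     *
     * Caveats:
     *  - The result travels back as the thread exit code, a DWORD, so on a
     *    64-bit target the module base is truncated to its low 32 bits;
     *    treat the return as a success flag there, not a usable address.
     *  - The local address of LoadLibraryA is reused remotely, which assumes
     *    the target has the same bitness as the caller (same kernel32 mapping).
     */
    HANDLE hThread = NULL;
    LPTHREAD_START_ROUTINE pfnLoadLibraryA = NULL;
    LPVOID lpRemotePath = NULL;
    DWORD dwResult = 0;
    SIZE_T cbWritten = 0;
    size_t cbPath = 0;

    if ( hProcess == NULL || lpModulepath == NULL || lpModulepath[0] == '\0' )
        return NULL;

    /* Copy the terminator too. The original wrote strlen() bytes and relied on
     * the freshly committed page being zero-filled to terminate the string. */
    cbPath = strlen( lpModulepath ) + 1;

    pfnLoadLibraryA = ( LPTHREAD_START_ROUTINE ) GetProcAddress( GetModuleHandle( "kernel32.dll" ), "LoadLibraryA" );
    if ( pfnLoadLibraryA == NULL )
        return NULL;

    /* The buffer only ever holds a string; it does not need to be executable.
     * The original used PAGE_EXECUTE_READWRITE. */
    lpRemotePath = VirtualAllocEx( hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE );
    if ( lpRemotePath == NULL )
        return NULL;

    if ( WriteProcessMemory( hProcess, lpRemotePath, lpModulepath, cbPath, &cbWritten ) && cbWritten == cbPath ) {
        hThread = CreateRemoteThread( hProcess, NULL, 0, pfnLoadLibraryA, lpRemotePath, 0, NULL );
        /* CreateRemoteThread reports failure as NULL, not INVALID_HANDLE_VALUE;
         * the original compared against the wrong sentinel. */
        if ( hThread != NULL ) {
            WaitForSingleObject( hThread, INFINITE );
            if ( !GetExitCodeThread( hThread, &dwResult ) )
                dwResult = 0;
            CloseHandle( hThread );
        }
    }

    /* MEM_RELEASE requires dwSize == 0. Passing the allocation size (as the
     * original did) makes the call fail and leaks the page in the target. */
    VirtualFreeEx( hProcess, lpRemotePath, 0, MEM_RELEASE );

    return ( HMODULE ) ( uintptr_t ) dwResult;
}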
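BOOL CreateWithInject( LPCTSTR lpApplicationpath, LPCTSTR lpCurrentdirectory, LPTSTR lpCommandline, LPCTSTR lpInjectmodulepath, HMODULE* pRemoteModule ) {
    /*
     * Start lpApplicationpath suspended, inject lpInjectmodulepath into it via
     * RemoteLoadModule, then resume it and block until its primary thread exits.
     *
     * lpApplicationpath  - executable to start (handed to CreateProcess as-is).
     * lpCurrentdirectory - working directory for the child, or NULL.
     * lpCommandline      - command line; must be writable, CreateProcess may
     *                      modify it in place.
     * lpInjectmodulepath - path of the DLL to load inside the child.
     * pRemoteModule      - optional out-parameter; receives the HMODULE that
     *                      the remote LoadLibraryA returned, or NULL if the
     *                      load failed. The original never wrote to it.
     *
     * Returns TRUE only when the process was created AND the module loaded.
     * The child is resumed even when injection failed.
     */
    PROCESS_INFORMATION procInfo;
    STARTUPINFO startupInfo;
    HMODULE hRemote = NULL;
    BOOL bResult = FALSE;

    if ( pRemoteModule != NULL )
        *pRemoteModule = NULL;

    ZeroMemory( &procInfo, sizeof( procInfo ) );
    ZeroMemory( &startupInfo, sizeof( startupInfo ) );
    /* CreateProcess requires cb to be initialised; the original left it 0. */
    startupInfo.cb = sizeof( startupInfo );

    /* NOTE(review): bInheritHandles is TRUE although nothing here requires the
     * child to inherit handles (startupInfo carries no std handles), so every
     * inheritable handle of this process leaks into the child. FALSE is the
     * least-privilege choice; kept as-is in case a caller relies on it. */
    if ( !CreateProcess( lpApplicationpath, lpCommandline, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, lpCurrentdirectory, &startupInfo, &procInfo ) )
        return FALSE;

    /* NOTE(review): the primary thread has not run yet, so process start-up is
     * incomplete when the remote thread calls LoadLibraryA; whether that is
     * safe depends on the loader state of the target OS — verify. */
    hRemote = RemoteLoadModule( procInfo.hProcess, lpInjectmodulepath );
    if ( hRemote != NULL ) {
        bResult = TRUE;
        if ( pRemoteModule != NULL )
            *pRemoteModule = hRemote;
    }

    /* TODO: the injected module is never unloaded from the child (no remote
     * FreeLibrary); it lives until the child exits. */
    ResumeThread( procInfo.hThread );
    WaitForSingleObject( procInfo.hThread, INFINITE );
    CloseHandle( procInfo.hProcess );
    CloseHandle( procInfo.hThread );

    return bResult;
}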