  1. #1
    t7ancients's Avatar
    Join Date
    Dec 2008
    Gender
    male
    Location
    New York
    Posts
    381
    Reputation
    28
    Thanks
    68
    My Mood
    Twisted

    Simple CreateRemoteThread Injection?

    Code:
    #include<stdio.h>
    #include<iostream>
    #include<windows.h>
    
    using namespace std;
    
    int main()
    {
        cout << "Enter the target's MainWindow name: ";
        char* WindowName;
        *WindowName = cin.get();
        cout << endl;
        cout << "Enter dll name: ";
        char* DllName;
        *DllName = cin.get();
        HWND WindowHandle = FindWindow(NULL, WindowName);
        DWORD* ProcId = new DWORD;
        GetWindowThreadProcessId(WindowHandle, ProcId);
        HANDLE ProcHandle = OpenProcess(PROCESS_CREATE_THREAD, FALSE, *ProcId);
        LPVOID LoadLibraryAddress = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibrary");
        LPVOID RemoteStringAddress = (LPVOID)VirtualAllocEx(ProcHandle, NULL, strlen(DllName), MEM_RESERVE|MEM_COMMIT,  PAGE_READWRITE);
        WriteProcessMemory(ProcHandle, (LPVOID)RemoteStringAddress, DllName, strlen(DllName), NULL);
        CreateRemoteThread(ProcHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryAddress, (LPVOID)RemoteStringAddress, NULL, NULL);
        CloseHandle(ProcHandle);
        return 0;
    }
    I get an access denied error (Exception Code 'c0000005' or some shit). What am I doing wrong? I'm sort of just getting back into C/C++ stuff, and I could use a little help. :3
    Last edited by t7ancients; 09-20-2012 at 07:11 AM.

  2. #2
    Void's Avatar
    Join Date
    Sep 2009
    Gender
    male
    Location
    Inline.
    Posts
    3,198
    Reputation
    205
    Thanks
    1,445
    My Mood
    Mellow
    The exact error would be nice.

    dat non-indentation.

    Try removing the user input shit and try hardcoding the window name and path to the dll.

  3. #3
          ( ° ͜ʖ͡°)╭∩╮
    Former Staff
    MarkHC's Avatar
    Join Date
    Nov 2011
    Gender
    male
    Location
    127.0.0.1
    Posts
    2,750
    Reputation
    66
    Thanks
    14,529
    My Mood
    Angelic
    Try to open the process with PROCESS_ALL_ACCESS... and indent your code for god's sake...


    CoD Minion from 09/19/2012 to 01/10/2013

  4. #4
    t7ancients's Avatar
    Join Date
    Dec 2008
    Gender
    male
    Location
    New York
    Posts
    381
    Reputation
    28
    Thanks
    68
    My Mood
    Twisted
    Sorry guys, I wrote it in notepad while I was in class. And insane, is it better to use PROCESS_ALL_ACCESS when you're just creating a thread? I forgot my flash drive at home, I'll get the exact error details tonight. I appreciate your help guys. I'll also try hardcoding the strings and see if that works.

  5. #5
    radnomguywfq3's Avatar
    Join Date
    Jan 2007
    Gender
    male
    Location
    J:\E\T\A\M\A\Y.exe
    Posts
    8,858
    Reputation
    381
    Thanks
    1,823
    My Mood
    Sad
    Code:
        char* WindowName;
        *WindowName = cin.get();
    *facepalm* you guys. This is your problem.

    You are dereferencing a dangling pointer. Also, that doesn't achieve what you think it does. std::cin::get will read one character from the input stream (the console window.)

    std::cin::getline is what you're looking for:
    https://www.cplusplus.com/reference/string/getline/

    Code:
        DWORD* ProcId = new DWORD;
        GetWindowThreadProcessId(WindowHandle, ProcId);
    You're allocating a new DWORD on the heap, and then you aren't deallocating it using the delete keyword. Just allocate it on the stack by using a local variable and pass a pointer to GetWindowThreadProcessId by using the reference operator:

    Code:
        DWORD dwProcId = 0;
        GetWindowThreadProcessId(WindowHandle, &dwProcId);
    Also...

    Code:
        LPVOID LoadLibraryAddress = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibrary");
    LoadLibrary is a macro that is defined as either LoadLibraryA or LoadLibraryW depending on the compiler configuration (multi-byte or wide-character...). Just use LoadLibraryA as the API name, because your dll name is encoded as multi-byte.

    Finally, you can (if you want) treat the thread handle as a mutex object and wait for it to go into a signaled state, then deallocate the memory you allocated, just to clean up a bit.
    Last edited by radnomguywfq3; 09-20-2012 at 08:36 PM.



    There are two types of tragedies in life. One is not getting what you want, the other is getting it.

    If you wake up at a different time in a different place, could you wake up as a different person?


  6. #6
    master131's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Melbourne, Australia
    Posts
    8,858
    Reputation
    3438
    Thanks
    101,668
    My Mood
    Breezy
    Code:
    HANDLE ProcHandle = OpenProcess(PROCESS_CREATE_THREAD, FALSE, *ProcId);
    That will produce a handle that will not have enough access to inject. Here is what you need (taken from each function's remarks on MSDN):
    VirtualAllocEx - PROCESS_VM_OPERATION
    WriteProcessMemory - PROCESS_VM_WRITE and PROCESS_VM_OPERATION
    CreateRemoteThread - PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ

    So, it should look like this (with Jetamay's fix):
    Code:
    HANDLE ProcHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION, FALSE, dwProcId);
    Donate:
    BTC: 1GEny3y5tsYfw8E8A45upK6PKVAEcUDNv9


    Handy Tools/Hacks:
    Extreme Injector v3.7.3
    A powerful and advanced injector in a simple GUI.
    Can scramble DLLs on injection making them harder to detect and even make detected hacks work again!

    Minion Since: 13th January 2011
    Moderator Since: 6th May 2011
    Global Moderator Since: 29th April 2012
    Super User/Unknown Since: 23rd July 2013
    'Game Hacking' Team Since: 30th July 2013

    --My Art--
    [Roxas - Pixel Art, WIP]
    [Natsu - Drawn]
    [Natsu - Coloured]


    All drawings are coloured using Photoshop.

    --Gifts--
    [Kyle]

  7. #7
    t7ancients's Avatar
    Join Date
    Dec 2008
    Gender
    male
    Location
    New York
    Posts
    381
    Reputation
    28
    Thanks
    68
    My Mood
    Twisted
    Thanks for the pointers (haha, punny) guys, it's working now. While we're on the subject, how does the WriteProcessMemory injection method work? Do you write shellcode to the target process, or can you just write a function by its address? Also, how do you get the size of a function in memory?

  8. #8
    master131's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Melbourne, Australia
    Posts
    8,858
    Reputation
    3438
    Thanks
    101,668
    My Mood
    Breezy
    Quote Originally Posted by t7ancients View Post
    Thanks for the pointers (haha, punny) guys, it's working now. While we're on the subject, how does the WriteProcessMemory injection method work? Do you write shellcode to the target process, or can you just write a function by its address? Also, how do you get the size of a function in memory?
    What WriteProcessMemory method? In the CreateRemoteThread method, it just writes the path of the DLL to inject into the target process. If you're referring to, like, writing some sort of stub into the process, well, you write the assembly representation of your code into the target process and run it using CreateRemoteThread (or some other method like thread hijacking). Not sure if you can get the size of a function in memory really... Perhaps if you kept counting until you hit INT3 (0xCC); that might indicate the end of the function, but I'm not sure that's really reliable.
    Last edited by master131; 09-21-2012 at 06:49 PM.

  9. #9
    giniyat101's Avatar
    Join Date
    Sep 2011
    Gender
    male
    Location
    Not telling.
    Posts
    1,935
    Reputation
    130
    Thanks
    1,380
    My Mood
    Dead
    Code:
    #include <windows.h>
    #include <iostream>
    #include <cstring>
    
    using namespace std;
    
    BOOL Inject(DWORD pid, LPCSTR dllpath)
    {
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
        if (!hProc)
        {
            cout << "OpenProcess failed: " << GetLastError() << endl;
            return FALSE;
        }
    
        // Copy the terminating NUL as well, otherwise LoadLibraryA reads past the buffer.
        SIZE_T pathSize = strlen(dllpath) + 1;
    
        VOID* remoteStr = VirtualAllocEx(hProc, NULL, pathSize, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
        if (!remoteStr)
        {
            CloseHandle(hProc);
            cout << "VirtualAllocEx failed: " << GetLastError() << endl;
            return FALSE;
        }
    
        if (!WriteProcessMemory(hProc, remoteStr, dllpath, pathSize, NULL))
        {
            // dwSize must be 0 when releasing with MEM_RELEASE
            VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
            CloseHandle(hProc);
            cout << "WriteProcessMemory failed: " << GetLastError() << endl;
            return FALSE;
        }
    
        // kernel32.dll is mapped at the same base in every process of the same
        // bitness, so the local address of LoadLibraryA is valid in the target too.
        LPTHREAD_START_ROUTINE locLLA = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (!locLLA)
        {
            VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
            CloseHandle(hProc);
            cout << "GetProcAddress failed: " << GetLastError() << endl;
            return FALSE;
        }
    
        HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, locLLA, remoteStr, 0, NULL);
        if (!hThread)
        {
            VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
            CloseHandle(hProc);
            cout << "CreateRemoteThread failed: " << GetLastError() << endl;
            return FALSE;
        }
    
        // Wait until LoadLibraryA has returned before freeing the path buffer it reads.
        WaitForSingleObject(hThread, INFINITE);
    
        // The thread's exit code is LoadLibraryA's return value (the HMODULE,
        // truncated to 32 bits); 0 means the DLL failed to load.
        DWORD exitCode = 0;
        GetExitCodeThread(hThread, &exitCode);
    
        CloseHandle(hThread);
        VirtualFreeEx(hProc, remoteStr, 0, MEM_RELEASE);
        CloseHandle(hProc);
        return exitCode != 0;
    }
    
    int main()
    {
        char szWinName[100], szDllName[MAX_PATH];
        cout << "Enter the target's MainWindow name: ";
        cin.getline(szWinName, sizeof(szWinName));   // getline: window titles contain spaces
        cout << "Enter dll name: ";
        cin.getline(szDllName, sizeof(szDllName));   // use a full path; the target's working directory may differ
        cout << endl;
    
        HWND hWnd = FindWindowA(NULL, szWinName);
        if (!hWnd)
        {
            cout << "couldn't find window" << endl;
            return 0;
        }
    
        DWORD dwID = 0;
        GetWindowThreadProcessId(hWnd, &dwID);
        if (!dwID)
        {
            cout << "GetWindowThreadProcessId failed" << endl;
            return 0;
        }
    
        if (Inject(dwID, szDllName))
        {
            cout << "injection succeeded" << endl;
        }
        return 0;
    }
    hope i helped.

    ---------- Post added at 11:03 AM ---------- Previous post was at 10:59 AM ----------

    Quote Originally Posted by t7ancients View Post
    Thanks for the pointers (haha, punny) guys, it's working now. While we're on the subject, how does the WriteProcessMemory injection method work? Do you write shellcode to the target process, or can you just write a function by its address? Also, how do you get the size of a function in memory?
    Dynamically getting function size? Strange.
    Try finding the nearest INT3 block (about 5 of them), but don't count on that; I have seen NOP blocks on some systems too.
    And what does "WriteProcessMemory injection" mean?


     



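Editor's added example (not code from this thread or from either poster): the "count until you hit INT3" heuristic the two replies above describe, written out in C over a constructed byte sample so its failure mode is visible. The scanner looks for a run of padding bytes (0xCC int3 or 0x90 nop) that compilers emit between functions; the sample is a made-up 6-byte x86 function whose immediate operand happens to contain 0xCC bytes, which is exactly why the posters say not to count on it. On x64 Windows the reliable source for a function's extent is the PE exception directory (RUNTIME_FUNCTION BeginAddress/EndAddress, as returned by RtlLookupFunctionEntry); 32-bit code has no equivalent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOT_FOUND ((size_t)-1)

/* Offset of the first run of at least min_run consecutive `pad` bytes
 * (0xCC = int3, 0x90 = nop) in code[0..len), or NOT_FOUND.
 * Compilers fill the gap between functions with such runs, so the offset
 * is a guess at the function's length; it is only a guess because the
 * same byte values can appear inside instructions. */
size_t find_padding(const uint8_t *code, size_t len, uint8_t pad, size_t min_run)
{
    size_t run = 0;
    if (min_run == 0) return NOT_FOUND;
    for (size_t i = 0; i < len; i++) {
        run = (code[i] == pad) ? run + 1 : 0;
        if (run == min_run) return i + 1 - min_run;
    }
    return NOT_FOUND;
}

/* Constructed sample (hand-written, not real compiler output):
 *   B8 CC CC CC CC   mov eax, 0CCCCCCCCh   ; immediate made of int3 bytes
 *   C3               ret
 *   CC CC CC CC CC   five int3 bytes of alignment padding after the function */
static const uint8_t SAMPLE[] = {
    0xB8, 0xCC, 0xCC, 0xCC, 0xCC,
    0xC3,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    /* Requiring a run of 4 stops inside the mov's immediate: offset 1, wrong. */
    size_t short_run = find_padding(SAMPLE, SAMPLE_LEN, 0xCC, 4);
    /* Requiring a run of 5 skips the immediate and finds the real end: offset 6. */
    size_t long_run  = find_padding(SAMPLE, SAMPLE_LEN, 0xCC, 5);
    /* A function padded with nops instead of int3 would not be found at all. */
    size_t nop_run   = find_padding(SAMPLE, SAMPLE_LEN, 0x90, 5);

    printf("min_run=4 -> %zu (inside an immediate)\n", short_run);
    printf("min_run=5 -> %zu (actual end of function)\n", long_run);
    printf("nop scan  -> %s\n", nop_run == NOT_FOUND ? "not found" : "found");
    return 0;
}
```

Raising min_run trades false positives inside instructions for missing short padding runs; a long immediate or a jump table full of 0xCC/0x90 bytes defeats any threshold, which is the "don't count on that" in the reply above.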

  10. #10
    radnomguywfq3's Avatar
    Join Date
    Jan 2007
    Gender
    male
    Location
    J:\E\T\A\M\A\Y.exe
    Posts
    8,858
    Reputation
    381
    Thanks
    1,823
    My Mood
    Sad
    Quote Originally Posted by t7ancients View Post
    Thanks for the pointers (haha, punny) guys, it's working now. While we're on the subject, how does the WriteProcessMemory injection method work? Do you write shellcode to the target process, or can you just write a function by its address? Also, how do you get the size of a function in memory?
    The WPM shell-code injection is fucking stupid because it is basically an elongated version of the method you just did (unless you have a particular purpose for the shell-code?).

    Basically, you write something like this

    Code:
    push seriesOfDwordsOfSuchThatYouWriteTheDllNameInMultiByte
    push esp
    call LoadLibraryA
    You write that into process memory and create a thread at the origin (CreateRemoteThread).

    You can also use my PE Loader module in my signature. Dat shit is recon.
    Last edited by radnomguywfq3; 09-22-2012 at 11:09 AM.



    There are two types of tragedies in life. One is not getting what you want, the other is getting it.

    If you wake up at a different time in a different place, could you wake up as a different person?

