C++ RSS C++ RSS

Windows Forms and remote thread

Please support our C++ advertiser: Intel Parallel Studio Home
Reply

Join Date: May 2008
Posts: 15
Reputation: somename is an unknown quantity at this point 
Solved Threads: 0
somename somename is offline Offline
Newbie Poster

Windows Forms and remote thread

 
0
  #1
Sep 26th, 2009
Hi there, i am trying to implement thread injection from my windows forms .NET project. Here is the code which works just fine from simple console app or Gtk+ gui application, but unfortunately not from .NET gui app.

C++ Syntax (Toggle Plain Text) 
  1. #define  NtCurrentThread()		           ((HANDLE) -2)
  2. #define  NtCurrentProcess()		           ((HANDLE) -1)
  3.  
  4. typedef DWORD (WINAPI *Rm_MessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
  5. #pragma warning( disable : 4996 )
  6.  
  7. typedef struct _Structure {
  8. PVOID RmMessageBoxA;
  9. char Message[MAX_PATH];
  10. char Title[MAX_PATH];
  11. } Structure;
  12.  
  13. Structure my_Structure,*pmy_Structure;
  14.  
  15. DWORD __stdcall ReThread(Structure *Parameter){
  16. Rm_MessageBoxA myMessageBoxA = (Rm_MessageBoxA)Parameter->RmMessageBoxA;
  17. myMessageBoxA(0, Parameter->Message, Parameter->Title,0);
  18. return 0;
  19. }
  20.  
  21. /* whole below function replacemenet with 1 line of code
  22. RtlAdjustPrivilege(20, TRUE, AdjustCurrentProcess, &en);
  23. */
  24. static BOOL SetPrivilege(char* SeNamePriv, BOOL EnableTF){
  25.    HANDLE hToken;
  26.    LUID SeValue;
  27.    TOKEN_PRIVILEGES tp;
  28.  
  29.    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken))return FALSE;
  30.  
  31.    if (!LookupPrivilegeValue(NULL, SeNamePriv, &SeValue)){
  32.       CloseHandle(hToken);
  33.       return FALSE;
  34.    }
  35.  
  36.    tp.PrivilegeCount = 1;
  37.    tp.Privileges[0].Luid = SeValue;
  38.    tp.Privileges[0].Attributes = EnableTF ? SE_PRIVILEGE_ENABLED : 0;
  39.    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
  40.    CloseHandle(hToken);
  41.    return TRUE;
  42. }
  43.  
  44. static DWORD GetPIDbyName(LPTSTR p_Name){
  45. 	HANDLE m_Snap;
  46. 	PROCESSENTRY32 pe = { sizeof(pe) };
  47. 	m_Snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  48. 	if (m_Snap == INVALID_HANDLE_VALUE) return 0; 
  49. 	if (!Process32First(m_Snap, &pe)) return 0;
  50.  
  51. 	do{
  52. 		if( !lstrcmpi(pe.szExeFile, p_Name)){		
  53. 			return pe.th32ProcessID;
  54. 		}
  55. 	} while (Process32Next(m_Snap, &pe));
  56.  
  57. 	CloseHandle(m_Snap);
  58. 	return 0;
  59. }
  60.  
  61. bool Load(){
  62.  
  63.     void *pThread; SIZE_T dwThreadSize=4000;
  64.     SetPrivilege("SeDebugPrivilege", TRUE);
  65. 	HANDLE RemoProc;
  66.     DWORD dwPid = GetPIDbyName("notepad.exe");
  67.     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
  68.     pThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
  69. 	if(pThread == NULL){MessageBoxA(0,"pThread == NULL","error",0); return false;}
  70. 	if(WriteProcessMemory(hProcess, pThread, (void *)ReThread, dwThreadSize,0) == 0){
  71. 	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
  72. 	return false;
  73. 	}
  74.     RtlZeroMemory(&my_Structure,sizeof(Structure));
  75.     HINSTANCE hUser;
  76.     hUser = LoadLibraryExA("user32.dll", NULL, 0);
  77. 	if(hUser == NULL){
  78. 	MessageBoxA(0,"hUser == NULL","error",0);
  79. 	return false;
  80. 	}
  81.     my_Structure.RmMessageBoxA = (void *) GetProcAddress(hUser, "MessageBoxA");
  82. 	if(my_Structure.RmMessageBoxA == NULL){
  83. 	MessageBoxA(0,"my_Structure.RmMessageBoxW == NULL","error",0);
  84. 	return false;
  85. 	}
  86.     strcpy(my_Structure.Message, "message");
  87.     strcpy(my_Structure.Title, "title");
  88.     DWORD dwSize = sizeof(Structure);
  89.     pmy_Structure =(Structure *)VirtualAllocEx (hProcess ,0,sizeof(Structure),MEM_COMMIT,PAGE_READWRITE);
  90. 	if(pmy_Structure == NULL){
  91. 	MessageBoxA(0,"pmy_Structure == NULL","error",0);
  92. 	return false;
  93. 	}
  94. 	if(WriteProcessMemory(hProcess ,pmy_Structure,&my_Structure,sizeof(my_Structure),0) == 0){
  95. 	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
  96. 	return false;
  97. 	}
  98.     RemoProc = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pThread, (PVOID)pmy_Structure, 0, NULL);
  99. 	if(RemoProc == NULL){
  100. 	MessageBoxA(0,"CreateRemoteThread failed!","error",0);
  101. 	return false;
  102. 	}
  103. 	return true;    
  104. }

In my .NET project it gets executed like this:

C++ Syntax (Toggle Plain Text) 
  1. private: void button1_Click( Object^ /*sender*/, System::EventArgs^ /*e*/ )
  2. 	{
  3. 		if(Load() == false){
  4. 		MessageBoxA(0,"Load function failed!","error",0);
  5. 		} else {
  6. 		MessageBoxA(0,"Load function succeed!","success",0);
  7. 		}
  8. 	}
Now it seems like thread get injected but notepad crashes after that. I should mention that i am working with .NET framework for about a couple of days now and mainly using it for creating GUI - all other functionality is implemented with usage of win32 functions.
Well, i have found a code for thread injection in windows forms .NET but that is not what i am looking for. Whole thread injection routine will be implemented with usage of pure windows native functions (for example not CreateRemoteThread but RtlCreateUserThread / NtCreateThread and so on) and, it will be pretty complex thread so i want to implement it in the way above. So my questions are: could it be done like this in Windows Froms .NET application? And what is wrong about the code above? And if it could not be implemented like this, then which way i can do it?
Thanks in advance,
cheers.
Reply With Quote Quick reply to this message  
Reply

Tags
Tags
forms, net, remote, thread, windows

Quick Reply to Thread
Message:



Similar Threads
Other Threads in the C++ Forum
Thread Tools Search this Thread



.net 7 access acer advertising antivirus apple beta billgates browser business c# clone code command commandprompt computer console dell desktop desktops developers development dropdownlist economy europe explorer forms france freesoftware gartner google hardware ie7 intel internet internetexplorer iphone itunes java laptops leopard linux mac macosx malware microsoft mobile mysql net netbooks news novell office open opensource openvz operating operatingsystem operatingsystems os osx parliament patents pc photonvps php programming prompt redhat registry remote root safari security server servers software sp1 switching system thread tiger touchscreen tweaks ubuntu unix unmanaged update upgrade virtualization vista vmware web windows windows7 wpf xen xp yahoo
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC