Windows Forms and remote thread

Expand Post »

Hi there, i am trying to implement thread injection from my windows forms .NET project. Here is the code which works just fine from simple console app or Gtk+ gui application, but unfortunately not from .NET gui app.

C++ Syntax (Toggle Plain Text)
#define  NtCurrentThread()		           ((HANDLE) -2)
#define  NtCurrentProcess()		           ((HANDLE) -1)
 
typedef DWORD (WINAPI *Rm_MessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
#pragma warning( disable : 4996 )
 
typedef struct _Structure {
PVOID RmMessageBoxA;
char Message[MAX_PATH];
char Title[MAX_PATH];
} Structure;
 
Structure my_Structure,*pmy_Structure;
 
DWORD __stdcall ReThread(Structure *Parameter){
Rm_MessageBoxA myMessageBoxA = (Rm_MessageBoxA)Parameter->RmMessageBoxA;
myMessageBoxA(0, Parameter->Message, Parameter->Title,0);
return 0;
}
 
/* whole below function replacemenet with 1 line of code
RtlAdjustPrivilege(20, TRUE, AdjustCurrentProcess, &en);
*/
static BOOL SetPrivilege(char* SeNamePriv, BOOL EnableTF){
   HANDLE hToken;
   LUID SeValue;
   TOKEN_PRIVILEGES tp;
 
   if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken))return FALSE;
 
   if (!LookupPrivilegeValue(NULL, SeNamePriv, &SeValue)){
      CloseHandle(hToken);
      return FALSE;
   }
 
   tp.PrivilegeCount = 1;
   tp.Privileges[0].Luid = SeValue;
   tp.Privileges[0].Attributes = EnableTF ? SE_PRIVILEGE_ENABLED : 0;
   AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
   CloseHandle(hToken);
   return TRUE;
}
 
static DWORD GetPIDbyName(LPTSTR p_Name){
	HANDLE m_Snap;
	PROCESSENTRY32 pe = { sizeof(pe) };
	m_Snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if (m_Snap == INVALID_HANDLE_VALUE) return 0; 
	if (!Process32First(m_Snap, &pe)) return 0;
 
	do{
		if( !lstrcmpi(pe.szExeFile, p_Name)){		
			return pe.th32ProcessID;
		}
	} while (Process32Next(m_Snap, &pe));
 
	CloseHandle(m_Snap);
	return 0;
}
 
bool Load(){
 
    void *pThread; SIZE_T dwThreadSize=4000;
    SetPrivilege("SeDebugPrivilege", TRUE);
	HANDLE RemoProc;
    DWORD dwPid = GetPIDbyName("notepad.exe");
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    pThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	if(pThread == NULL){MessageBoxA(0,"pThread == NULL","error",0); return false;}
	if(WriteProcessMemory(hProcess, pThread, (void *)ReThread, dwThreadSize,0) == 0){
	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
	return false;
	}
    RtlZeroMemory(&my_Structure,sizeof(Structure));
    HINSTANCE hUser;
    hUser = LoadLibraryExA("user32.dll", NULL, 0);
	if(hUser == NULL){
	MessageBoxA(0,"hUser == NULL","error",0);
	return false;
	}
    my_Structure.RmMessageBoxA = (void *) GetProcAddress(hUser, "MessageBoxA");
	if(my_Structure.RmMessageBoxA == NULL){
	MessageBoxA(0,"my_Structure.RmMessageBoxW == NULL","error",0);
	return false;
	}
    strcpy(my_Structure.Message, "message");
    strcpy(my_Structure.Title, "title");
    DWORD dwSize = sizeof(Structure);
    pmy_Structure =(Structure *)VirtualAllocEx (hProcess ,0,sizeof(Structure),MEM_COMMIT,PAGE_READWRITE);
	if(pmy_Structure == NULL){
	MessageBoxA(0,"pmy_Structure == NULL","error",0);
	return false;
	}
	if(WriteProcessMemory(hProcess ,pmy_Structure,&my_Structure,sizeof(my_Structure),0) == 0){
	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
	return false;
	}
    RemoProc = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pThread, (PVOID)pmy_Structure, 0, NULL);
	if(RemoProc == NULL){
	MessageBoxA(0,"CreateRemoteThread failed!","error",0);
	return false;
	}
	return true;    
}
#define  NtCurrentThread()		           ((HANDLE) -2)
#define  NtCurrentProcess()		           ((HANDLE) -1)

typedef DWORD (WINAPI *Rm_MessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
#pragma warning( disable : 4996 )

typedef struct _Structure {
PVOID RmMessageBoxA;
char Message[MAX_PATH];
char Title[MAX_PATH];
} Structure;

Structure my_Structure,*pmy_Structure;

DWORD __stdcall ReThread(Structure *Parameter){
Rm_MessageBoxA myMessageBoxA = (Rm_MessageBoxA)Parameter->RmMessageBoxA;
myMessageBoxA(0, Parameter->Message, Parameter->Title,0);
return 0;
}

/* whole below function replacemenet with 1 line of code
RtlAdjustPrivilege(20, TRUE, AdjustCurrentProcess, &en);
*/
static BOOL SetPrivilege(char* SeNamePriv, BOOL EnableTF){
   HANDLE hToken;
   LUID SeValue;
   TOKEN_PRIVILEGES tp;

   if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken))return FALSE;
   
   if (!LookupPrivilegeValue(NULL, SeNamePriv, &SeValue)){
      CloseHandle(hToken);
      return FALSE;
   }
   
   tp.PrivilegeCount = 1;
   tp.Privileges[0].Luid = SeValue;
   tp.Privileges[0].Attributes = EnableTF ? SE_PRIVILEGE_ENABLED : 0;
   AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
   CloseHandle(hToken);
   return TRUE;
}

static DWORD GetPIDbyName(LPTSTR p_Name){
	HANDLE m_Snap;
	PROCESSENTRY32 pe = { sizeof(pe) };
	m_Snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if (m_Snap == INVALID_HANDLE_VALUE) return 0; 
	if (!Process32First(m_Snap, &pe)) return 0;
	
	do{
		if( !lstrcmpi(pe.szExeFile, p_Name)){		
			return pe.th32ProcessID;
		}
	} while (Process32Next(m_Snap, &pe));

	CloseHandle(m_Snap);
	return 0;
}

bool Load(){

    void *pThread; SIZE_T dwThreadSize=4000;
    SetPrivilege("SeDebugPrivilege", TRUE);
	HANDLE RemoProc;
    DWORD dwPid = GetPIDbyName("notepad.exe");
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    pThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	if(pThread == NULL){MessageBoxA(0,"pThread == NULL","error",0); return false;}
	if(WriteProcessMemory(hProcess, pThread, (void *)ReThread, dwThreadSize,0) == 0){
	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
	return false;
	}
    RtlZeroMemory(&my_Structure,sizeof(Structure));
    HINSTANCE hUser;
    hUser = LoadLibraryExA("user32.dll", NULL, 0);
	if(hUser == NULL){
	MessageBoxA(0,"hUser == NULL","error",0);
	return false;
	}
    my_Structure.RmMessageBoxA = (void *) GetProcAddress(hUser, "MessageBoxA");
	if(my_Structure.RmMessageBoxA == NULL){
	MessageBoxA(0,"my_Structure.RmMessageBoxW == NULL","error",0);
	return false;
	}
    strcpy(my_Structure.Message, "message");
    strcpy(my_Structure.Title, "title");
    DWORD dwSize = sizeof(Structure);
    pmy_Structure =(Structure *)VirtualAllocEx (hProcess ,0,sizeof(Structure),MEM_COMMIT,PAGE_READWRITE);
	if(pmy_Structure == NULL){
	MessageBoxA(0,"pmy_Structure == NULL","error",0);
	return false;
	}
	if(WriteProcessMemory(hProcess ,pmy_Structure,&my_Structure,sizeof(my_Structure),0) == 0){
	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
	return false;
	}
    RemoProc = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pThread, (PVOID)pmy_Structure, 0, NULL);
	if(RemoProc == NULL){
	MessageBoxA(0,"CreateRemoteThread failed!","error",0);
	return false;
	}
	return true;    
}

In my .NET project it gets executed like this:

C++ Syntax (Toggle Plain Text)
private: void button1_Click( Object^ /*sender*/, System::EventArgs^ /*e*/ )
	{
		if(Load() == false){
		MessageBoxA(0,"Load function failed!","error",0);
		} else {
		MessageBoxA(0,"Load function succeed!","success",0);
		}
	}
private: void button1_Click( Object^ /*sender*/, System::EventArgs^ /*e*/ )
	{
		if(Load() == false){
		MessageBoxA(0,"Load function failed!","error",0);
		} else {
		MessageBoxA(0,"Load function succeed!","success",0);
		}
	}

Now it seems like thread get injected but notepad crashes after that. I should mention that i am working with .NET framework for about a couple of days now and mainly using it for creating GUI - all other functionality is implemented with usage of win32 functions.
Well, i have found a code for thread injection in windows forms .NET but that is not what i am looking for. Whole thread injection routine will be implemented with usage of pure windows native functions (for example not CreateRemoteThread but RtlCreateUserThread / NtCreateThread and so on) and, it will be pretty complex thread so i want to implement it in the way above. So my questions are: could it be done like this in Windows Froms .NET application? And what is wrong about the code above? And if it could not be implemented like this, then which way i can do it?
Thanks in advance,
cheers.

Similar Threads

Window Timer in a new Thread in C#
How to display variables in Windows Forms Aplication? in C++
Thread's colliding? in C#
autoscroll is not a member of Systems.Windows.Forms.Panel in VB.NET
About Windows Forms C# .net 2003 in C#

somename

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

17 posts
since May 2008

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in C++ Forum Timeline: locking needed for simple addition?

Next Thread in C++ Forum Timeline: Number Guessing Game

DaniWeb Message

Cancel Changes

User Name
Password