somename 0 Newbie Poster

Hi there, i am trying to implement thread injection from my windows forms .NET project. Here is the code which works just fine from simple console app or Gtk+ gui application, but unfortunately not from .NET gui app.

#define  NtCurrentThread()		           ((HANDLE) -2)
#define  NtCurrentProcess()		           ((HANDLE) -1)

typedef DWORD (WINAPI *Rm_MessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
#pragma warning( disable : 4996 )

typedef struct _Structure {
PVOID RmMessageBoxA;
char Message[MAX_PATH];
char Title[MAX_PATH];
} Structure;

Structure my_Structure,*pmy_Structure;

DWORD __stdcall ReThread(Structure *Parameter){
Rm_MessageBoxA myMessageBoxA = (Rm_MessageBoxA)Parameter->RmMessageBoxA;
myMessageBoxA(0, Parameter->Message, Parameter->Title,0);
return 0;
}

/* whole below function replacemenet with 1 line of code
RtlAdjustPrivilege(20, TRUE, AdjustCurrentProcess, &en);
*/
static BOOL SetPrivilege(char* SeNamePriv, BOOL EnableTF){
   HANDLE hToken;
   LUID SeValue;
   TOKEN_PRIVILEGES tp;

   if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken))return FALSE;
   
   if (!LookupPrivilegeValue(NULL, SeNamePriv, &SeValue)){
      CloseHandle(hToken);
      return FALSE;
   }
   
   tp.PrivilegeCount = 1;
   tp.Privileges[0].Luid = SeValue;
   tp.Privileges[0].Attributes = EnableTF ? SE_PRIVILEGE_ENABLED : 0;
   AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
   CloseHandle(hToken);
   return TRUE;
}

static DWORD GetPIDbyName(LPTSTR p_Name){
	HANDLE m_Snap;
	PROCESSENTRY32 pe = { sizeof(pe) };
	m_Snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if (m_Snap == INVALID_HANDLE_VALUE) return 0; 
	if (!Process32First(m_Snap, &pe)) return 0;
	
	do{
		if( !lstrcmpi(pe.szExeFile, p_Name)){		
			return pe.th32ProcessID;
		}
	} while (Process32Next(m_Snap, &pe));

	CloseHandle(m_Snap);
	return 0;
}

bool Load(){

    void *pThread; SIZE_T dwThreadSize=4000;
    SetPrivilege("SeDebugPrivilege", TRUE);
	HANDLE RemoProc;
    DWORD dwPid = GetPIDbyName("notepad.exe");
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    pThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	if(pThread == NULL){MessageBoxA(0,"pThread == NULL","error",0); return false;}
	if(WriteProcessMemory(hProcess, pThread, (void *)ReThread, dwThreadSize,0) == 0){
	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
	return false;
	}
    RtlZeroMemory(&my_Structure,sizeof(Structure));
    HINSTANCE hUser;
    hUser = LoadLibraryExA("user32.dll", NULL, 0);
	if(hUser == NULL){
	MessageBoxA(0,"hUser == NULL","error",0);
	return false;
	}
    my_Structure.RmMessageBoxA = (void *) GetProcAddress(hUser, "MessageBoxA");
	if(my_Structure.RmMessageBoxA == NULL){
	MessageBoxA(0,"my_Structure.RmMessageBoxW == NULL","error",0);
	return false;
	}
    strcpy(my_Structure.Message, "message");
    strcpy(my_Structure.Title, "title");
    DWORD dwSize = sizeof(Structure);
    pmy_Structure =(Structure *)VirtualAllocEx (hProcess ,0,sizeof(Structure),MEM_COMMIT,PAGE_READWRITE);
	if(pmy_Structure == NULL){
	MessageBoxA(0,"pmy_Structure == NULL","error",0);
	return false;
	}
	if(WriteProcessMemory(hProcess ,pmy_Structure,&my_Structure,sizeof(my_Structure),0) == 0){
	MessageBoxA(0,"WriteProcessMemory failed!","error",0);
	return false;
	}
    RemoProc = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pThread, (PVOID)pmy_Structure, 0, NULL);
	if(RemoProc == NULL){
	MessageBoxA(0,"CreateRemoteThread failed!","error",0);
	return false;
	}
	return true;    
}

In my .NET project it gets executed like this:

private: void button1_Click( Object^ /*sender*/, System::EventArgs^ /*e*/ )
	{
		if(Load() == false){
		MessageBoxA(0,"Load function failed!","error",0);
		} else {
		MessageBoxA(0,"Load function succeed!","success",0);
		}
	}

Now it seems like thread get injected but notepad crashes after that. I should mention that i am working with .NET framework for about a couple of days now and mainly using it for creating GUI - all other functionality is implemented with usage of win32 functions.
Well, i have found a code for thread injection in windows forms .NET but that is not what i am looking for. Whole thread injection routine will be implemented with usage of pure windows native functions (for example not CreateRemoteThread but RtlCreateUserThread / NtCreateThread and so on) and, it will be pretty complex thread so i want to implement it in the way above. So my questions are: could it be done like this in Windows Froms .NET application? And what is wrong about the code above? And if it could not be implemented like this, then which way i can do it?
Thanks in advance,
cheers.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.