0ron Posted January 30, 2010

OK, so I'm messing around with injecting DLLs into other processes. The code I have works perfectly fine on any 32-bit machine but completely blows up on W7 64-bit. If it's compiled for pure 32-bit it works OK, but only with 32-bit programs. I'm getting "CreateRemoteThread exited with error 8". Any ideas?

    public unsafe static bool LoadRemoteLibrary(Process process, string Dll2Inject, out IntPtr lpModule)
    {
        lpModule = IntPtr.Zero;
        if (!File.Exists(Dll2Inject))
        {
            throw new FileNotFoundException(String.Format("PE File '{0}' not found.", Dll2Inject));
        }

        // Null-terminated UTF-16 copy of the DLL path, as LoadLibraryW expects
        UnicodeEncoding enc = new UnicodeEncoding();
        byte[] rawdllStr = enc.GetBytes(Dll2Inject);
        byte[] aDllBytes = new byte[rawdllStr.Length + 2];
        rawdllStr.CopyTo(aDllBytes, 0);
        aDllBytes[aDllBytes.Length - 2] = 0;
        aDllBytes[aDllBytes.Length - 1] = 0;

        IntPtr lpLoadAddress = ProcessHelper.GetRemoteAddress(process, "Kernel32.dll", "LoadLibraryW", 0);
        if (lpLoadAddress == IntPtr.Zero)
        {
            throw new Exception("Could not resolve remote address");
        }

        // Allocate memory for the string in the target process
        IntPtr lpDllString = Kernel32.VirtualAllocEx(process.Handle, IntPtr.Zero, (uint)aDllBytes.Length, MEM_COMMIT, PAGE_READWRITE);
        if (lpDllString == IntPtr.Zero)
            throw new Exception("VirtualAllocEx failed with error code " + Convert.ToString(Marshal.GetLastWin32Error()) + ".");

        try
        {
            IntPtr bytesWritten;
            fixed (byte* dllRef = aDllBytes)
            {
                if (!Kernel32.WriteProcessMemory(process.Handle, lpDllString, dllRef, new IntPtr(aDllBytes.Length), out bytesWritten))
                    throw new Exception("WriteProcessMemory failed with error code " + Convert.ToString(Marshal.GetLastWin32Error()) + ".");
            }

            uint ThreadID = 0;
            IntPtr hRemoteThread = Kernel32.CreateRemoteThread(process.Handle, IntPtr.Zero, IntPtr.Zero, lpLoadAddress, lpDllString, CREATE_SUSPENDED, out ThreadID);
            if (hRemoteThread == IntPtr.Zero)
                throw new Exception("CreateRemoteThread failed with error code " + Convert.ToString(Marshal.GetLastWin32Error()) + ".");
            ...
revert Posted January 30, 2010

Erm, are you trying to inject a 32-bit DLL into a 64-bit process?
0ron (Author) Posted January 31, 2010

> Erm, are you trying to inject a 32-bit DLL into a 64-bit process?

Nope, 64-bit DLL into a 64-bit process. Can't seem to get it to work.
ghandi Posted February 1, 2010

1. Does your process have debug privileges?
2. Have you run your process as Administrator so it has elevated privileges?

    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    // AdjustTokenPrivileges returns TRUE even when the token does not hold the
    // privilege; the real outcome is GetLastError() == ERROR_NOT_ALL_ASSIGNED,
    // which is what you see in a non-elevated (UAC-filtered) process.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { /* SeDebugPrivilege not available */ }
    CloseHandle(hToken);

HR,
Ghandi
revert Posted February 1, 2010

Maybe it's a protected process. Try it with calc.exe first. Try doing like Ghandi suggested as well. Call Process.EnterDebugMode() before injecting.

Greetz,
revert
Killboy Posted February 1, 2010

Try removing the CREATE_SUSPENDED, unless you call ResumeThread on the handle sometime later.
As far as I remember, debug privileges are only needed for calling OpenProcess on a protected (system) process.
Have you checked if process.Handle is valid?
Most likely admin privileges are needed for some process APIs; you might find UAC interfering on top of that.
For some reason, MSDN doesn't explicitly mention which APIs need admin privileges and which don't :|
0ron (Author) Posted February 3, 2010

Thanks for the ideas but still no success. I already call Process.EnterDebugMode(). I'm running as administrator as well, and it is a 64-bit DLL into a 64-bit process. I'm thinking it's an issue with a pointer or a value I'm passing. I think code 8 is "Not enough memory", correct? And with 8GB of RAM I know I have enough.

OK, just tried it with calc. Works fine, so I guess a permissions issue? So any ideas on a fix?
revert Posted February 3, 2010

Could you tell me what process you are testing with? PM it to me if you like. I'll take a closer look.

regards,
revert
0ron (Author) Posted February 3, 2010

> Could you tell me what process you are testing with? PM it to me if you like. I'll take a closer look.

I've done a bit more testing. Looks like you can only inject into processes you own. Do you know if there is a way to get the name of the owner of the process?
revert Posted February 3, 2010

I do not think that this is your problem, but rather Windows Integrity Control. Take a look with Process Explorer (Sysinternals) at the process into which you want to inject the DLL. Make sure 'Integrity Level' is checked in the columns. Is the process marked as 'System'?
guan Posted February 5, 2010

Hi,

First of all, be careful when you open the target process: the constant PROCESS_ALL_ACCESS has changed since Vista. I don't know your OS.

Secondly, processes and services run in different sessions since Vista too, so you can only create a remote thread in a process of your own session. In other words, if your loader is a process you can't create a remote thread in a service, only in other processes. Maybe you can skip this limitation using rootkit techniques, but that is another story; I know that it is possible but I don't know how to do it.

Best Regards,
GUAN
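The three properties the replies keep coming back to (revert's integrity-level check, 0ron's question about the process owner, guan's point about sessions) can be read from each process's token. The following C# inventory tool is an added example, my code rather than anything posted in this thread; it assumes Windows Vista or later and a .NET Framework console project, and the P/Invoke declarations and the ProcessInventory class are mine. Comparing a row with the tool's own row shows which processes sit in another session or at a higher integrity level, which are exactly the boundaries the thread keeps running into, and which processes cannot even be opened (protected or higher-integrity ones, where OpenProcess fails with access denied).

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: per-process session, owner and integrity level (Vista+).
static class ProcessInventory
{
    // PROCESS_QUERY_LIMITED_INFORMATION is all OpenProcessToken needs on Vista+
    // and is granted on more processes than PROCESS_ALL_ACCESS (whose value
    // changed in Vista, as guan notes).
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenUser = 1;            // TOKEN_INFORMATION_CLASS.TokenUser
    const int TokenIntegrityLevel = 25; // TOKEN_INFORMATION_CLASS.TokenIntegrityLevel

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int informationClass,
                                           IntPtr information, int informationLength,
                                           out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // TOKEN_USER and TOKEN_MANDATORY_LABEL both start with a SID_AND_ATTRIBUTES,
    // whose first field is the PSID, so one reader serves both queries.
    static SecurityIdentifier ReadSid(IntPtr token, int informationClass)
    {
        int needed;
        GetTokenInformation(token, informationClass, IntPtr.Zero, 0, out needed); // size probe
        IntPtr buffer = Marshal.AllocHGlobal(needed);
        try
        {
            if (!GetTokenInformation(token, informationClass, buffer, needed, out needed))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return new SecurityIdentifier(Marshal.ReadIntPtr(buffer));
        }
        finally { Marshal.FreeHGlobal(buffer); }
    }

    // The mandatory label SID is S-1-16-<rid>; the RID encodes the level.
    static string IntegrityName(SecurityIdentifier label)
    {
        string rid = label.Value.Substring(label.Value.LastIndexOf('-') + 1);
        switch (int.Parse(rid))
        {
            case 0x1000: return "Low";
            case 0x2000: return "Medium";
            case 0x2100: return "Medium Plus";
            case 0x3000: return "High";
            case 0x4000: return "System";
            case 0x5000: return "Protected";
            default:     return "RID " + rid;
        }
    }

    static string Session(Process p)
    {
        try { return "session " + p.SessionId; } catch (Exception) { return "session ?"; }
    }

    // One line per process; an unopenable process reports the Win32 error instead.
    static string Describe(Process p)
    {
        IntPtr handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, p.Id);
        if (handle == IntPtr.Zero)
            return Session(p) + "  (OpenProcess failed: " + new Win32Exception(Marshal.GetLastWin32Error()).Message + ")";
        IntPtr token = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(handle, TOKEN_QUERY, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            SecurityIdentifier user = ReadSid(token, TokenUser);
            string owner;
            try { owner = user.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { owner = user.Value; }
            return Session(p) + "  " + owner.PadRight(30) + IntegrityName(ReadSid(token, TokenIntegrityLevel));
        }
        catch (Win32Exception e) { return Session(p) + "  (token query failed: " + e.Message + ")"; }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(handle);
        }
    }

    static void Main()
    {
        Console.WriteLine("this tool: " + Describe(Process.GetCurrentProcess()));
        foreach (Process p in Process.GetProcesses())
            Console.WriteLine(p.Id.ToString().PadLeft(6) + "  " + p.ProcessName.PadRight(24) + Describe(p));
    }
}
```

Run it once from a normal prompt and once elevated: the tool's own row moves from Medium to High integrity, and a number of rows that reported an OpenProcess failure become readable. Services still show up in session 0 either way, which is the cross-session boundary guan describes.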