When the program has finished, the injected process exits with an error. I don't know what is wrong. Can somebody help me?

#include <windows.h>
#include <tlhelp32.h>
#include <iostream.h>

// Parameter block that main() writes into the target process and hands to the
// remote copy of threadProc through lParam. Both sides read it with this same
// definition, so the layout must not change independently on either side.
typedef struct _RemoteParam 
{
	char szMsg[12];        // message text; threadProc also uses it as the caption
	DWORD dwMessageBox;    // address of MessageBoxA stored as a 32-bit value (main casts a pointer into it)
} RemoteParam, * PRemoteParam;

// Signature the remote thread uses for the function address in RemoteParam::dwMessageBox.
// LPCTSTR follows the build's TCHAR setting, while main() always resolves "MessageBoxA";
// the two agree only in a non-UNICODE build.
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);

// Thread body that main() copies byte-for-byte into the target process
// (dwThreadSize / WriteProcessMemory in main) and starts with CreateRemoteThread.
// Because these bytes execute in another address space, the code can only rely on
// data reachable through lParam; anything bound against THIS module (such as the
// ExitThread call below, resolved through the injector's import table) refers to
// an address that is only meaningful inside the injector.
// lParam: remote copy of the RemoteParam block written by main.
// Returns: does not return normally (see ExitThread below).
static DWORD WINAPI threadProc(LPVOID lParam)
{
	RemoteParam* pRP = (RemoteParam*)lParam;
	PFN_MESSAGEBOX pfnMessageBox;
	// Callee address is taken from the parameter block rather than called by
	// name, so it does not depend on this module's import table.
	pfnMessageBox = (PFN_MESSAGEBOX)pRP-&gt;dwMessageBox;
	// szMsg serves as both message text and caption.
	pfnMessageBox(NULL, pRP-&gt;szMsg, pRP-&gt;szMsg, 0);
	// Called by name: this call site is bound through the injector's import
	// table and is not valid at the copied location, so it is a likely crash
	// point once the code runs remotely.
	ExitThread(0);
	// Unreachable: ExitThread does not return.
	return 0;
}
// Empty marker function: main() uses (LPBYTE)afterthread - (LPBYTE)threadProc as
// the byte length of threadProc. That assumes the linker emits this function
// directly after threadProc with nothing in between, which no toolchain
// guarantees (function reordering, incremental-link thunks or padding can break
// it) — TODO confirm the layout before trusting dwThreadSize.
static void afterthread(void)
{       
}
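// Enables SeDebugPrivilege on the current process token.
//
// Returns true only when the privilege was actually enabled. The original
// version reported success whenever AdjustTokenPrivileges returned TRUE, but
// that function returns TRUE even when the privilege is not held by the token
// (it then sets GetLastError() to ERROR_NOT_ALL_ASSIGNED), and it leaked the
// token handle on the success path. Both are fixed here; the token handle is
// closed on every path.
bool enableDebugPriv()
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return false;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
        CloseHandle(hToken);
        return false;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // A TRUE return only means the call was well-formed; whether every
    // requested privilege was assigned is reported through GetLastError().
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
    const bool enabled = (adjusted != FALSE) && (GetLastError() == ERROR_SUCCESS);

    CloseHandle(hToken);
    return enabled;
}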
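// Looks up a running process by executable name (case-insensitive).
//
// lpszProcessName: executable file name as listed by the tool-help snapshot
//                  (e.g. "notepad.exe"); NULL or empty yields 0.
// Returns: the process id of the first matching entry, or 0 when no process
//          matches or the snapshot cannot be taken.
//
// Fixes relative to the original: the snapshot handle is validated and closed on
// every path (it was leaked), and the first entry returned by Process32First is
// compared too (it was skipped, so only entries from Process32Next were checked).
DWORD processNameToId(LPCTSTR lpszProcessName)
{
	if (lpszProcessName == NULL || lpszProcessName[0] == '\0') {
		return 0;
	}
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	// CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL.
	if (hSnapshot == INVALID_HANDLE_VALUE) {
		return 0;
	}
	PROCESSENTRY32 pe;
	ZeroMemory(&pe, sizeof(pe));
	pe.dwSize = sizeof(PROCESSENTRY32);
	if (!Process32First(hSnapshot, &pe)) {
		CloseHandle(hSnapshot);
		MessageBox(NULL, 
			"The frist entry of the process list has not been copyied to the buffer", 
			"Notice", MB_ICONINFORMATION | MB_OK);
		return 0;
	}
	DWORD dwFoundId = 0;
	// do/while so the entry filled in by Process32First is examined as well.
	do {
		if (!_stricmp(lpszProcessName, pe.szExeFile)) {
			dwFoundId = pe.th32ProcessID;
			break;
		}
	} while (Process32Next(hSnapshot, &pe));
	CloseHandle(hSnapshot);
	return dwFoundId;
}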
// Entry point: reads a process name from stdin, locates that process, copies
// threadProc plus a RemoteParam block into it, and runs the copy on a remote thread.
// argc/argv are unused.
// NOTE(review): `void main` is non-standard; C++ requires `int main`.
// NOTE(review): std::cout / std::cin need <iostream>; the file includes the
// pre-standard <iostream.h>, which does not declare them in namespace std.
void main(int argc, char* argv[])
{
	// Code length inferred from the address of the function that follows
	// threadProc; assumes a contiguous, in-order code layout (not guaranteed).
	const DWORD dwThreadSize = (LPBYTE)(afterthread)-(LPBYTE)(threadProc);
	// Misnamed: CreateRemoteThread stores the new thread's id here (lpThreadId),
	// not a byte count.
	DWORD dwWriteBytes;
	// The next four locals are not initialized. The __finally block below uses
	// the first three unconditionally, so any `return` taken before they are
	// assigned (e.g. after a failed OpenProcess) passes indeterminate values to
	// VirtualFreeEx / CloseHandle. Initializing them to NULL would make the
	// cleanup well-defined.
	void* pRemoteThread;
	RemoteParam* pRemoteParam;
	HANDLE hRemoteThread;
	HANDLE hTargetProcess;
	// Return value (whether the privilege was actually enabled) is ignored.
	enableDebugPriv();
	std::cout &lt;&lt; "Please input the name of target process !" &lt;&lt; std::endl;
	char szExeName[MAX_PATH] = { 0 };
	// Unbounded read into a fixed buffer: input longer than MAX_PATH-1
	// characters overruns szExeName (std::setw(MAX_PATH) would bound it).
	std::cin &gt;&gt; szExeName;
	DWORD dwProcessId = processNameToId(szExeName);
	if (dwProcessId == 0) {
		MessageBox(NULL, "The target process have not been found !",
			"Notice", MB_ICONINFORMATION | MB_OK);
		return ;
	}
	// SEH termination handler: each `return` inside __try still runs __finally.
	__try{
		hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
		if (!hTargetProcess) {
			MessageBox(NULL, "Open target process failed !", 
				"Notice", MB_ICONINFORMATION | MB_OK);
			return ;
		}
		// Page in the target sized to the inferred code length, both writable and executable.
		pRemoteThread = VirtualAllocEx(hTargetProcess, 0, 
			dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
		if (!pRemoteThread) {
			MessageBox(NULL, "Alloc memory in target process failed !", 
				"notice", MB_ICONINFORMATION | MB_OK);
			return ;
		}
		// Copies this module's own machine code; see the caveats on threadProc
		// about calls bound through the injector's import table.
		if (!WriteProcessMemory(hTargetProcess, 
			pRemoteThread, &amp;threadProc, dwThreadSize, 0)) {
				MessageBox(NULL, "Write data to target process failed !", 
					"Notice", MB_ICONINFORMATION | MB_OK);
				return ;
		}
		RemoteParam remoteData;
		ZeroMemory(&amp;remoteData, sizeof(RemoteParam));
		// Neither hUser32 nor the looked-up address is NULL-checked, and the
		// module handle is never released with FreeLibrary.
		HINSTANCE hUser32 = LoadLibrary("User32.dll");
		// Truncates a pointer to 32 bits; only meaningful in a 32-bit build.
		remoteData.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
		// "Hello" plus terminator is 6 bytes and fits szMsg[12]; the explicit \0 is redundant.
		strcpy(remoteData.szMsg, "Hello\0");
		pRemoteParam = (RemoteParam*)VirtualAllocEx(
			hTargetProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);
		if (!pRemoteParam) {
			MessageBox(NULL, "Alloc memory failed !", 
				"Notice", MB_ICONINFORMATION | MB_OK);
			return ;
		}
		if (!WriteProcessMemory(hTargetProcess ,
			pRemoteParam, &amp;remoteData, sizeof(remoteData), 0)) {
				MessageBox(NULL, "Write data to target process failed !", 
					"Notice", MB_ICONINFORMATION | MB_OK);
				return ;
		}
		// C-style cast of the remote buffer address to a thread-procedure pointer;
		// the final argument receives the remote thread id.
		hRemoteThread = CreateRemoteThread(
			hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))pRemoteThread, 
			pRemoteParam, 0, &amp;dwWriteBytes);
		if (!hRemoteThread) {
			MessageBox(NULL, "Create remote thread failed !", "Notice",  MB_ICONINFORMATION | MB_OK);
			return ;
		}
		// Blocks until the remote thread ends; no timeout.
		WaitForSingleObject(hRemoteThread,INFINITE);
	}
	__finally
	{
		// Size 0 with MEM_RELEASE is the required pairing for VirtualFreeEx.
		// hTargetProcess itself is never closed (handle leak), and the values
		// below may be uninitialized on early-return paths (see declarations).
		VirtualFreeEx(hTargetProcess,pRemoteThread,0,MEM_RELEASE);
		VirtualFreeEx(hTargetProcess,pRemoteParam,0,MEM_RELEASE);
		CloseHandle(hRemoteThread);
	}
	return ;
}
JF2015 22-Dec-10 0:02am    
Edited to improve code formatting.
Dave Kreskowiak 22-Dec-10 0:29am    
You left out the most important piece of information. What's the error and on what line does it throw?

It is because of the "ExitThread" call. You should pass the address of this function to the thread procedure and call it through that address; otherwise the injected process crashes.
 
caddor 22-Dec-10 9:40am    
But when I remove the "ExitThread" call, it still crashes.
Igor Kushnarev 23-Dec-10 0:44am    
`return 0;` — where do you return to? You should call ExitThread.
You cannot call the MessageBox function mapped into YOUR address space from another process. YOU have loaded user32.dll into YOUR address space; the thread has to load it itself. But this would not work either, because the LoadLibrary function is mapped in YOUR address space too.
 