CreateRemoteThread  how to pass not ptr argument menu


    CreateRemoteThread how to pass not ptr argument

    I am trying to call a function in a remote process using CreateRemoteThread, but something seems wrong with the argument passing. Below is part of the code.

    It does not crash and does print a number, but not the expected one. I tried modifying PrintMsg(int i) to PrintMsg(int * i) { cout << *i << endl; } and that worked.
    It seems I can only pass pointer arguments? I also tried a C string and it works. So my question is: how do I pass an int value as the argument?


    program A:
    =============================================

    /// Writes the integer argument on its own line to standard output and flushes the stream.
    void PrintMsg(int i)
    {
    	std::cout << i << '\n' << std::flush;
    }

    /// Keeps the process alive indefinitely so that PrintMsg stays mapped while
    /// another process experiments with it; the loop never exits on its own.
    int main()
    {
    	for (;;)
    	{
    		Sleep(2000);
    	}
    }
    ==============================================

    program B: // snippet
    ========================================

    // Excerpt of program B (the full listing is in the next post). The target name
    // is hard-coded; GetPID returns 0 when no such process is running, and that
    // case is not checked before OpenProcess.
    unsigned int ProcessID = GetPID("a.exe");
    void* ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessID);
    
    int parameter = 5;
    // sizeof(int) bytes of read/write memory in the target to hold a copy of `parameter`.
    void* AllocatedMemory = VirtualAllocEx(ProcessHandle, nullptr, sizeof(int), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    
    WriteProcessMemory(ProcessHandle, AllocatedMemory, &parameter, sizeof(int), nullptr);
    
    DWORD base = GetBaseAddress(ProcessID);
    DWORD functionptr = base + 0x1000; // hard-coded RVA of the target routine; differs between builds and compilers
    // lpParameter is AllocatedMemory, i.e. the remote thread is started with the
    // address of the copied int as its single argument, which is why the
    // pointer-taking PrintMsg(int*) variant described above works.
    void* ThreadHandle = CreateRemoteThread(ProcessHandle, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(functionptr), AllocatedMemory, 0, nullptr);

    Here is the complete program B:

    #include <iostream>
    #include <fstream>
    #include <string>
    #include <windows.h>
    #include <Tlhelp32.h>
    using namespace std;
    #pragma comment(lib, "User32.lib")
    #pragma comment(lib, "Advapi32.lib")
    
    
    /// Enables SeDebugPrivilege on the current process's access token.
    /// Throws std::exception if the token cannot be opened or adjusted.
    /// NOTE(review): the std::exception(const char*) constructor used here is a
    /// Microsoft extension; the code is not portable to other standard libraries.
    void EnableDebugPrivilege()
    {
    	// Open the local process's privilege token
    	void* Token = nullptr;
    	TOKEN_PRIVILEGES Privileges;
    	if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, reinterpret_cast<void**>(&Token)) == 0)
    	{
    		throw exception("Unable to open the local process token.");
    	}
    	
    	// Set the value of SeDebugPrivilege to enabled
    	Privileges.PrivilegeCount = 1;
    	// NOTE(review): the return value is not checked; if the lookup fails, Luid is
    	// left uninitialized and AdjustTokenPrivileges operates on garbage.
    	LookupPrivilegeValue(nullptr, "SeDebugPrivilege", &Privileges.Privileges[0].Luid);
    	Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    	// NOTE(review): a nonzero return only means the call itself succeeded. When the
    	// caller does not hold the privilege (non-administrator), the API still returns
    	// nonzero and reports ERROR_NOT_ALL_ASSIGNED via GetLastError, which is not
    	// checked here, so the function can "succeed" without enabling anything.
    	if(AdjustTokenPrivileges(Token, 0, &Privileges, sizeof(Privileges), nullptr, nullptr) == 0)
    	{
    		CloseHandle(Token);
    		throw exception("Unable to enable the debug privilege.");
    	}
    	CloseHandle(Token);
    }
    
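    /// Returns the process ID of the first running process whose executable name
    /// matches procName, or 0 if there is no match or the snapshot cannot be taken.
    /// @param procName  executable file name compared against PROCESSENTRY32::szExeFile
    /// @return the matching PID, or 0 on failure / no match
    DWORD GetPID(const char* procName)
    {
    	// Take a snapshot of all processes in the system.
    	HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    	if(hProcessSnap == INVALID_HANDLE_VALUE)
    		return 0;
    
    	// Set the size of the structure before using it.
    	PROCESSENTRY32 pe32;
    	pe32.dwSize = sizeof(PROCESSENTRY32);
    
    	DWORD pid = 0;
    	// Walk the snapshot. The previous version returned early when Process32First
    	// failed without closing hProcessSnap, leaking the snapshot handle.
    	if(Process32First(hProcessSnap, &pe32))
    	{
    		do
    		{
    			// NOTE(review): strcmp is case-sensitive although Windows file names are not,
    			// so "A.exe" would not match "a.exe"; kept as in the original.
    			if(strcmp(pe32.szExeFile, procName) == 0)
    			{
    				pid = pe32.th32ProcessID;
    				break;
    			}
    		} while(Process32Next(hProcessSnap, &pe32));
    	}
    
    	// Single exit path so the snapshot handle is always released.
    	CloseHandle(hProcessSnap);
    	return pid;
    }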
    
    
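    /// Returns the load address of the first module in pid's module snapshot
    /// (typically the process's main executable), or 0 if the snapshot cannot be
    /// taken or Module32First fails — consistent with GetPID's 0-on-failure.
    /// @param pid  process whose module list is inspected
    /// @return base address truncated to DWORD; only lossless on 32-bit builds
    DWORD GetBaseAddress(DWORD pid)
    {
    	HANDLE phandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    	// The previous version passed an INVALID_HANDLE_VALUE straight to Module32First.
    	if(phandle == INVALID_HANDLE_VALUE)
    		return 0;
    
    	MODULEENTRY32 module;
    	module.dwSize = sizeof(MODULEENTRY32);
    
    	DWORD base = 0;
    	// The previous version ignored this result and returned an uninitialized
    	// modBaseAddr when the call failed.
    	if(Module32First(phandle, &module))
    	{
    		// modBaseAddr is a BYTE*; go through the pointer-sized DWORD_PTR so the
    		// narrowing to DWORD is explicit (reinterpret_cast to a smaller integer
    		// is ill-formed on 64-bit targets).
    		base = static_cast<DWORD>(reinterpret_cast<DWORD_PTR>(module.modBaseAddr));
    	}
    	CloseHandle(phandle);
    	return base;
    }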
    
    /// Copies a 4-byte int into the target process and starts a remote thread at a
    /// hard-coded offset from the target's base address, passing the address of that
    /// copy as the thread argument. The VirtualAllocEx / WriteProcessMemory /
    /// CreateRemoteThread sequence across a process boundary is one of the API
    /// patterns endpoint monitoring commonly logs or blocks, so expect that on
    /// hardened hosts. Failures are reported via puts(); nothing propagates.
    void InjectModule()
    {
    	try
    	{
    		// NOTE(review): GetPID returns 0 when the process is not found; that case is
    		// not checked here and only surfaces as the OpenProcess failure below.
    		unsigned int ProcessID = GetPID("a.exe");
    
    		// Get a handle to the process
    		void* ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessID);
    		if(ProcessHandle == nullptr)
    		{
    			throw exception("Module injection failed: Unable to open a handle to the target process.");
    		}
    
    		int parameter = 5;
    		
    		// Reserve sizeof(int) bytes of read/write memory in the target for a copy of `parameter`.
    		void* AllocatedMemory = VirtualAllocEx(ProcessHandle, nullptr, sizeof(int), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    		
    		if(AllocatedMemory == nullptr)
    		{
    			CloseHandle(ProcessHandle);
    			throw exception("Module injection failed: Unable to allocate memory in the target process.");
    		}
    
    		// NOTE(review): the return value is not checked; a failed or partial write is silently ignored.
    		WriteProcessMemory(ProcessHandle, AllocatedMemory, &parameter, sizeof(int), nullptr);
    		
    		DWORD base = GetBaseAddress(ProcessID);
    		// Fixed RVA of the routine to run. It is specific to one build of the target
    		// and breaks under any other compiler, optimisation level or layout change.
    		DWORD functionptr = base + 0x1000;               // function offset may diff for diff compiler
    		
    		// AllocatedMemory is passed as lpParameter, so the remote routine receives the
    		// *address* of the copied int as its single argument, not the value 5 itself.
    		void* ThreadHandle = 
    		CreateRemoteThread(ProcessHandle, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(functionptr), AllocatedMemory, 0, nullptr);
    		if(ThreadHandle == nullptr)
    		{
    			CloseHandle(ProcessHandle);
    			throw exception("Module injection failed: Unable to create thread in the target process.");
    		}
    		
    		// NOTE(review): on success ThreadHandle and ProcessHandle are never closed and
    		// AllocatedMemory is never released with VirtualFreeEx, so both handles leak.
    		// PostQuitMessage only queues WM_QUIT for this thread; no message loop is
    		// visible in this file, so it presumably has no effect here.
    		PostQuitMessage(0);  
    	}
    	// NOTE(review): catching by value copies (and slices) the exception;
    	// `catch(const exception& Exception)` is the usual form.
    	catch(exception Exception)
    	{
    		puts(Exception.what());
    	}
    
    	return;
    }
    
    
    /// Entry point: raises SeDebugPrivilege on this process, then runs the injection.
    /// NOTE(review): EnableDebugPrivilege throws on failure and nothing here catches
    /// it, so a failed token adjustment terminates the program via std::terminate
    /// rather than printing a message like InjectModule's own failures do.
    int main ()
    {
    
    	EnableDebugPrivilege();		
    	
    	InjectModule();
    	
    	
    	return 0;
    }
