VMT 36 in ... AutoIt !

[Robske]

Greetings,


I've been trying to get the Interact function working in AutoIt but have some problems with calling CreateRemoteThread from kernel32.dll

Here's a paste (YaY to shynd for the original code) : AutoIt pastebin - collaborative debugging tool

The arguments of the function are as follows:

Code:

HANDLE WINAPI CreateRemoteThread(
  __in   HANDLE hProcess,
  __in   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in   SIZE_T dwStackSize,
  __in   LPTHREAD_START_ROUTINE lpStartAddress,
  __in   LPVOID lpParameter,
  __in   DWORD dwCreationFlags,
  __out  LPDWORD lpThreadId
);

In AutoIt this would translate to:

DllCall("kernel32.dll", "int", "CreateRemoteThread", typeN, argN)

I'm unsure what to take as lpStartAddress and lpParameter

Any help / hints to website are appreciated,


And I know AutoIt sucks for memory-editing, thanks :[

[Nesox]

I dont think the charmander will like this thread
honestley i dun know how to do it in autoit u shoud do it in vb c# or c++ alot easier there

[Robske]

I dont think the charmander will like this thread
honestley i dun know how to do it in autoit u shoud do it in vb c# or c++ alot easier there

I know it's easier in those languages, but I'm not to familiar with any of those. I only have experience with Java :/

I'm reading up on them though, ordered a book "C++ for dummies" and following several guides on the internet.

Oh and

Charmander can't flame Spyro!1

[Nesox]

Charmander can't flame Spyro!1

u wish!
if ure into c#, learning c# 2005 is a pretty good book..

[Cypher]

For the love of all things good in this world, please don't do this. >.<

The last thing we need is encouraging people to use AutoIt.

[Robske]

For the love of all things good in this world, please don't do this. >.<

The last thing we need is encouraging people to use AutoIt.

Ok, AutoIt aside, I'm don't want to leave a job unfinished - the 2 arguments, lpStartAddress and lpParameter, what are they? I couldn't find an answer on MSDN :/

[barthen]

http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx

First search result in google

[Cypher]

http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx

First search result in google

10 bucks says he searched for the param name instead of API name.

[UnknOwned]

There is a certain challange and charm coding stuff in AutoIt, like making Visual Basic or Batch files.
Its a mess, but it works.

[Cypher]

There is a certain challange and charm coding stuff in AutoIt, like making Visual Basic or Batch files.
Its a mess, but it works.

Challenge, yes, and I'm all for that, but when theres a POINT to it. Its not challenging because you're doing something difficult, its challenging because the language is so ****ing restrictive.

Charm? Only if you find things like mangled corpses and herpes charming.

Yes it is a mess. Yes it does "work'. But just because something "works" doesn't mean it can't work BETTER.... and cleaner.... and easier.... and faster.... and so on and so forth.

[Shynd]

If you're familiar with Java, learn C#.

Edit: As an afterthought, this is how I used to inject a DLL via AutoIt. This is using the DllCall from AutoIt v3.2.2.0, so the syntax is probably different by now. LOOK HOW UGLY THIS IS

[Robske]

http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx

First search result in google

Where do you think I got the quoted code from? :/

HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);


Thanks shynd, will look into it

[Cypher]

Where do you think I got the quoted code from? :/

HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);


Thanks shynd, will look into it

Did you even read that page?

Parameters

hProcess [in]
A handle to the process in which the thread is to be created. The handle must have the PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ access rights. For more information, see Process Security and Access Rights.

lpThreadAttributes [in]
A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread and determines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL, the thread gets a default security descriptor and the handle cannot be inherited. The access control lists (ACL) in the default security descriptor for a thread come from the primary token of the creator.

Windows XP/2000: The ACLs in the default security descriptor for a thread come from the primary or impersonation token of the creator. This behavior changed with Windows XP with SP2 and Windows Server 2003.
dwStackSize [in]
The initial size of the stack, in bytes. The system rounds this value to the nearest page. If this parameter is 0 (zero), the new thread uses the default size for the executable. For more information, see Thread Stack Size.

lpStartAddress [in]
A pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information, see ThreadProc.

lpParameter [in]
A pointer to a variable to be passed to the thread function.

dwCreationFlags [in]
The flags that control the creation of the thread.

Value Meaning
0
The thread runs immediately after creation.
CREATE_SUSPENDED
0x00000004
The thread is created in a suspended state, and does not run until the ResumeThread function is called.
STACK_SIZE_PARAM_IS_A_RESERVATION
0x00010000
The dwStackSize parameter specifies the initial reserve size of the stack. If this flag is not specified, dwStackSize specifies the commit size.
Windows 2000: The STACK_SIZE_PARAM_IS_A_RESERVATION flag is not supported.
lpThreadId [out]
A pointer to a variable that receives the thread identifier.

If this parameter is NULL, the thread identifier is not returned.