I am trying to write a DLL injector to perform a DLL injector on a calculator process.
I wrote the DLL injector program in C and the DLL but the injector dosent inject the DLL or any other DLL (I tried to take some random windows DLL that the calculator doesn't use).
#include <stdio.h>
#include <Windows.h>
int main() {
LPCSTR dllpath = "C:\\Users\\......\\Dll1.dll";
printf("#### Starting ####\n");
printf("step 1: attaching the target process memory\n");
HANDLE hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
6456 // target process id
);
if (hProcess != NULL) {
printf("step 2: allocate the target memory process\n");
LPVOID dllPathMemoryAddr = VirtualAllocEx(
hProcess,
NULL,
strlen(dllpath),
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
if (dllPathMemoryAddr != NULL) {
printf("step 3: write to the process memory\n");
BOOL succeededWriting = WriteProcessMemory(
hProcess,
dllPathMemoryAddr,
dllpath,
strlen(dllpath),
NULL
);
if (succeededWriting) {
printf("step 4: execute.\n");
FARPROC loadLibAddr = GetProcAddress(
GetModuleHandle(TEXT("kernel32.dll")),
"LoadLibraryA"
);
HANDLE rThread = CreateRemoteThread(
hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)loadLibAddr,
dllPathMemoryAddr,
0,
NULL
);
}
}
CloseHandle(hProcess);
}
return TRUE;
}
after running the injector I get this output:
#### Starting ####
step 1: attaching the target process memory
step 2: allocate the target memory process
step 3: write to the process memory
step 4: execute.
after that, I am still unable to see in process explorer the new DLL.
You are calling GetProcAddress() to get the address of LoadLibraryA(), this is returning the address of LoadLibraryA in your local process not the injected one. This is not guaranteed to be correct in the external process. You do not need to get the address manually, CreateRemoteThread will resolve the address for you.
Here is a very simple injector example that will explain how to do it
#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
DWORD GetPid(char * targetProcess)
{
HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snap && snap != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 pe;
pe.dwSize = sizeof(pe);
if (Process32First(snap, &pe))
{
do
{
if (!_stricmp(pe.szExeFile, targetProcess))
{
CloseHandle(snap);
return pe.th32ProcessID;
}
} while (Process32Next(snap, &pe));
}
}
return 0;
}
int main()
{
char * dllpath = "C:\\Users\\me\\Desktop\\dll.dll";
char * processToInject = "csgo.exe";
long pid = 0;
while (!pid)
{
pid = GetPid(processToInject);
Sleep(10);
}
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
if (hProc && hProc != INVALID_HANDLE_VALUE)
{
void * loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
WriteProcessMemory(hProc, loc, dllpath, strlen(dllpath) + 1, 0);
HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);
CloseHandle(hThread);
}
CloseHandle(hProc);
return 0;
}
I found the problem. I compiled the DLL as 64 but accidentally compiled the DLL injector has complied as 32 bit.
Related
I use this function as usual, but the debug traces (OutputDebugString) don't work from injecting dlls. And in the target application no thread is created (I look through the process hacker)
GetlastError says 0
CreateRemoteThread says tid
but WaitForSingleObject exits immediately (why if all ok!?)
... I'm confused %
OS windows 10 x64
app and dll - x86
code dll is:
#include <stdio.h>
#include <windows.h>
WINAPI DllMain(HINSTANCE h, DWORD reason, LPVOID res)
{
CHAR pszMessage[1024] = { 0 };
sprintf(pszMessage, ("L2Proj: GetCurrentProcessId() %d, hModule 0x%p, nReason %d\r\n"), GetCurrentProcessId(), h, reason);
OutputDebugString(pszMessage);
switch(reason) {
case DLL_PROCESS_ATTACH:
//MessageBoxA(NULL, "inject success", "done", MB_OK);
TerminateProcess(GetCurrentProcess(), -1);
break;
}
return TRUE;
}
PS TerminateProcess in dll doesn't work either
PPS GetExitCodeThread() after WaitForSingleObject ends is 0
What it the problem with?
ADDED
APP code is:
NOTE: This is just test code (no control over return values / wrong label name codestyle etc.), pls do not tell me about it.
I wrote step by step in the comments which functions return which values
// process of course has access
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
// handle is valid
if(!hProcess) {
return GetLastError();
}
DWORD id;
char str[] = "G:\\workspace\\proj\\test.dll";
void *l = (void*)GetProcAddress(
GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// addr is valid
if(!l) {
return 35;
}
DWORD str_size = strlen(str) + 1;
// memory addr is valid
LPVOID lp = VirtualAllocEx(hProcess, NULL, str_size, MEM_COMMIT |
MEM_RESERVE, PAGE_READWRITE);
BOOL res = WriteProcessMemory(hProcess, lp, str, str_size, NULL);
// res is true
HANDLE h = CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)l,
lp,
0,
&id);
// handle is valid
// id is valid (tid remote thread)
if(!h) {
return GetLastError();
}
DWORD err = GetLastError();
CHAR pszMessage[1024] = { 0 };
sprintf(pszMessage, ("L2Proj: GetProcessId() %d\r\n"), id);
OutputDebugString(pszMessage);
// ends immediately (no waiting)
WaitForSingleObject(h, INFINITE);
GetExitCodeThread(h, &id);
//id is 0 (exit code)
sprintf(pszMessage, ("L2Proj: GetExitCodeThread() %d (GetLastError=%d)\r\n"), id, err);
OutputDebugString(pszMessage);
// the only error after this function (VirtualFreeEx)
// GetLastError gives 87 (0x57) - ERROR_INVALID_PARAMETER
VirtualFreeEx(hProcess, lp, 0, MEM_RELEASE);
CloseHandle(h);
CloseHandle(hProcess);
I forgot, i use g++ (GCC) 9.3.0 - maybe the problem is because of this?
I solved the problem, just change the compiler.
Yes, the problem was with the compiler, everything works fine on the Microsoft compiler.
Thanks for answers.
problem in you not use debugger – RbMm yesterday
and yes, I always use the debugger, thanks a lot ...
I stumbled upon a tutorial about dll injection in c. When I run my code, it gives me a Debug Assertion Failed error when I use the CreateRemoteThread() function in my code.
I use Visual Studio Express 2015 on Windows 10
The Error:
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
int main(int argc, char* argv[])
{
char* buffer = "C:\\inject2.dll";
//Get the process handle passing in the process ID
int procID = 9872;
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
if (process == NULL) {
printf("Error: the specified process couldn't be found\n");
}
//Get the address of the LoadLibrary function
LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
if (addr == NULL) {
printf("Error: the LoadLibraryA function was not found inside kernel32.dll library.\n");
}
//Allocate new memory region inside the process's address space
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, strlen(buffer), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (arg == NULL)
{
printf("Error: the memory could not be allocated inside the chosen process.\n");
}
//Write the argument to LoadLibraryA to the process's newly allocated memory region
int n = WriteProcessMemory(process, arg, buffer, strlen(buffer), NULL);
if (n == 0) {
printf("Error: there were not bytes written to the process's address space.\n");
}
//Inject our DLL into the process's address space
HANDLE threadID = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, NULL, NULL);
if (threadID == NULL)
{
printf("Error: the remote thread could not be created.\n");
}
else
{
printf("Success: the remote thread was succesfully created.\n");
}
//Close the handle to the process because we have already injected the DLL
CloseHandle(process);
getchar();
return 0;
}
If you're using the DLL from the link you supplied, it's probably failing because it's attempting to write to the root of the system drive ("C:\\temp.txt",). Change this path to something your target process can write to.
Can someone provide me with a sample C code that list´s all device Names that i can open with Createfile()? i always get error code 3 : path does not exist
sample code that doesnt works:
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <windows.h>
#include <regstr.h>
#include <devioctl.h>
#include <usb.h>
#include <usbiodef.h>
#include <usbioctl.h>
#include <usbprint.h>
#include <setupapi.h>
#include <devguid.h>
#include <wdmguid.h>
#pragma comment(lib, "Setupapi.lib")
int main(void){
HDEVINFO deviceInfoList;
deviceInfoList = SetupDiGetClassDevs(NULL, NULL, NULL, DIGCF_ALLCLASSES | DIGCF_PRESENT);
if (deviceInfoList != INVALID_HANDLE_VALUE)
{
SP_DEVINFO_DATA deviceInfoData;
deviceInfoData.cbSize = sizeof(SP_DEVINFO_DATA);
for (DWORD i = 0; SetupDiEnumDeviceInfo(deviceInfoList, i, &deviceInfoData); i++)
{
LPTSTR buffer = NULL;
DWORD buffersize = 0;
while (!SetupDiGetDeviceInstanceIdA(deviceInfoList, &deviceInfoData, buffer, buffersize, &buffersize))
{
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
if (buffer) delete buffer;
buffer = new TCHAR[buffersize];
}
else
{
printf("%ls\n", "error");
break;
}
}
HANDLE hFile = CreateFileA(buffer,
GENERIC_READ,
0,
NULL,
OPEN_EXISTING,
0,
NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("InvalidHandle, error code: %d\n", GetLastError());
}
CloseHandle(hFile);
printf("%s\n", buffer);
if (buffer) { delete buffer; buffer = NULL; }
}
}
getchar();
}
my Goal is to print all valid device Names and try to get a valid handle on it that i can later user for sending ioctl`s
thx
EDIT:
ok abhineet so thats what i got now :
DWORD EnumerateDevices(){
DWORD dwResult = 0;
HDEVINFO hdev = SetupDiGetClassDevs(&GUID_DEVCLASS_BATTERY, 0, 0, DIGCF_PRESENT | DIGCF_DEVICEINTERFACE);// DIGCF_ALLCLASSES
/*HDEVINFO hdev =SetupDiGetClassDevs(NULL,
0, // Enumerator
0,
DIGCF_PRESENT | DIGCF_ALLCLASSES); */
if (INVALID_HANDLE_VALUE != hdev) {
for (int idev = 0; idev < 100; idev++)
{
SP_DEVICE_INTERFACE_DATA did = { 0 };
did.cbSize = sizeof(did);
if (SetupDiEnumDeviceInterfaces(hdev, NULL, &GUID_DEVCLASS_BATTERY, idev, &did))
{
DWORD cbRequired = 0;
SetupDiGetDeviceInterfaceDetail(hdev,
&did,
NULL,
0,
&cbRequired,
0);
if (ERROR_INSUFFICIENT_BUFFER == GetLastError())
{
PSP_DEVICE_INTERFACE_DETAIL_DATA pdidd = (PSP_DEVICE_INTERFACE_DETAIL_DATA)LocalAlloc(LPTR, cbRequired);
if (pdidd) {
pdidd->cbSize = sizeof(*pdidd);
if (SetupDiGetDeviceInterfaceDetail(hdev, &did, pdidd, cbRequired, &cbRequired, 0)) {
wprintf(L"%s\n", pdidd->DevicePath);
HANDLE hBattery = CreateFile(pdidd->DevicePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (INVALID_HANDLE_VALUE != hBattery)
{
printf("Successfully opened Handle\n");
CloseHandle(hBattery);
}
else{
wprintf(L"CreateFile(%s) failed %d\n", pdidd->DevicePath, GetLastError());
}
}
else{
printf("SetupDiGetDeviceInterfaceDetail() failed %d\n", GetLastError());
}
LocalFree(pdidd);
}
}
else{
printf("SetupDiGetDeviceInterfaceDetail() failed %d\n", GetLastError());
}
}
else if (ERROR_NO_MORE_ITEMS == GetLastError())
{
printf("-NoMoreItems-");
break; // Enumeration failed - perhaps we're out of items
}
}
SetupDiDestroyDeviceInfoList(hdev);
}
else{
printf("SetupDiGetClassDevs() failed %d\n", GetLastError());
}
return dwResult;
}
i ripped the most from here : https://msdn.microsoft.com/en-us/library/windows/desktop/bb204769(v=vs.85).aspx
and my Output is :
\\?\acpi#pnp0c0a#1#{72631e54-78a4-11d0-bcf7-00aa00b7b32a}
Successfully opened Handle
-NoMoreItems-
at least i got a valid handle!
so i wanna do this an all devices avaible on the System , how to do that?
IMHO, I don't think, you can do a CreateFile on InstanceID. To do a CreateFile, you need the symbolic name of the device. You can use the following SetupAPIs,
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetail
The Remark section of both APIs state that,
SetupDiEnumDeviceInterfaces:: DeviceInterfaceData points to a structure that identifies a requested
device interface. To get detailed information about an interface, call
SetupDiGetDeviceInterfaceDetail. The detailed information includes the
name of the device interface that can be passed to a Win32 function
such as CreateFile (described in Microsoft Windows SDK documentation)
to get a handle to the interface.
SetupDiGetDeviceInterfaceDetail:: The interface detail returned by this function consists of a device path that can be passed to Win32
functions such as CreateFile. Do not attempt to parse the device path
symbolic name. The device path can be reused across system starts.
This might be of your use, how to get DevicePath from DeviceID
I'm dealing with 2 new things: writing a DLL and injecting it in another process. I think I inject it successfully because if I try to delete it I get a message that tells me it is used by another program.
I followed this steps in Visual Studio 2008 http://msdn.microsoft.com/en-us/library/ms235636%28v=vs.80%29.aspx but I wrote it in C, not C++.
And this is the code
DWORD
APIENTRY
DllMain(
HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
printf("Hello World\n");
Sleep(5000); // added this to make sure I see it when it happens
return TRUE;
}
I created an application that references the DLL just like in the MSDN documentation said and it works (it prints Hello World).
At each step in my DLL injection program I check for errors and print them. So I know that no function fails.
I check the exit code and it is 1927086080 which I don't know what means.
I don't know if it's needed, but here is the C source for my program.
#include <stdio.h>
#include <windows.h>
#include <string.h>
int main(int argc, TCHAR* argv[])
{
DWORD procId = 0;
DWORD pathLen = 0;
DWORD writeProcMemory = 0;
DWORD exitCode = 0;
HANDLE hProc = NULL;
HANDLE hDll = NULL;
HANDLE hThread = NULL;
LPVOID baseAdr = NULL;
LPVOID fAdr = NULL;
procId = atoi((char*)argv[1]);
pathLen = strlen((LPCSTR)argv[2]);
if(0 == pathLen)
{
printf("Check DLL path\n");
return 0;
}
// Open process
hProc = OpenProcess(PROCESS_ALL_ACCESS,
0,
procId);
if(NULL == hProc)
{
printf("OpenProcess failed\nGetLastError() = %d\n",
GetLastError());
return 0;
}
// Allocate memory
baseAdr = VirtualAllocEx(hProc,
0,
pathLen + 1,
MEM_COMMIT,
PAGE_READWRITE);
if(NULL == baseAdr)
{
printf("VirtualAllocEx failed\nGetLastError() = %d\n",
GetLastError());
CloseHandle(hProc);
return 0;
}
// write my dll path in the memory I just allocated
if(!WriteProcessMemory(hProc,
baseAdr,
argv[2],
pathLen + 1,
0))
{
printf("WriteProcessMemory failed\nGetLastError() = %d\n",
GetLastError());
VirtualFreeEx(hProc,
baseAdr,
0,
MEM_RELEASE);
CloseHandle(hProc);
return 0;
}
// get kernel32.dll
hDll = LoadLibrary(TEXT("kernel32.dll"));
if(NULL == hDll)
{
printf("LoadLibrary failed\nGetLastError() = %d\n",
GetLastError());
VirtualFreeEx(hProc,
baseAdr,
0,
MEM_RELEASE);
CloseHandle(hProc);
return 0;
}
// get LoadLibraryA entry point
fAdr = GetProcAddress(hDll,
"LoadLibraryA");
if(NULL == fAdr)
{
printf("GetProcAddress failed\nGetLastError() = %d\n",
GetLastError());
FreeLibrary(hDll);
VirtualFreeEx(hProc,
baseAdr,
0,
MEM_RELEASE);
CloseHandle(hProc);
return 0;
}
// create remote thread
hThread = CreateRemoteThread(hProc,
0,
0,
fAdr,
baseAdr,
0,
0);
if(NULL == hThread)
{
printf("CreateRemoteThread failed\nGetLastError() = %d\n",
GetLastError());
FreeLibrary(hDll);
VirtualFreeEx(hProc,
baseAdr,
0,
MEM_RELEASE);
CloseHandle(hProc);
return 0;
}
WaitForSingleObject(hThread,
INFINITE);
if(GetExitCodeThread(hThread,
&exitCode))
{
printf("exit code = %d\n",
exitCode);
}
else
{
printf("GetExitCode failed\nGetLastError() = %d\n",
GetLastError());
}
CloseHandle(hThread);
FreeLibrary(hDll);
VirtualFreeEx(hProc,
baseAdr,
0,
MEM_RELEASE);
CloseHandle(hProc);
return 0;
}
Now, when I inject a shellcode (with a slightly different program than the one above) into a process, I can see in process explorer how my shell code starts running and that the victim process is his parent. Here, I see nothing, but again, it's the first time I'm working with DLLs.
But it still gets loaded because I can't delete the dll file until I kill the victim process.
Also, when I run my injection program, I can see it doing nothing for 5 seconds so it's like the printf is skipped.
Doing this on Windows 7 x64. I know that there are cases in which CreateRemoteThread isn't working on Windows 7, but I use it in my shell code injection and it works and I use the same targets here.
UPDATE: changing my DLL to call ExitProcess(0); kills the victim process, so it all comes down to me not knowing how to print something.
How can I get it to print something?
You want to get messages from your DLL but you use printf. How can you see DLL's printf output? You better write your information to a file.
#define LOG_FILE L"C:\\MyLogFile.txt"
void WriteLog(char* text)
{
HANDLE hfile = CreateFileW(LOG_FILE, GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
DWORD written;
WriteFile(hfile, text, strlen(text), &written, NULL);
WriteFile(hfile, "\r\n", 2, &written, NULL);
CloseHandle(hfile);
}
void WriteLog(wchar_t* text)
{
HANDLE hfile = CreateFileW(LOG_FILE, GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
DWORD written;
WriteFile(hfile, text, wcslen(text) * 2, &written, NULL);
WriteFile(hfile, L"\r\n", 4, &written, NULL);
CloseHandle(hfile);
}
Replace all your printf calls with my function and see what happens actually. By the way, if you have thread in your DLL you can write log every second that will ensure you your code works. You can add time into log file too.
I think if you have enough privilege to inject a DLL into a process, nothing will stop you. Change your code and tell me what happens in log file.
Good luck
this is my first semi-major C project. I'm a self taught programmer so if my code has any major flaws OR if you happen to have any tips for me, please point them out, I'm very eager to learn. Thank you.
Anyway, I decided to code a process injector for windows, as title says, and I every time I attempt to inject the windows XP SP2 calc into designated process, it crashes. The reason I had decided to make it XP based was because this is a test version/POC/whatever.
Is this because the shellcode is only applicable for specific processes?
I had attempted different processes, explorer.exe, firefox.exe, etc. Still crashes.
Oh, and FYI my ASM isn't the best so I borrowed some shellcode from shell-storm
Also, how does the code look? I had some problems understanding the MSDN API for some of the psapi / windows parameters. It seemed kind of vague, and it was kind of hard to find examples online for some of my questions.
#include <windows.h>
#include <stdio.h>
#include <psapi.h>
#define BYTESIZE 100
void ProcessIdentf(DWORD ProcessID);
//Required for Process Handling rights
int SeDebugMode(HANDLE ProcessEnabled, LPCTSTR Base_Name);
int main(void){
//x86 | Windows XP SP2 | calc.exe call
//POC data
unsigned char call_calc[] =
"\x31\xc0\xeb\x13\x5b\x88\x43\x0e\x53\xbb\xad\x23\x86\x7c\xff\xd3\xbb"
"\xfa\xca\x81\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78"
"\x65\x20\x2f\x63\x20\x63\x6d\x64";
//Process HANDLE && Process Identifier WORD
HANDLE FfHandle;
int ProcID;
//VirtualAllocMemPnter
LPVOID lpv = NULL;
//Typecasted pointer to Shellcode
char* shellptr = call_calc;
//Handle for CreateRemoteThread function
HANDLE ControlStructRemote;
//Number of bytes successfully executed
SIZE_T bytescom;
//Data for Process enumeration
DWORD xyProcesses[1024]; //Max_Proc
DWORD abProcesses, cntbNeeded;
unsigned int c;
printf("POC version x00.\nInjects example x86 shellcode into process.\n");
SeDebugMode(GetCurrentProcess(), SE_DEBUG_NAME);
printf("SE_DEBUG_PRIVILEGE successfully enabled.\nPrinting process' eligable for injection\n");
Sleep(10000);
if(!EnumProcesses(xyProcesses, sizeof(xyProcesses), &cntbNeeded)){
exit(1);
}
abProcesses = cntbNeeded / sizeof(DWORD);
//Enumerate processes owned by current user
for(c = 0; c < abProcesses; c++){
if(xyProcesses[c] != 0){
ProcessIdentf(xyProcesses[c]);
}
}
printf("Process PID required\n");
scanf("%d", &ProcID);
FfHandle = OpenProcess(PROCESS_ALL_ACCESS,
FALSE,
ProcID);
lpv = VirtualAllocEx(FfHandle,
NULL,
BYTESIZE,
MEM_COMMIT,
0x40); //PAGE_EXECUTE_READWRITE
if(WriteProcessMemory(FfHandle, lpv, &shellptr, sizeof(shellptr), &bytescom) != 0){
ControlStructRemote = CreateRemoteThread(FfHandle,
0,
0,
(DWORD (__stdcall*) (void*)) shellptr,
0,
0,
0);
if(ControlStructRemote){
printf("POC shellcode successful.\n");
}
else{
printf("Failure, CreateRemoteThread could not spawn a remote thread or failed to exec in target process\n");
}
}
return 0;
}
void ProcessIdentf(DWORD ProcID){
//Enumerates PID and modules. Prints. Implement in loop
//unicode char, max ntfs datafile
TCHAR szProcessname[MAX_PATH] = TEXT("<unknown>");
//open proc handle
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,
FALSE, ProcID);
//enum modules
if(NULL != hProcess){
HMODULE hMod;
DWORD cbNeed;
if(EnumProcessModules(hProcess,&hMod, sizeof(hMod),&cbNeed))
{
GetModuleBaseName(hProcess, hMod, szProcessname,
sizeof(szProcessname)/sizeof(TCHAR));
}
}
//print PID
printf("%s PID: %u\n", szProcessname, ProcID);
//close processhandle
CloseHandle(hProcess);
}
int SeDebugMode(HANDLE xyProcess, LPCTSTR DebugPriv){
HANDLE hTokenProc;
LUID xDebugVal;
TOKEN_PRIVILEGES tPriv;
if(OpenProcessToken(xyProcess,
TOKEN_ADJUST_PRIVILEGES,
&hTokenProc)){
if(LookupPrivilegeValue(NULL, DebugPriv, &xDebugVal)){
tPriv.PrivilegeCount = 1;
tPriv.Privileges[0].Luid = xDebugVal;
tPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hTokenProc,
FALSE,
&tPriv,
sizeof(TOKEN_PRIVILEGES),
NULL,
NULL
);
if(GetLastError() == ERROR_SUCCESS){
return TRUE;
}
}
}
return FALSE;
}
You create the remote thread at shellptr, but it should be lpv where you wrote the code to.
BTW, try to avoid PROCESS_ALL_ACCESS, only specify what exact access you need (it's all on MSDN for each API)