garph0
December 13th, 2000, 05:27
Hi all 
I'm here again with a question about my code injector tool:
the 'static' version (which creates the process suspended and works on it before letting it run) works (almost) well, so I decided to move on to a dynamic version, which should attach to running processes.
The steps are almost the same; I'll repeat them here so you won't have to read the previous posts:
1) Retrieve thread and process handles (well, actually I obtain them from CreateProcess, but I don't use CREATE_SUSPENDED)
2) SuspendThread()
3) Prepare a shared memory mapped file with my new code, a page of the code found at the entry point, some code to put the original code back, and the code for a second thread (more on this later)
4) GetThreadContext and save it in the MMF, say MMFContext
5) Overwrite the target program entry point with the code to map the MMF and jump to the Injected code start
6) Create a duplicate of the target process main thread handle and save it in MMFhThread in the MMF
7) Modify the Eip in the context to the target program entry point
8) Resume the thread
When resumed, the target program will map the MMF, execute some code, execute the code in the MMF to restore the program's EP, then create a new thread and enter an endless loop.
The new thread will use MMFhThread to:
1) Suspend the main thread
2) restore its context <-------------- ERROR
3) resume the main thread
On step 2), SetThreadContext returns FALSE, and GetLastError() reports ERROR_NOACCESS, which is the mapping of STATUS_ACCESS_VIOLATION.
The documentation says:
Windows NT/ 2000: The handle must have the THREAD_SET_CONTEXT access right to the thread. For more information, see Thread Security and Access Rights.
I've not tested it under Win98 (I will), but when duplicating the handle I requested THREAD_ALL_ACCESS and the operation completed successfully, so it shouldn't be a problem of privileges...
I'm pretty confused, do you ppl have any idea?
thanks
garph0