I use Borland C++ Builder 6.0
I get a problem when I try to inject my code into a process: the target process crashes.
Here is my code:
Code:
static DWORD WINAPI Run(LPCVOID lpParam)
{
// Thread entry that the caller below copies, byte for byte, into another
// process and starts there with CreateRemoteThread. lpParam is the pointer
// to a buffer the caller also copied into that process.
//
// Contract as written: lpParam points at three DWORDs. The caller, however,
// fills the buffer from a float[3] (1.0f, 2.0f, 3.0f), so *Param holds the
// float bit patterns (0x3F800000, ...) rather than the integers 1, 2, 3.
DWORD *Param = (DWORD*) lpParam;
// x, y and z are read but never used; only Param itself and fly reach the asm.
DWORD x = *Param;
DWORD y = *(Param+1);
DWORD z = *(Param+2);
// Set to 1 inside the asm when the compared field equals 2 (see cmp eax,2),
// then pushed as an argument to the second call.
DWORD fly = 0;
__try
{
_asm
{ pushad;
// The absolute values 009271B4h, 45DC10h, 461660h and 45E010h, and the
// structure offsets below, are specific to one build of the target image and
// only hold if that image is loaded at the base it was linked for (no
// relocation/ASLR). What the fields and routines mean is not shown on this page.
// Pointer walk: [009271B4h] -> [+1Ch] -> [+20h] -> esi.
mov edx, 009271B4h;
mov ecx, dword ptr[edx];
mov edx, dword ptr[ecx+1Ch];
mov esi, dword ptr[edx+20h];
mov ecx, dword ptr[esi+0BC8h];
// fly = ([esi+5E8h] == 2) ? 1 : 0   (fly is a stack local; the compiler
// resolves it to a frame-relative slot)
mov eax,dword ptr [esi+0x5E8];
cmp eax,2;
jnz next;
mov fly,1;
next:
// First call: one argument (1) pushed; the result in eax is kept in edi.
push 1;
mov edx,45DC10h;
call edx;
mov edi, eax;
// Second call: the pointer held in Param and the value of fly are pushed,
// edi is placed in ecx (looks like a this-pointer convention - not confirmed here).
push Param;
push fly;
mov ecx,edi;
mov edx, 461660h;
call edx;
// Third call: four arguments pushed, ecx reloaded from [esi+0BC8h].
push 0;
push 1;
push edi;
push 1;
mov ecx, dword ptr[esi+0BC8h];
mov edx, 45E010h;
call edx;
// None of the three calls has its pushed arguments removed here, so callee
// cleanup is assumed; that is not verifiable from this page. Note that popad
// does not restore esp.
popad;
}
}
// Filter value 1 is EXCEPTION_EXECUTE_HANDLER: every exception raised inside
// the block is swallowed silently, so a fault in the asm leaves no trace
// beyond the thread returning 0.
__except(1)
{
}
return 0;
}
And I call it like this:
Code:
// OpenProcess + VirtualAllocEx + WriteProcessMemory + CreateRemoteThread is
// the textbook remote-thread injection sequence; endpoint monitoring commonly
// alerts on exactly this chain of calls against another process.
//
// Handle of the target process, opened below with OpenProcess (the original
// comment called it a thread handle).
HANDLE hProcess=NULL;
// Handle of the thread created in the target process.
HANDLE hThread=NULL;
// Address in the target process where Run's bytes are written.
LPVOID ThreadCodeAddr=NULL;
// Source of the code copy: the address of Run in this process. The copy
// below takes 4096 bytes from here regardless of Run's real size, so bytes
// past the end of Run are copied too.
LPVOID Func=Run;
// Address in the target process where the argument buffer is written.
LPVOID ThreadDataAddr=NULL;
// Argument buffer as seen from this process.
LPCVOID lpParam;
DWORD Value = 0;   // unused; the commented-out line below is an earlier DWORD variant
//lpParam = &Value;
// Three floats (12 bytes). Run reads the same bytes as three DWORDs, so it
// sees the float bit patterns, not 1, 2, 3. The 256-byte copy below also
// reads 244 bytes past the end of this array - whatever else is on this
// function's stack - and ships it into the target process.
float Param[3];
lpParam = &Param[0];
// windowHandle and strBuff are declared outside this snippet.
windowHandle = FindWindow(0,strBuff.c_str() );
DWORD PIDB;
::GetWindowThreadProcessId(windowHandle,&PIDB);
// PROCESS_ALL_ACCESS is broader than the calls below require (least
// privilege would ask only for the memory and thread rights actually used).
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,PIDB);
if (!hProcess)
{
//Error(_T("OpenProcess"));
return;   // nothing allocated yet, so nothing to release on this path
}
//------------------
Param[0] = 1;
Param[1] = 2;
Param[2] = 3;
//------------------
// Neither allocation nor either write is checked: a NULL from VirtualAllocEx
// is passed straight into WriteProcessMemory and CreateRemoteThread.
ThreadCodeAddr=VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
ThreadDataAddr=VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory (hProcess, ThreadCodeAddr, Func, 4096, NULL);
WriteProcessMemory (hProcess, ThreadDataAddr, lpParam, 256, NULL);
// Start the copied function in the target with the copied buffer as its
// argument. The two trailing NULLs are dwCreationFlags (0) and lpThreadId.
hThread = CreateRemoteThread(hProcess, NULL, NULL,(LPTHREAD_START_ROUTINE)ThreadCodeAddr, ThreadDataAddr, NULL, NULL);
if (!hThread)
{
//Error(_T("CreateRemoteThread"));
// Returns without the VirtualFreeEx/CloseHandle(hProcess) done below: both
// remote allocations and the process handle are leaked on this path.
return;
}
else
WaitForSingleObject(hThread, INFINITE);   // blocks until the remote thread exits
// The else covers only the wait; everything from here on is the success path.
CloseHandle(hThread);
// With MEM_RELEASE the size argument must be 0; passing 4096 / 256 makes
// these calls fail (ERROR_INVALID_PARAMETER) and the regions stay allocated
// in the target process. The return values are not checked, so this goes unnoticed.
VirtualFreeEx(hProcess, ThreadCodeAddr, 4096, MEM_RELEASE);
VirtualFreeEx(hProcess, ThreadDataAddr, 256, MEM_RELEASE);
CloseHandle(hProcess);
I call SetPrivilege beforehand:
Code:
BOOL TForm1::SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
    // Enables (bEnablePrivilege != FALSE) or disables one named privilege on
    // hToken. Returns TRUE only when the privilege was actually adjusted. A
    // token that does not hold the privilege at all yields FALSE even though
    // AdjustTokenPrivileges itself reports success: in that case it sets the
    // last error to ERROR_NOT_ALL_ASSIGNED, which is checked explicitly below.
    // Under WLOG each failure path writes one line through Log() first.
    LUID privilegeId;
    // Resolve the privilege name on the local system (first argument NULL).
    if ( !LookupPrivilegeValue(NULL, lpszPrivilege, &privilegeId) )
    {
#ifdef WLOG
Log(true,_T("LookupPrivilegeValue"));
#endif
        return FALSE;
    }

    // One-entry adjustment: SE_PRIVILEGE_ENABLED turns the privilege on,
    // an attribute of 0 turns it off.
    TOKEN_PRIVILEGES adjustment;
    adjustment.PrivilegeCount = 1;
    adjustment.Privileges[0].Luid = privilegeId;
    adjustment.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // DisableAllPrivileges == FALSE, so only the entry above is touched. No
    // previous-state buffer is requested, hence nothing is kept for an undo.
    const BOOL adjusted = AdjustTokenPrivileges(hToken,
                                                FALSE,
                                                &adjustment,
                                                sizeof(TOKEN_PRIVILEGES),
                                                (PTOKEN_PRIVILEGES) NULL,
                                                (PDWORD) NULL);
    if ( !adjusted )
    {
#ifdef WLOG
Log(true,_T("AdjustTokenPrivileges\n"));
#endif
        return FALSE;
    }

    // A TRUE return must still be paired with GetLastError():
    // ERROR_NOT_ALL_ASSIGNED means the token never held the privilege.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
#ifdef WLOG
Log(true,_T("The token does not have the specified privilege."));
#endif
        return FALSE;
    }

    return TRUE;
}
Finally, I compile it in release mode.
Can someone help me?
Thank you