Originally Posted by bithub
    You need to check the return values of all those API functions you are calling.
OK, the code is this now. I print a message if an error value has been returned from the API calls prior to CreateRemoteThread(), and I replaced sizeof(szLibPath) with strlen(szLibPath) + 1,
but the problem persists. Can you try it, please? Perhaps it's a bug in kernel32.dll... I also had a buggy psapi.dll, it was the version included in the WinXP installation, so kernel32 could also be buggy...
I think that if this program works on someone else's machine, the problem could be a bug in kernel32, so please, someone try it.
P.S. LoadLibrary is a valid pointer in the remote process, because kernel32.dll is loaded in all Win32 processes at the same address, and so is LoadLibraryA.
Code:
#include <windows.h>
#include <stdlib.h>   // _MAX_PATH
#include <string.h>

const char szDLL[] = "somedll.dll";
void RemoteLoadDll(HANDLE, const char *);

int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, INT){
    RemoteLoadDll(GetCurrentProcess(), szDLL); // I also tried with handles to different processes
    return 0;
}

void RemoteLoadDll(HANDLE hProcess, const char *szDll){
    char szLibPath[_MAX_PATH];
    void* pLibRemote;      // The address (in the remote process) where
                           // szLibPath will be copied to;
    DWORD hLibModule;      // Base address of loaded module (==HMODULE);
    HANDLE hThread;        // Remote thread that runs LoadLibraryA
    FARPROC pLoadLibraryA; // Address of LoadLibraryA (same in the remote process)
    HMODULE hKernel32 = ::GetModuleHandle("Kernel32");

    // initialize szLibPath (the path must fit in the local buffer, NUL included)
    if(strlen(szDll) >= sizeof(szLibPath)){
        MessageBox(NULL,"DLL path too long","",MB_OK);
        return ;
    }
    strcpy(szLibPath, szDll);

    pLoadLibraryA = ::GetProcAddress( hKernel32, "LoadLibraryA" );
    if(!pLoadLibraryA){
        MessageBox(NULL,"GetProcAddress failed","",MB_OK);
        return ;
    }
    // 1. Allocate memory in the remote process for szLibPath
    // 2. Write szLibPath to the allocated memory
    pLibRemote = ::VirtualAllocEx( hProcess, NULL, strlen(szLibPath) + 1,
                                   MEM_COMMIT, PAGE_READWRITE );
    if(!pLibRemote){
        MessageBox(NULL,"pLibRemote=NULL","",MB_OK);
        return ;
    }
    if(!::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,
                              strlen(szLibPath) + 1, NULL )){
        MessageBox(NULL,"WriteProcessMemory failed","",MB_OK);
        ::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );
        return ;
    }
    MessageBox(NULL,"before createremotethread()","remoteloaddll()",MB_OK);
    // Load DLL into the remote process
    // (via CreateRemoteThread & LoadLibrary)
    // THIS WILL RAISE A MEMORY ACCESS EXCEPTION...WHY??
    hThread = ::CreateRemoteThread( hProcess, NULL, 0,
                                    (LPTHREAD_START_ROUTINE) pLoadLibraryA,
                                    pLibRemote, 0, NULL );
    if(!hThread){
        MessageBox(NULL,"CreateRemoteThread failed","",MB_OK);
        ::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );
        return ;
    }
    MessageBox(NULL,"after createremotethread()","remoteloaddll()",MB_OK);
    ::WaitForSingleObject( hThread, INFINITE );
    // Get handle of the loaded module (LoadLibraryA's return value is the thread exit code)
    ::GetExitCodeThread( hThread, &hLibModule );
    // Clean up
    ::CloseHandle( hThread );
    // MEM_RELEASE requires dwSize == 0; passing a size makes the call fail
    ::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );
}