Dll injection. Execute CreateRemoteThread with parameter

3
votes

I wrote dll injection program that works just fine. It loads dll into remote process and calls some function. Now i want to pass argument to that function. CreateRemoteThread has lpParameter for that, but how to get that passed argument inside dll to use it in function?

Update: dll entry point is common:

BOOL APIENTRY DllMain( HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)

Dll contains only one function with following prototype:

void TestFunction(const char* ua);

Code that calls that function is:

CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((void*)codecaveExecAddr), (LPVOID)argumentAddress, 0, NULL);

As you can see i try to pass "test" string inside TestFunction. But then i check ua argument inside TestFunction it contains some trash.

Here are the whole project files:
http://pastebin.com/gh4SnhmV
http://pastebin.com/Sq7hpSVx
http://pastebin.com/dvgXpUYz

UPDATE 2
Should TestFunction have some specific propotype or i can use any as long as it has only one parameter of LPVOID type? I'm confused. Can anyone give me an example of how to call injected dll's function with some argument?

1
c++winapidllcode-injectioncreateremotethread
Cast it, dereference it, use it.Kerrek SB
@Kerrek SB sorry, i don't understand what you mean. cast what?clumpter
Sorry, I was being facetious. You asked a question with zero details or code and expected us to know what's in your mind, so I gave an answer in the same spirit. The real answer is, "post your code and be specific".Kerrek SB
@Kerrek SB i gave all details to answer my question. There is no need to post whole dll code here since algorithm of passing argument to dll with CreateRemoteThread and extracting it in dll stays the same. Your answer wasn't smart.clumpter

1 Answers

6
votes

You need to allocate the data inside the other process' memory. For that, use the VirtualAllocEx function which will return the address in the other process memory, that you pass to CreateRemoteThread.

CreateRemoteThread works exactly the same way as CreateThread, except that it creates the thread in the remote process. One thing to keep in mind is that when you are passing a pointer to an object in lpParameter the remote thread, which is running in a different virtual address space will try to access that address in that address space.