From: star-italia on
I'm posting it here even if it is not a kernel question, because I didn't know where else to post.

Hi everyone, I'm trying to start an exe from memory but at the moment

I need this because for a customer we need to encrypt the exe and then launch it without decrypting it to disk.

The technique I'm trying to use is to create a process in suspended mode, then replace the image
of the process with my exe, and then resume the thread.

I'm stuck at the GetThreadContext function, which gives me an
87 error (The parameter is incorrect).
Can anyone help me?

Here is the code:

STARTUPINFO si = {0};              // note: si.cb is never set to sizeof(si) here
PROCESS_INFORMATION pi;

// CreateProcess takes the address of the PROCESS_INFORMATION structure
if (CreateProcess(L"calc.exe", NULL, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
{
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_FULL;         // ctx is a structure value, not a pointer
    GetThreadContext(pi.hThread, &ctx);      // pass the address of ctx
    GetError("GetThreadContext");            // poster's own error-reporting helper
}

I've read on MSDN this:

A 64-bit application can retrieve the context of a WOW64 thread using the Wow64GetThreadContext function.

and

WOW64: The handle must also have THREAD_QUERY_INFORMATION access.

And I have two questions:

1) I am using Windows 7 Ultimate x64, but my project is compiled as Win32, and the exe I have to load is 32-bit,
so: do I have to use GetThreadContext or Wow64GetThreadContext?
2) How do I create a security descriptor with THREAD_QUERY_INFORMATION?

Or if you can point me to some working source code for x64 to study...

Thanks in advance for your help
From: "Jialiang Ge [MSFT]" on
Hello

I performed a test using this code compiled in win32 on x64 Windows 7 RTM.

#include <windows.h>   // build with UNICODE defined, as the L"..." literal requires
#include <stdio.h>

int main(void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);                     // cb must hold the structure size
    ZeroMemory(&pi, sizeof(pi));

    if (CreateProcess(L"c:\\windows\\SysWOW64\\calc.exe", NULL, NULL, NULL,
                      FALSE, CREATE_SUSPENDED,
                      NULL, NULL, &si, &pi))
    // [ or ]
    // if (CreateProcess(L"c:\\windows\\system32\\calc.exe", NULL, NULL, NULL,
    //                   FALSE, CREATE_SUSPENDED,
    //                   NULL, NULL, &si, &pi))
    {
        CONTEXT ctx;
        ctx.ContextFlags = CONTEXT_FULL;
        if (!GetThreadContext(pi.hThread, &ctx))
        {
            DWORD err = GetLastError();
            printf("%lu\n", err);           // DWORD is an unsigned long
        }
    }
    return 0;
}

I do not get any errors. Could you please let me know your test result?
Should I target the code to x64?
Regards,
Jialiang Ge (jialge(a)online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg(a)microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

From: star-italia on
Thank you, I wasn't doing ZeroMemory on si... but the code still doesn't work,
and I don't know why, because unfortunately it is not mine but a cut-and-paste
from http://www.security.org.sg/code/loadexe.html

Anyway, thank you for your help... Do you know if there is some other piece of source code
to try?

Thanks in advance

From: "Jialiang Ge [MSFT]" on
Hello

Do you mean that the code in my last reply does not work on your side? What
error do you see?

Regards,
Jialiang Ge (jialge(a)online.microsoft.com, remove 'online.')
Microsoft Online Community Support


From: star-italia on

No no, your code works, what doesn't work is the code after that :)

However can you point me to some working code that I can study on how to launch an exe in memory using Win32 API?

Thanks in advance
