Process injection, maybe madshi can answer?
Posted on 2003-03-22
// Requires the Windows unit plus elicz's RT wrappers (xVirtualFreeEx, xVirtualAllocEx, xCreateRemoteThread)
function InjectExe(Process: LongWord; EntryPoint: Pointer): BOOL;
var
  Module, NewModule: Pointer;
  Size, BytesWritten, TID: LongWord;
begin
  Result := False;
  Module := Pointer(GetModuleHandle(nil));  // base of our own mapped image (usually $400000)
  // DOS header -> _lfanew -> skip 'PE'#0#0 signature and the file header -> optional header
  Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
    SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
  // free whatever the target holds at our base, then reserve the same range there
  xVirtualFreeEx(Process, Module, 0, MEM_RELEASE);
  NewModule := xVirtualAllocEx(Process, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  if NewModule = nil then Exit;
  // copy our entire image into the target and start a thread at EntryPoint
  WriteProcessMemory(Process, NewModule, Module, Size, BytesWritten);
  if xCreateRemoteThread(Process, nil, 0, EntryPoint, Module, 0, @TID) <> 0 then
    Result := True;
end;
The idea is to take the currently running PE image, copy it exactly into another process and create a thread for it. This works perfectly in NT/2K/XP using both the native API and elicz's RT, which allows xCreateRemoteThread etc. to work on 95/98/ME.
The result is the PE image running inside another process.
Now, assuming elicz's code works perfectly, what would be the reason this doesn't work on 95/98/ME? Does it have something to do with the image base being so high? (my guess)
Let me know what other info you need to understand this better. I don't mind raising the points if anyone can fix it, but I really just want to know why it doesn't work.
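Added example, not code from the poster or from elicz's RT: a small C program that walks a PE32 header with the same arithmetic as the Size := ... line above (DOS header, _lfanew, "PE\0\0" signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32) and, beside SizeOfImage, reads out the two fields that matter when an image is copied byte-for-byte into another process: ImageBase, and whether a base-relocation table exists. An image with no relocations can only execute at its ImageBase, and the routine above copies the image without applying relocations, so those two values are what a practitioner would check first when the address the copy lands at is in doubt. The function names pe_inspect, build_sample_image and self_check are this example's own, and the header-only PE32 image it parses is constructed in memory so the program runs offline, without windows.h or a real .exe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_RELOCS_STRIPPED      0x0001u
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC   0x10bu
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5

typedef struct {
    uint32_t image_base;    /* preferred load address of the image */
    uint32_t size_of_image; /* bytes the posted code allocates and copies */
    uint32_t entry_rva;     /* AddressOfEntryPoint, relative to image_base */
    int      relocatable;   /* 1 if a base-relocation table is present and not stripped */
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walks DOS header -> _lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32,
 * the same arithmetic as the posted Size := ... line. Returns 0 on success, negative on
 * a truncated, non-PE or non-PE32 image. */
int pe_inspect(const uint8_t *img, size_t len, pe_info_t *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t lfanew = rd32(img + 0x3c);                         /* IMAGE_DOS_HEADER._lfanew */
    if (lfanew > len || len - lfanew < 4 + 20 + 224) return -2; /* sig + file hdr + opt hdr */
    const uint8_t *nt = img + lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -3;
    const uint8_t *fh  = nt + 4;   /* "+ SizeOf(dword)" in the Delphi */
    const uint8_t *opt = fh + 20;  /* "+ SizeOf(TImageFileHeader)" */
    if (rd16(opt) != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return -4; /* PE32+ lays fields out differently */
    uint16_t characteristics = rd16(fh + 18);
    out->entry_rva     = rd32(opt + 16);
    out->image_base    = rd32(opt + 28);
    out->size_of_image = rd32(opt + 56);
    uint32_t ndirs = rd32(opt + 92);
    uint32_t reloc_rva = ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC
                       ? rd32(opt + 96 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8) : 0;
    out->relocatable = reloc_rva != 0 && !(characteristics & IMAGE_FILE_RELOCS_STRIPPED);
    return 0;
}

/* Constructed sample input: a header-only PE32 image (no sections, no code) so the
 * parser can run offline. with_relocs chooses whether a .reloc directory is present. */
size_t build_sample_image(uint8_t *buf, size_t cap, int with_relocs)
{
    const uint32_t lfanew = 0x80;
    size_t total = lfanew + 4 + 20 + 224;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, lfanew);
    memcpy(buf + lfanew, "PE\0\0", 4);
    uint8_t *fh = buf + lfanew + 4, *opt = fh + 20;
    wr16(fh, 0x14c);                               /* Machine: i386 */
    wr16(fh + 2, 1);                               /* NumberOfSections */
    wr16(fh + 16, 224);                            /* SizeOfOptionalHeader */
    wr16(fh + 18, with_relocs ? 0x0102 : 0x0103);  /* EXECUTABLE_IMAGE|32BIT_MACHINE[|RELOCS_STRIPPED] */
    wr16(opt, 0x10b);                              /* PE32 magic */
    wr32(opt + 16, 0x1000);                        /* AddressOfEntryPoint */
    wr32(opt + 28, 0x00400000);                    /* ImageBase, the usual exe default */
    wr32(opt + 56, 0x7000);                        /* SizeOfImage */
    wr32(opt + 92, 16);                            /* NumberOfRvaAndSizes */
    if (with_relocs) { wr32(opt + 96 + 40, 0x6000); wr32(opt + 96 + 44, 0x100); }
    return total;
}

/* Runs both constructed images through pe_inspect; returns 1 if every field reads back
 * as written and a corrupted MZ signature is rejected, 0 otherwise. */
int self_check(void)
{
    uint8_t buf[512]; pe_info_t pi;
    size_t n = build_sample_image(buf, sizeof buf, 1);
    if (n != 0x80 + 248 || pe_inspect(buf, n, &pi) != 0) return 0;
    if (pi.image_base != 0x400000u || pi.size_of_image != 0x7000u ||
        pi.entry_rva != 0x1000u || pi.relocatable != 1) return 0;
    n = build_sample_image(buf, sizeof buf, 0);
    if (pe_inspect(buf, n, &pi) != 0 || pi.relocatable != 0) return 0;
    buf[0] = 'X';                                  /* corrupt the MZ signature */
    return pe_inspect(buf, n, &pi) == -1;
}

int main(void)
{
    uint8_t buf[512]; pe_info_t pi;
    size_t n = build_sample_image(buf, sizeof buf, 1);
    if (pe_inspect(buf, n, &pi) != 0) return 1;
    printf("ImageBase=0x%08x SizeOfImage=0x%x EntryPoint=0x%08x relocatable=%d\n",
           pi.image_base, pi.size_of_image, pi.image_base + pi.entry_rva, pi.relocatable);
    return self_check() ? 0 : 1;
}
```

To point it at a real executable, read the file into a buffer and hand it to pe_inspect; the header layout is identical on disk and in memory because SizeOfHeaders is file-aligned, so the fields it reads are valid either way. The "+ 4 + 20" constants are the C counterparts of SizeOf(dword) and SizeOf(TImageFileHeader) in the posted Delphi, and the PE32 magic check is there because a PE32+ optional header stores ImageBase as 64 bits at a different offset.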