CreateRemoteThread Error

gothic_coder

Hello all, I'm injecting my DLL (Hooking) to explorer.exe using CreatRemoteThread, Now this works fine in windows XP but when i tried in Windows Server 2003, CreateRemoteThread fails with error code 5 (Access Denied), What permission do i need to set?

#include "windows.h"
#include "stdio.h"
#include <tlhelp32.h>
#include <shlwapi.h>

BOOL Inject_DLL(DWORD dwID)

{
HANDLE hToken = NULL;
HANDLE hProc = NULL;
HANDLE hThread = NULL;
BOOL bReturn = FALSE;
BOOL bLibLoaded = FALSE;
BOOL bWriteCheck = FALSE;
char szErrBuff[MAX_PATH] = "";
char szDllFolder[2 * MAX_PATH] = "";
char szDllPath[2 * MAX_PATH] = "C:\\DelDll\\DetourExample.dll";
//char szDllPath[2 * MAX_PATH] = "D:\\Working_Ashish\\DetourExample\\release\\DetourExample.dll";
void* pLibRemote = NULL;
HMODULE hKernel32 = NULL;
DWORD err = 0;
TCHAR szTemp[MAX_PATH] = "";
DWORD dwDesiredAccess;
TCHAR szError[MAX_PATH] = "";

//Access Identifiers to open the target process
dwDesiredAccess = PROCESS\_CREATE\_THREAD |
				  PROCESS\_QUERY\_INFORMATION |
				  PROCESS\_VM\_OPERATION|
				  PROCESS\_VM\_WRITE |
				  PROCESS\_VM\_READ;


//Opening the target process.
hProc = OpenProcess(dwDesiredAccess, FALSE, dwID);	
if(hProc == NULL || hProc == INVALID\_HANDLE\_VALUE)
{
	MessageBox(NULL, "Cannot Open Process", "Error", MB\_OK);
	printf("Cannot Open Process\\n");
	goto Cleanup;
}



hKernel32 = GetModuleHandle("Kernel32");
if(hKernel32 == INVALID\_HANDLE\_VALUE || hKernel32 == NULL)
{
	hKernel32 = LoadLibrary("Kernel32");
	if(hKernel32 == INVALID\_HANDLE\_VALUE || hKernel32 == NULL)
	{
		MessageBox(NULL, "Cannot Load Kernel", "Error", MB\_OK);
		printf("Cannot Load Kernel32");			
		goto Cleanup;
	}
	else
	{
		bLibLoaded = TRUE;
	}
}	

//Allocate memory for the DLL name in the remote target process.
pLibRemote = VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM\_COMMIT, PAGE\_READWRITE );
if(pLibRemote == NULL)
{
	MessageBox(NULL, "Virtual Alloc Failed", "Error", MB\_OK);
	printf("Virtual Alloc Failed\\n");
	goto Cleanup;
}


//Write the DLL name, including full path, to the allocated memory.
bWriteCheck = WriteProcessMemory(hProc, pLibRemote, (void\*)szDllPath, sizeof(szDllPath), NULL );	
if(bWriteCheck == 0)
{
	MessageBox(NULL, "WriteProcess Memory Failed", "Error", MB\_OK);
	printf("WriteProcessMemory Failes\\n");
	goto Cleanup;
}


//Mapping our DLL to the remote process via CreateRemoteThread & LoadLibrary..
hThread

_AnsHUMAN_

Use GetLastError[^] to determine the error code

I am a HUMAN. I have that keyword (??? too much) in my name........ ;-)_AnsHUMAN_b>

Cool_Dev

thats what gothic_coder already told:- CreateRemoteThread fails with error code 5 (Access Denied) :|

Lost User

I would expect that you need to request administrator privileges to run this under Vista and beyond. As a simple test right click your exe file and select "run as administrator" to see if it works. If so then add administrator privilege to your manifest.

It's time for a new signature.

elchupathingy

Some times you need to just have Debug Privileges to inject a DLL into another process when you get the "access denied". So, just grant yourself Debug Privileges. I have done this on vista 32bit with no problems. Problems come in with the same code in 64bit versions.

gothic_coder

Thanks all, Yes some other techie guys told me to raise the privileges, But doing that also won't make difference, Here's what i'm doing..

BOOL EnablePriv(LPCSTR lpszPriv)
{
BOOL bRet;
HANDLE hToken;
LUID luid;
TOKEN_PRIVILEGES tkprivs;

ZeroMemory(&tkprivs, sizeof(tkprivs));

if(!OpenProcessToken(GetCurrentProcess(), (TOKEN\_ADJUST\_PRIVILEGES | TOKEN\_QUERY), &hToken))
	return FALSE;

if(!LookupPrivilegeValue(NULL, lpszPriv, &luid)){
	CloseHandle(hToken); return FALSE;
}

tkprivs.PrivilegeCount = 1;
tkprivs.Privileges\[0\].Luid = luid;
tkprivs.Privileges\[0\].Attributes = SE\_PRIVILEGE\_ENABLED;

bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);
CloseHandle(hToken);
return bRet;

}