将LPVOID强制转换为struct

Question

I want to read the arguments I have send through CreateRemoteThread to my injected DLL inside another process.

I can call the function without problem, I just don't know how to cast LPVOID to a struct.

This is a example:

#pragma pack(push,1)
struct tagRemoteThreadParams
{
    int Param1;
    int Param2;
} RemoteThreadParams, *PRemoteThreadParams;
#pragma pack(pop)

DWORD WINAPI testfunction(LPVOID param)
{
    // cast LPVOID to tagRemoteThreadParams (param)
    WriteToLog("YES YOU CALLED THE FUNCTION WITH PARAM: ");
    return 0;
}

This is my struct and how I have allocated the mem inside the process:

[StructLayout(LayoutKind.Sequential, Pack=1)]
public struct RemoteThreadParams
{
    [MarshalAs(UnmanagedType.I4)]
    public int Param1;

    [MarshalAs(UnmanagedType.I4)]
    public int Param2;
}

public uint CallFunction(int _arg1)
{
    RemoteThreadParams arguments = new RemoteThreadParams();
    arguments.Param1 = 1;
    arguments.Param2 = 2;

    //pointer to the function im trying to call
    IntPtr _functionPtr = IntPtr.Add(this.modulePtr, 69772);

    // Allocate some native heap memory in your process big enough to store the
    // parameter data
    IntPtr iptrtoparams = Marshal.AllocHGlobal(Marshal.SizeOf(arguments));

    // Copies the data in your structure into the native heap memory just allocated
    Marshal.StructureToPtr(arguments, iptrtoparams, false);

    //allocate som mem in remote process
    IntPtr lpAddress = VirtualAllocEx(this.processHandle, IntPtr.Zero, (IntPtr)Marshal.SizeOf(arguments), AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite);

    if (lpAddress == IntPtr.Zero)
    {
        return 0;
    }

    if (WriteProcessMemory(this.processHandle, lpAddress, iptrtoparams, (uint)Marshal.SizeOf(arguments), 0) == 0)
    {
        return 0;
    }
    //Free up memory
    Marshal.FreeHGlobal(iptrtoparams);

    uint threadID = 0;
    IntPtr hThread = CreateRemoteThread(this.processHandle, IntPtr.Zero, 0, _functionPtr, lpAddress, 0, out threadID);
    if (hThread == IntPtr.Zero)
    {
        //throw new ApplicationException(Marshal.GetLastWin32Error().ToString());
        throw new Win32Exception();
    }
    WaitForSingleObject(hThread, 0xFFFFFFFF);
    // wait for thread to exit


    // get the thread exit code
    uint exitCode = 0;
    GetExitCodeThread(hThread, out exitCode);

    // close thread handle
    CloseHandle(hThread);

    return exitCode;
}

Answer 1

If I understand your code correctly, you inject UT8 encoded string into the other's process memory (I'm kind of surprised that it works).

Assuming it does work, in your C++ code you need to convert the UTF8 encoded byte array pointed by param to some kind of string that C++ understands.

One way to do it is to use MultiByteToWideChar

Another way is to use STL. I found a question about it here .

Answer 2

And the answer to the cast problem was:

struct tagRemoteThreadParams *tData = (struct tagRemoteThreadParams *)param;

Thank you for the help guys