
How to fix “LPVOID: unknown size” error while using the CreateRemoteThread API?

I am trying to create a tool for performing DLL injection by writing the DLL into the memory of a running process using the VirtualAlloc() API, then finding the offset of the entry point and passing it to the CreateRemoteThread() API by adding the entry point offset to the base address of the VirtualAlloc function.

As I don't have any arguments that need to be passed to lpStartAddress when calling CreateRemoteThread(), I initialized lpParameter as NULL.


LPVOID lpParameter = NULL;

...
...
thread_handle = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE)(base_address + offset), lpParameter, 0, NULL);

While compiling the code I am getting the error:

"LPVOID: Unknown Size" and the message "Expression must be a pointer to a complete object type".

Is there a way I can pass the value of lpParameter as NULL?

base_address + offset adds offset * sizeof *base_address bytes to the pointer base_address. But if the type of base_address is LPVOID then *base_address has no size, so this is an error. Have a look at the section on pointer arithmetic in your C++ book.

From the context I guess you should change base_address to be char* instead of LPVOID. Or you could add a cast like this: (LPTHREAD_START_ROUTINE)((char*)base_address + offset).
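The pointer-arithmetic point above, as an added example that is not code from either answer: `void*` (what LPVOID is) has no element size, so the byte-offset must be added through a `char*` or an integer type wide enough to hold a pointer. The function names here are this example's own.

```cpp
// Added example (not from the original answers): why `LPVOID + offset` does not
// compile, and two portable ways to add a byte offset to a base pointer.
#include <cstddef>
#include <cstdint>

// `void* p; p + n` is ill-formed: void is an incomplete type, so the compiler
// cannot know how many bytes one element spans. The fix from the answer above
// is to cast to a byte-sized pointer type first, then add.
inline void* add_byte_offset(void* base, std::size_t offset_bytes) {
    return static_cast<char*>(base) + offset_bytes;
}

// Equivalent formulation through an integer wide enough to hold a pointer;
// handy when the result is immediately cast to a function pointer type such
// as LPTHREAD_START_ROUTINE.
inline void* add_byte_offset_uintptr(void* base, std::size_t offset_bytes) {
    return reinterpret_cast<void*>(
        reinterpret_cast<std::uintptr_t>(base) + offset_bytes);
}

// Byte distance between two addresses inside the same object, i.e. what an
// "entry point offset" relative to an image base actually is.
inline std::ptrdiff_t byte_distance(const void* from, const void* to) {
    return static_cast<const char*>(to) - static_cast<const char*>(from);
}

// Sanity check: element i of an int array sits i * sizeof(int) bytes past
// the base, and both offset helpers land exactly there.
bool offsets_behave_as_bytes() {
    int buf[8] = {};
    void* base = buf;                         // same category of pointer as LPVOID
    std::size_t off = 3 * sizeof(int);
    return add_byte_offset(base, off) == &buf[3]
        && add_byte_offset_uintptr(base, off) == &buf[3]
        && byte_distance(base, &buf[3]) == static_cast<std::ptrdiff_t>(off);
}

// Round trip for any offset inside a 64-byte buffer: add n bytes, then measure
// the distance back to the base; it must be n again.
bool offset_then_distance_roundtrip(std::size_t n) {
    static unsigned char buf[64] = {};
    if (n >= sizeof buf) return false;        // stay inside the object
    void* p = add_byte_offset(buf, n);
    return byte_distance(buf, p) == static_cast<std::ptrdiff_t>(n);
}
```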

In this case you need to follow the below process:

  1. Get a handle to LoadLibraryA function in kernel32.dll
  2. Allocate and Initialize memory in the address space of target process by using VirtualAllocEx
  3. Write the path of the dll that you want to inject into the target process's address space by using WriteProcessMemory
  4. Inject the dll by using CreateRemoteThread and pass the address of LoadLibraryA as the lpStartAddress

Below is the example code:

#include <windows.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
    const char* dllPath = "C:\\testdll.dll";   /* a string literal is const char* in C++ */

    int procID = 16092;
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    if (!hProcess) {
        printf("Error: Process not found.\n");
        return 1;                               /* stop here instead of falling through */
    }

    /* address of LoadLibraryA; GetModuleHandleW matches the L"" literal whether or not UNICODE is defined */
    LPVOID lpvLoadLib = (LPVOID)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryA");
    if (!lpvLoadLib) {
        printf("Error: LoadLibraryA not found.\n");
        CloseHandle(hProcess);
        return 1;
    }

    /* Allocate zero-initialized memory in the target process address space */
    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!lpBaseAddress) {
        printf("Error: Memory was not allocated.\n");
        CloseHandle(hProcess);
        return 1;
    }

    /* Write the path of the dll (including the terminating NUL) into the target process */
    SIZE_T byteswritten = 0;
    BOOL result = WriteProcessMemory(hProcess, lpBaseAddress, (LPCVOID)dllPath, strlen(dllPath) + 1, &byteswritten);
    if (!result) {
        printf("Error: Could not write to process address space.\n");
        CloseHandle(hProcess);
        return 1;
    }

    /* lpStartAddress = address of LoadLibraryA, lpParameter = remote buffer holding the path;
       dwCreationFlags is a DWORD, so pass 0 rather than NULL */
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpvLoadLib, lpBaseAddress, 0, NULL);
    if (!hThread) {
        printf("Error: Not able to create remote thread.\n");
        CloseHandle(hProcess);
        return 1;
    }
    printf("Remote thread created...!\n");

    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}

Hope this helps.
