C++

Forum

 
How to use QueueUserAPC instead of CreateRemotheThread

omarespanol (47)
Hello hi i did a small injector but now i want to use QueueUserAPC, documentation:
https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684954(v=vs.85).aspx

My problem is how i can change createremotethread for QueueUserAPC because i will use the same thread but the other data i dont know how to include it..
1
2
3
4
5
 
DWORD WINAPI QueueUserAPC(
  _In_ PAPCFUNC  pfnAPC,
  _In_ HANDLE    hThread,
  _In_ ULONG_PTR dwData
);



So my code is the follow:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
 
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Tlhelp32.h>
#include <wchar.h>
#include <iostream>
using namespace std;

void error(char *err);

HANDLE myProc = NULL;

void error(char *err)
{
 if (myProc != NULL) CloseHandle(myProc);
 printf("%s", err);
 exit(0);
}

HANDLE Startpausedprocess( char* cmd, PHANDLE ptr_thread ) // cleaned up a bit, but no RAII
{
    if( ptr_thread == nullptr ) return nullptr ;

    PROCESS_INFORMATION pi;
    STARTUPINFOA si {} ; // initialize with zeroes.
    si.cb = sizeof(STARTUPINFOA);

    if( !CreateProcessA( nullptr, cmd, nullptr, nullptr, false, CREATE_SUSPENDED,
                         nullptr, nullptr, std::addressof(si), std::addressof(pi) ) )
    {
        std::cerr << "CreateProcess failed, " << GetLastError() << '\n' ;
        *ptr_thread = nullptr ;
        return nullptr;
    }

    *ptr_thread = pi.hThread;
    return pi.hProcess;
}


int main(int argc, char *argv[])
{
 char cmd[] = "taskmgr.exe" ; // note: non-const (writeable array)
    HANDLE thread = nullptr ;
    auto myProc=Startpausedprocess( cmd, std::addressof(thread) ) ;
  if(myProc)
    {
        //std::cout << "press enter to resume process... " && std::cin.get() ;
        ResumeThread(thread) ;

        //CloseHandle(thread) ;
        //CloseHandle(myProc) ;
    }

  // Reservar memoria para el argumento (ruta de la DLL)
  char thData[] = "dllmain.dll";
  LPVOID dirToArg = VirtualAllocEx(myProc, NULL, strlen(thData), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  if (dirToArg == NULL)
   error("[-] Error reservando memoria para argumento.\n");
  else
   printf("[+] Memoria reservada para argumento (%i bytes).\n", strlen(thData));


  // Escribir la ruta de la DLL en la memoria reservada
  SIZE_T written = 0;
  if (WriteProcessMemory(myProc, dirToArg, (LPVOID)&thData, strlen(thData), &written) == 0)
   error("[-] Error escribiendo memoria.\n");
  else
   printf("[+] Memoria escrita (arg %i bytes).\n", written);
  //Lanzar un hilo con LoadLibrary
  //Load the DLL
  //Load the DLL
  HANDLE rThread = CreateRemoteThread(myProc, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary(L"Kernel32.dll"), "LoadLibraryA"), dirToArg, NULL, NULL);
  if (rThread == NULL)
   error("[-] Error creando el hilo.\n");
  else
   printf("[+] Hilo creado.\n");
  CloseHandle(rThread);
}


In my case i want something like this but adapted at my code..
QueueUserAPC((PAPCFUNC)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"), hThread, (ULONG_PTR)lpBaseAddress);
i want to change it for QueueUserAPC and the argument correctly for my code.
Last edited on
helios (17574)
From the MSDN article you posted:
The APC support provided in the operating system allows an application to queue an APC object to a thread. To ensure successful execution of functions used by the APC, APCs should be queued only to threads in the caller's process.
In other words, you can't use asynchronous procedure calls to inject code into remote processes.
omarespanol (47)
so i can't use asynchronous procedure calls to inject code into remote processes.
Ok thx.
Topic archived. No new replies allowed.