C++ / C#
seriouscope, 2021-11-07 13:34:26

How do I call a function with parameters in a remote thread (LdrLoadDll) using the native API?

Hello, I'm learning the native API for the first time and I can't pass the parameters for LdrLoadDll correctly. A code example is below: it is an injector that uses LdrLoadDll instead of LoadLibraryW (LoadLibraryW works with NtCreateThreadEx, unlike LdrLoadDll).
However, the injector crashes the process it is supposed to inject into, and I could not find working examples of NtCreateThreadEx (RtlCreateUserThread) + LdrLoadDll.

#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")

using namespace std;

// Hand-written declarations for ntdll exports. NtCreateThreadEx is not
// declared in winternl.h, so this 11-parameter prototype is the author's own
// and is linked through ntdll.lib (see the #pragma comment above).
EXTERN_C NTSYSAPI NTSTATUS NTAPI NtCreateThreadEx(PHANDLE,
    ACCESS_MASK, LPVOID, HANDLE, LPVOID, LPVOID,
    BOOL, SIZE_T, SIZE_T, SIZE_T, LPVOID);

// Function-pointer type used to call LdrLoadDll after main() resolves it with
// GetProcAddress. The parameter and return types here are not taken from any
// header, so the compiler cannot check them against the real export.
typedef HMODULE(__stdcall* _LdrLoadDll)(
    wchar_t* PathToFile,
    unsigned long Flags,
    PUNICODE_STRING ModuleFileName,
    PHANDLE* ModuleHandle
    );

// Function-pointer type used to call RtlInitUnicodeString after main()
// resolves it with GetProcAddress; likewise hand-written, not from a header.
typedef NTSTATUS(NTAPI* _RtlInitUnicodeString)(PUNICODE_STRING, PCWSTR);

// Argument block that main() copies into the target process and passes to
// ThreadProc as its single parameter. It carries the two ntdll function
// pointers ThreadProc calls plus every value those calls read or write.
typedef struct _THREAD_DATA
{
    _RtlInitUnicodeString RtlInitUnicodeString; // assigned in main() via GetProcAddress
    _LdrLoadDll LdrLoadDll;                     // assigned in main() via GetProcAddress
    UNICODE_STRING UnicodeString;               // filled in by ThreadProc from DllName
    wchar_t DllName[260];                       // source text for UnicodeString
    PWCHAR DllPath;                             // passed as LdrLoadDll's first argument
    ULONG Flags;                                // passed as LdrLoadDll's second argument
    PHANDLE ModuleHandle;                       // its address is LdrLoadDll's last argument; returned by ThreadProc
}THREAD_DATA;

// Start routine of the remote thread. main() copies this function's bytes
// into the target process and runs them there, so the body is written to use
// nothing but what `data` (the THREAD_DATA block also copied over) points to.
// Returns data->ModuleHandle as the thread's exit value.
static HANDLE WINAPI ThreadProc(THREAD_DATA* data)
{
    // Initialise UnicodeString from DllName through the pointer in the block.
    data->RtlInitUnicodeString(&data->UnicodeString, data->DllName);
    // Load the module through the pointer in the block; the return value of
    // LdrLoadDll is discarded, so a failed load is not distinguishable here.
    data->LdrLoadDll(data->DllPath, data->Flags, &data->UnicodeString, &data->ModuleHandle);
    return data->ModuleHandle;
}

// Injector entry point: opens the process with id targetProcId and creates a
// remote thread in it that runs ThreadProc. The sequence used here —
// OpenProcess(PROCESS_ALL_ACCESS) → VirtualAllocEx(PAGE_EXECUTE_READWRITE) →
// WriteProcessMemory → NtCreateThreadEx — is the canonical remote-thread
// injection pattern; Sysmon Event 10 (ProcessAccess) and Event 8
// (CreateRemoteThread) and most EDRs alert on exactly this combination.
// No return value of any call below is checked, and neither handle obtained
// (targetOpened, rt) is closed before main() returns.
int main()
{
    DWORD targetProcId = 4460; //Proc id to inject
    wchar_t targetDllPath[255] = L"DllTest32.dll"; //dll path to inject (not referenced further in this function)

    THREAD_DATA data; // only the two function-pointer members are assigned below

    HANDLE targetOpened = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetProcId);

    // Resolve both ntdll exports in this process; ntdll.dll is loaded at the
    // same base in every process of a session, which is what makes passing
    // these pointers to the target meaningful.
    data.LdrLoadDll = (_LdrLoadDll)GetProcAddress(GetModuleHandleA("ntdll.dll"), "LdrLoadDll");
    data.RtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString");

    // Copy a fixed 3072 bytes starting at ThreadProc's address into an RWX
    // region of the target (the count is a constant, not ThreadProc's size).
    LPVOID allocatedMemCode = VirtualAllocEx(targetOpened, 0, 3072, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(targetOpened, allocatedMemCode, ThreadProc, 3072, 0);

    // Copy a fixed 3072 bytes starting at &data (sizeof(THREAD_DATA) is
    // smaller, so the copy reads past the local) into a second RWX region.
    LPVOID allocatedMemData = VirtualAllocEx(targetOpened, 0, 3072, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(targetOpened, allocatedMemData, &data, 3072, 0);

    // Start the remote thread at the copied code with the copied block as its
    // argument; the returned NTSTATUS and the thread handle are not examined.
    HANDLE rt;
    NtCreateThreadEx(
        &rt, PROCESS_CREATE_THREAD, NULL, targetOpened,
        allocatedMemCode,
        allocatedMemData, FALSE, NULL, NULL, NULL, NULL);
}
