cloverleafswag3

Calling Other Processes Functions

// 32 bit processes only
// only cdecl functions
// took some of this from some injector source

// Upper bound on the arguments one remote call can carry. The `caller` stub
// below always forwards exactly this many DWORD slots.
#define MAX_CALLER_ARGUMENTS 16
// Parameter block that is copied into the target process and handed to the
// remote thread running `caller`: the absolute address to call plus the
// argument slots. Surplus slots are harmless only because the callee is cdecl
// (the caller pops the arguments), which is why the header restricts this to
// cdecl functions.
typedef struct _CALLER_ARGUMENTS {
    PVOID lpAddress;                          // absolute address inside the target (base + RVA), not an RVA
    DWORD dwArguments[MAX_CALLER_ARGUMENTS];  // slots beyond the ones the caller filled are forwarded as-is
} CALLER_ARGUMENTS, *PCALLER_ARGUMENTS;
  10.  
// Trampoline whose machine code is copied byte-for-byte into the target process
// by call_remote_function and started there as a thread; the thread parameter
// is a PCALLER_ARGUMENTS. Because it executes from a raw copy it has to stay
// self-contained: no calls into this module or the CRT, no data references that
// would need relocation, and it must fit in the fixed number of bytes the copy
// takes (0x7F in call_remote_function — an assumption about the compiled size,
// not something this code verifies). Optimisation is switched off around it,
// presumably so it is not inlined, merged or tail-call-folded into something
// that is no longer a standalone function — confirm on the toolchain in use
// (with MSVC incremental linking the symbol may also resolve to a jump thunk
// rather than the body, which would copy the wrong bytes).
//
// It always passes all MAX_CALLER_ARGUMENTS slots; that is only safe for a
// 32-bit cdecl callee, where the caller cleans the stack (see the header).
//
// @param cargs  remote copy of the argument block (must be readable in the target)
// @return       the callee's DWORD result; it becomes the thread's exit code
#pragma optimize("", off)
DWORD caller(PCALLER_ARGUMENTS cargs) {
    return ((DWORD (__cdecl *)(...))cargs->lpAddress)(cargs->dwArguments[0], cargs->dwArguments[1], cargs->dwArguments[2], cargs->dwArguments[3], cargs->dwArguments[4], cargs->dwArguments[5], cargs->dwArguments[6], cargs->dwArguments[7], cargs->dwArguments[8], cargs->dwArguments[9], cargs->dwArguments[10], cargs->dwArguments[11], cargs->dwArguments[12], cargs->dwArguments[13], cargs->dwArguments[14], cargs->dwArguments[15]);
}
#pragma optimize("", on)
  16.  
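// Returns the load address of the target's first enumerated module (normally
// the executable itself) or NULL when the module snapshot cannot be taken or
// is empty.
//
// @param hProcess  handle that allows GetProcessId (query information rights)
// @return          module base, or NULL on failure
//
// Fixed relative to the original: the snapshot handle was never closed (leaked
// one handle per call), a failed CreateToolhelp32Snapshot was passed on to
// Module32First, and a failed Module32First returned an uninitialised
// modBaseAddr.
PVOID GetProcessBaseAddress(HANDLE hProcess) {
    HANDLE ModuleSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetProcessId(hProcess));
    if (ModuleSnapshot == INVALID_HANDLE_VALUE) {
        return NULL;
    }

    PVOID BaseAddress = NULL;
    MODULEENTRY32 ModuleEntry;
    ModuleEntry.dwSize = sizeof(MODULEENTRY32);
    if (Module32First(ModuleSnapshot, &ModuleEntry)) {
        BaseAddress = ModuleEntry.modBaseAddr;
    }

    CloseHandle(ModuleSnapshot);
    return BaseAddress;
}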
  24.  
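// Opens the first running process whose image name equals ProcessName
// (case-sensitive strcmp against szExeFile) and returns its handle, or NULL
// when no such process exists, the snapshot fails, or the Win32 OpenProcess
// call fails. The caller owns the returned handle and must CloseHandle it.
// This is a C++ overload of the Win32 OpenProcess; the 3-argument call inside
// is the API itself.
//
// PROCESS_ALL_ACCESS is kept for compatibility with existing callers, but it is
// broader than what call_remote_function uses; trimming it to the specific
// rights needed would be the least-privilege choice.
//
// Fixed relative to the original: the not-found path fell off the end of a
// non-void function (undefined behaviour), the snapshot handle was never
// closed, and Process32First's result was not checked before the do/while.
HANDLE OpenProcess(LPCSTR ProcessName) {
    HANDLE ProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (ProcessSnapshot == INVALID_HANDLE_VALUE) {
        return NULL;
    }

    HANDLE hProcess = NULL;   // stays NULL when nothing matches
    PROCESSENTRY32 ProcessEntry;
    ProcessEntry.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(ProcessSnapshot, &ProcessEntry)) {
        do {
            if (!strcmp(ProcessEntry.szExeFile, ProcessName)) {
                hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessEntry.th32ProcessID);
                break;   // first match wins, as before
            }
        } while (Process32Next(ProcessSnapshot, &ProcessEntry));
    }

    CloseHandle(ProcessSnapshot);
    return hProcess;
}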
  36.  
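// Runs the cdecl function at RVA lpAddress inside hProcess on a new remote
// thread and returns its DWORD result (the thread's exit code). cArguments
// DWORD-sized arguments follow and are forwarded through the `caller` stub.
//
// @param hProcess    handle with create-thread, VM operation/write and query rights
// @param lpAddress   RVA of the target function, added to the module base
// @param cArguments  number of variadic DWORD arguments, at most MAX_CALLER_ARGUMENTS
// @return            the callee's result, or 0 on any failure (too many
//                    arguments, base lookup, allocation, copy or thread creation
//                    failing). 0 is also a legitimate callee result, so callers
//                    that must distinguish the two need another channel.
//
// Fixed relative to the original: cArguments was not bounded by
// MAX_CALLER_ARGUMENTS, so the va_arg loop wrote past cargs.dwArguments on the
// local stack; unused slots were left uninitialised and copied into the
// target; no API result was checked, so a failed CreateRemoteThread led to
// waiting on a NULL handle; the thread handle was never closed; and both
// VirtualFreeEx calls passed a non-zero size with MEM_RELEASE, which the API
// rejects, so the remote allocations were never actually freed.
DWORD call_remote_function(HANDLE hProcess, PVOID lpAddress, DWORD cArguments, ...) {
    // Number of bytes of `caller` copied into the target. Inherited from the
    // original (0x7F); it is an assumption about the compiled size of `caller`
    // and must cover the whole function body.
    enum { CALLER_STUB_SIZE = 0x7F };

    DWORD dwReturn = 0;
    LPVOID lpCallerAddress = NULL;
    LPVOID lpCallerArgumentsAddress = NULL;
    HANDLE hThread = NULL;

    if (cArguments > MAX_CALLER_ARGUMENTS) {
        return 0;
    }

    PVOID lpBase = GetProcessBaseAddress(hProcess);
    if (lpBase == NULL) {
        return 0;
    }

    CALLER_ARGUMENTS cargs = {0};   // zero the unused slots instead of shipping stack contents
    cargs.lpAddress = (PVOID)((DWORD)lpBase + (DWORD)lpAddress);

    va_list vl;
    va_start(vl, cArguments);
    for (DWORD i = 0; i < cArguments; i++) {
        cargs.dwArguments[i] = va_arg(vl, DWORD);
    }
    va_end(vl);

    lpCallerAddress = VirtualAllocEx(hProcess, NULL, CALLER_STUB_SIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpCallerAddress == NULL) {
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, lpCallerAddress, (const void *)caller, CALLER_STUB_SIZE, NULL)) {
        goto cleanup;
    }

    // The argument block is data only; it never needs to be executable.
    lpCallerArgumentsAddress = VirtualAllocEx(hProcess, NULL, sizeof(CALLER_ARGUMENTS), MEM_COMMIT, PAGE_READWRITE);
    if (lpCallerArgumentsAddress == NULL) {
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, lpCallerArgumentsAddress, &cargs, sizeof(CALLER_ARGUMENTS), NULL)) {
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0x1000, (LPTHREAD_START_ROUTINE)lpCallerAddress, lpCallerArgumentsAddress, 0, NULL);
    if (hThread == NULL) {
        goto cleanup;
    }
    // The callee's return value comes back as the thread exit code; if the
    // exit code cannot be read, dwReturn stays 0.
    WaitForSingleObject(hThread, INFINITE);
    GetExitCodeThread(hThread, &dwReturn);

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    // MEM_RELEASE requires a size of 0; the whole allocation is released.
    if (lpCallerArgumentsAddress != NULL) {
        VirtualFreeEx(hProcess, lpCallerArgumentsAddress, 0, MEM_RELEASE);
    }
    if (lpCallerAddress != NULL) {
        VirtualFreeEx(hProcess, lpCallerAddress, 0, MEM_RELEASE);
    }
    return dwReturn;
}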
  64.  
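// Example wrapper: calls the function at RVA 0x1000 in the first process named
// "B.exe" with the single argument a.
//
// @param a  forwarded as the callee's only DWORD argument
// @return   the callee's result, or 0 when the process cannot be opened
//           (indistinguishable from the callee returning 0)
//
// Fixed relative to the original: the handle returned by OpenProcess was never
// closed (one leaked process handle per call), and a NULL handle was passed
// straight into call_remote_function.
DWORD remote_foo(DWORD a) {
    HANDLE hProcess = OpenProcess("B.exe");
    if (hProcess == NULL) {
        return 0;
    }
    DWORD dwReturn = call_remote_function(hProcess, (PVOID)0x1000, 1, a);
    CloseHandle(hProcess);
    return dwReturn;
}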