
Thread: CreateRemoteThread = AccessViolation?

  1. #1
    Member H1N1's Avatar

    Angry CreateRemoteThread = AccessViolation?

    Hey, I have spent the past two days trying to get RemoteThreads to work..

    I have learnt quite a bit about it, and have made quite an improvement, considering when i first started out, i had no idea and did not understand the concept of a remote thread.

    But im kind of stuck and could really use some words of wisdom lol

    Heres what i have so far:

    Code:
    unit Unit1;
    
    interface
    
    uses
      Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
      Dialogs, afxcodehook;
    
    type
      // The application's single form. Its FormCreate handler (implementation
      // section below) calls RemoteExecute as soon as the form is constructed.
      TForm1 = class(TForm)
        procedure FormCreate(Sender: TObject);
      private
        { Private declarations }
      public
        { Public declarations }
      end;
    
    var
      Form1: TForm1;   // global form instance; presumably auto-created by the project file (not shown)
    
    implementation
    
    {$R *.dfm}
    
    //structure to pass data to remote procedure
    // Everything the injected procedures need travels in this record, because code
    // copied into another process cannot rely on this module's import table or RTL.
    // RemoteExecute fills the PChar fields with pointers returned by InjectString and
    // the function-pointer fields with addresses resolved via GetProcAddress, then
    // hands the whole record to InjectThread together with the procedure.
    type
      TRemoteInfo = record
        // Resolved at run time by RemoteThread itself (GetProcAddress on user32).
        MessageBox: function(hWnd: HWND; lpText, lpCaption: PChar; uType: UINT): Integer; stdcall;
        // kernel32 entry points, assigned in RemoteExecute (GetModuleHandleA,
        // LoadLibraryA, GetProcAddress, ExitProcess).
        GetModuleHandle: function(lpModuleName: PChar): HMODULE; stdcall;
        LoadLibrary: function(lpLibFileName: PChar): HMODULE; stdcall;
        GetProcAddress: function(hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;
        ExitProcess: procedure(uExitCode: UINT); stdcall;   // assigned but never called by either remote procedure
        // String arguments for RemoteThread; RemoteExecute stores InjectString results here.
        User32: pchar;
        MessageBoxA: pchar;
        Text: pchar;
        Title: pchar;
        Button: dword;   // MessageBox result, written back into the record by RemoteThread
    
        //API's:
        // advapi32 entry points intended for DeleteValue. NOTE(review): DeleteValue
        // never reads these fields; it calls RegOpenKeyEx/RegDeleteValue/RegCloseKey
        // by their plain names, which resolve to this module's Windows-unit imports.
        _RegOpenKeyEx: function(Key : HKEY; lpSubKey : LPCTSTR; ulOptions : DWORD; samDesired : REGSAM; phkResult  : PHKEY): longint; stdcall;
        _RegDeleteValue: function(Key : HKEY; lpValueName : LPCTSTR): longint; stdcall;
        _RegCloseKey: function(Key : HKEY): longint; stdcall;
        //strings:
        // NOTE(review): `string` is a Delphi long string - a heap pointer managed by
        // this process's RTL - unlike the PChar fields around it. RemoteExecute assigns
        // it an InjectString result and DeleteValue compares it with a literal; both
        // go through the RTL, which the copied code presumably cannot reach in the
        // target process. This field is a plausible source of the access violation.
        WhichKey: string;
        SubKey,
        ValueName: PChar;
    
      end;
    
    //procedure that runs injected inside another process
    // Shows a message box from inside the target. Inside the `with`, GetModuleHandle,
    // GetProcAddress, LoadLibrary and MessageBox name the record's function-pointer
    // fields (they shadow the Windows-unit imports), so only addresses placed in the
    // record by RemoteExecute are used. MB_YESNO is a compile-time constant.
    // Not injected by RemoteExecute as written (it injects DeleteValue).
    procedure RemoteThread(RemoteInfo: pointer); stdcall;
    begin
      with TRemoteInfo(RemoteInfo^) do
      begin
        // Resolve MessageBoxA by name; fall back to loading user32 if it is not mapped yet.
        @MessageBox := GetProcAddress(GetModuleHandle(User32), MessageBoxA);
        if @MessageBox = nil then @MessageBox := GetProcAddress(LoadLibrary(User32), MessageBoxA);
        Button := MessageBox(0, Text, Title, MB_YESNO);   // result written back into the record
      end;
    end;
    
    //procedure that runs injected inside another process
    // Deletes the registry value SubKey\ValueName under HKCU or HKLM using the data
    // in the injected TRemoteInfo.
    // NOTE(review): unlike RemoteThread, this body does not go through the record.
    // RegOpenKeyEx/RegDeleteValue/RegCloseKey (no underscore) are this module's
    // Windows-unit imports, not the _Reg* fields RemoteExecute filled in, and
    // `WhichKey = 'HKCU'` is a long-string comparison that calls into the RTL.
    // Neither is presumably mapped at the same address in the target process, which
    // fits the reported access violation.
    procedure DeleteValue(RemoteInfo: pointer); stdcall;
    var
      Resalt: bool;            // assigned below but never read
      phkResult, Key: HKEY;    // phkResult is only valid after RegOpenKeyEx succeeds
    begin
      with TRemoteInfo(RemoteInfo^) do
      begin
    
        if WhichKey = 'HKCU' then
          Key := HKEY_CURRENT_USER
          else
          Key := HKEY_LOCAL_MACHINE;
            // The `;` above terminates the if/else, so this try block runs for both
            // branches despite its indentation. The finally part is empty.
            try
              Resalt := False;
              if RegOpenKeyEx(Key, SubKey, 0, KEY_SET_VALUE, phkResult) = ERROR_SUCCESS then
              begin
    
                Resalt := RegDeleteValue(phkResult, ValueName) = ERROR_SUCCESS;
    
                RegCloseKey(phkResult);
    
              end;
            finally
    
            end;
      end;
    end;
    
    // Starts notepad.exe as a throwaway target, fills a TRemoteInfo with strings and
    // API addresses, injects DeleteValue plus the record with afxcodehook's
    // InjectThread, then kills notepad. InjectString/InjectThread come from the
    // afxcodehook unit (not shown); from their use here InjectString appears to
    // return the address of the copied string inside the target - TODO confirm.
    // Defensive note: a freshly spawned process receiving a cross-process write and a
    // remote thread is a textbook injection pattern that endpoint monitoring flags,
    // and the Run key being edited is an autostart location.
    procedure RemoteExecute(WhichKey,SubKey,ValueName:PChar);
    const
      User32: pchar = 'user32';
      MessageBoxA: pchar = 'MessageBoxA';
      Title: pchar = 'afxCodeHook';
      Text: pchar = 'hello from notepad :)';
    var
      RemoteInfo: TRemoteInfo;   // never zeroed: MessageBox and Button stay uninitialised
      Process: dword;
      StartInfo: TStartupInfo;
      ProcInfo: TProcessInformation;
    begin
      //create a process for testing
      ZeroMemory(@StartInfo, SizeOf(TStartupInfo));
      StartInfo.cb := SizeOf(TStartupInfo);
      // Return value unchecked: on failure ProcInfo.hProcess is garbage. The
      // hProcess/hThread handles are never closed (TerminateProcess does not close them).
      CreateProcess(nil, 'notepad.exe', nil, nil, False, 0, nil, nil, StartInfo, ProcInfo);
      Process := ProcInfo.hProcess;
    
      //copy our strings into the remote process
      RemoteInfo.User32 := InjectString(Process, User32);
      RemoteInfo.MessageBoxA := InjectString(Process, MessageBoxA);
      RemoteInfo.Text := InjectString(Process, Text);
      RemoteInfo.Title := InjectString(Process, Title);
    
      // NOTE(review): WhichKey is a `string` field, so this line converts the PChar
      // returned by InjectString into a long string, i.e. it reads from that pointer
      // in THIS process. If the pointer is only valid inside the target, the fault
      // happens here, before anything is injected - worth checking first.
      RemoteInfo.WhichKey := InjectString(Process, WhichKey);
      RemoteInfo.SubKey := InjectString(Process, SubKey);
      RemoteInfo.ValueName := InjectString(Process, ValueName);
    
    
      //copy our API addresses to pass to the remote process
      // Addresses are resolved in this process; they only mean the same thing in the
      // target if kernel32/advapi32 are mapped at the same base there.
      @RemoteInfo.GetModuleHandle := GetProcAddress(GetModuleHandle('kernel32'), 'GetModuleHandleA');
      @RemoteInfo.LoadLibrary := GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA');
      @RemoteInfo.GetProcAddress := GetProcAddress(GetModuleHandle('kernel32'), 'GetProcAddress');
      @RemoteInfo.ExitProcess  := GetProcAddress(GetModuleHandle('kernel32'), 'ExitProcess');
    
      //RegDelete API's
      @RemoteInfo._RegOpenKeyEx  := GetProcAddress(GetModuleHandle('advapi32'), 'RegOpenKeyExA');
      @RemoteInfo._RegDeleteValue  := GetProcAddress(GetModuleHandle('advapi32'), 'RegDeleteValueA');
      @RemoteInfo._RegCloseKey  := GetProcAddress(GetModuleHandle('advapi32'), 'RegCloseKey');
    
      //inject our function and data into the process
      // The last argument's meaning belongs to afxcodehook (not shown) - presumably
      // whether to wait for the remote thread. TerminateProcess follows immediately,
      // so if it does not wait, notepad can be killed before DeleteValue runs.
      InjectThread(Process, @DeleteValue, @RemoteInfo, SizeOf(TRemoteInfo), True);
    
      //kill notepad
      TerminateProcess(Process, 0);
    end;
    
    // Runs when the form is created: asks RemoteExecute to delete the "msnmsgr" value
    // from the current user's Run key.
    // NOTE(review): the subkey is spelled "Current Varsion"; the Windows key is
    // "CurrentVersion", so RegOpenKeyEx cannot succeed even if the injection worked.
    procedure TForm1.FormCreate(Sender: TObject);
    begin
      RemoteExecute('HKCU','Software\Microsoft\Windows\Current Varsion\Run','msnmsgr');
    end;
    
    end.

    When i try the above, this is what i am presented with:




    I dont see what i have done wrong and i would really appreciate your help as i have wasted 2 days non stop trying to get a remote thread to work!

    Thanks for reading my thread and getting back to me.

    Kind Regards



    PS: Here is the uploaded project (Delphi 7) Remote-Delete2.zip
    Last edited by H1N1; 28-01-2012 at 16:50.

  2. #2
    Senior Member cracksman's Avatar
    you cant inject a function with multiple params like that; change your function to this
    Code:
    DeleteValue(RI : RemoteInfo);
    and pass all the params in the "RemoteInfo" structure.
    Code:
    InjectThread(Process, @DeleteValue, @RemoteInfo, etc...
    and call them like "PI.SubKey" etc. [edit] "with TRemoteInfo(RemoteInfo^) do" works fine too.
    Last edited by cracksman; 28-01-2012 at 16:39.
    I Retired. stop asking me questions. you can find me on msn or ic0de.

  3. #3
    Member H1N1's Avatar
    Thanks cracksman, updated the thread. Still having the Access Violation error thing.

    Anyone have an idea of what might be going wrong?

  4. #4
    Member H1N1's Avatar
    Okay, updated the code, cant edit the OP so here is the new one (still has the Access Violation error!):

    Code:
    unit Unit1;
    
    interface
    
    uses
      Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
      Dialogs, afxcodehook;
    
    type
      // The application's single form. Its FormCreate handler (implementation
      // section below) calls RemoteExecute as soon as the form is constructed.
      TForm1 = class(TForm)
        procedure FormCreate(Sender: TObject);
      private
        { Private declarations }
      public
        { Public declarations }
      end;
    
    var
      Form1: TForm1;   // global form instance; presumably auto-created by the project file (not shown)
    
    implementation
    
    {$R *.dfm}
    
    //structure to pass data to remote procedure
    // Everything the injected procedures need travels in this record, because code
    // copied into another process cannot rely on this module's import table or RTL.
    // RemoteExecute fills the PChar fields with pointers returned by InjectString and
    // the function-pointer fields with addresses resolved via GetProcAddress, then
    // hands the whole record to InjectThread together with the procedure.
    type
      TRemoteInfo = record
        // Resolved at run time by RemoteThread itself (GetProcAddress on user32).
        MessageBox: function(hWnd: HWND; lpText, lpCaption: PChar; uType: UINT): Integer; stdcall;
        // kernel32 entry points, assigned in RemoteExecute (GetModuleHandleA,
        // LoadLibraryA, GetProcAddress, ExitProcess).
        GetModuleHandle: function(lpModuleName: PChar): HMODULE; stdcall;
        LoadLibrary: function(lpLibFileName: PChar): HMODULE; stdcall;
        GetProcAddress: function(hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;
        ExitProcess: procedure(uExitCode: UINT); stdcall;   // assigned but never called by either remote procedure
        // String arguments for RemoteThread; RemoteExecute stores InjectString results here.
        User32: pchar;
        MessageBoxA: pchar;
        Text: pchar;
        Title: pchar;
        Button: dword;   // MessageBox result, written back into the record by RemoteThread
    
        //API's:
        // advapi32 entry points intended for DeleteValue. NOTE(review): DeleteValue
        // never reads these fields; it calls RegOpenKeyEx/RegDeleteValue/RegCloseKey
        // by their plain names, which resolve to this module's Windows-unit imports.
        _RegOpenKeyEx: function(Key : HKEY; lpSubKey : LPCTSTR; ulOptions : DWORD; samDesired : REGSAM; phkResult  : PHKEY): longint; stdcall;
        _RegDeleteValue: function(Key : HKEY; lpValueName : LPCTSTR): longint; stdcall;
        _RegCloseKey: function(Key : HKEY): longint; stdcall;
        //strings:
        // NOTE(review): WhichKey is still a Delphi long string (a heap pointer managed
        // by this process's RTL) while SubKey/ValueName/HKCU are plain PChar. Assigning
        // it an InjectString result and comparing it with HKCU both go through the RTL,
        // which the copied code presumably cannot reach in the target process - a
        // plausible source of the access violation.
        WhichKey  : string;
        SubKey,
        ValueName,
        HKCU      : PChar;   // remote copy of the literal 'HKCU' used for the comparison in DeleteValue
    
      end;
    
    //procedure that runs injected inside another process
    // Shows a message box from inside the target. Inside the `with`, GetModuleHandle,
    // GetProcAddress, LoadLibrary and MessageBox name the record's function-pointer
    // fields (they shadow the Windows-unit imports), so only addresses placed in the
    // record by RemoteExecute are used. MB_YESNO is a compile-time constant.
    // Not injected by RemoteExecute as written (it injects DeleteValue).
    procedure RemoteThread(RemoteInfo: pointer); stdcall;
    begin
      with TRemoteInfo(RemoteInfo^) do
      begin
        // Resolve MessageBoxA by name; fall back to loading user32 if it is not mapped yet.
        @MessageBox := GetProcAddress(GetModuleHandle(User32), MessageBoxA);
        if @MessageBox = nil then @MessageBox := GetProcAddress(LoadLibrary(User32), MessageBoxA);
        Button := MessageBox(0, Text, Title, MB_YESNO);   // result written back into the record
      end;
    end;
    
    //procedure that runs injected inside another process
    // Deletes the registry value SubKey\ValueName under HKCU or HKLM using the data
    // in the injected TRemoteInfo.
    // NOTE(review): unlike RemoteThread, this body does not go through the record.
    // RegOpenKeyEx/RegDeleteValue/RegCloseKey (no underscore) are this module's
    // Windows-unit imports, not the _Reg* fields RemoteExecute filled in, and
    // `WhichKey = HKCU` compares a long string with a PChar, which is an RTL
    // string comparison (with an implicit PChar-to-string conversion). Neither is
    // presumably mapped at the same address in the target process, which fits the
    // reported access violation.
    procedure DeleteValue(RemoteInfo: pointer); stdcall;
    var
      Resalt: bool;            // assigned below but never read
      phkResult, Key: HKEY;    // phkResult is only valid after RegOpenKeyEx succeeds
    begin
      with TRemoteInfo(RemoteInfo^) do
      begin
    
        if WhichKey = HKCU then
          Key := HKEY_CURRENT_USER
          else
          Key := HKEY_LOCAL_MACHINE;
            // The `;` above terminates the if/else, so this try block runs for both
            // branches despite its indentation. The finally part is empty.
            try
              Resalt := False;
              if RegOpenKeyEx(Key, SubKey, 0, KEY_SET_VALUE, phkResult) = ERROR_SUCCESS then
              begin
    
                Resalt := RegDeleteValue(phkResult, ValueName) = ERROR_SUCCESS;
    
                RegCloseKey(phkResult);
    
              end;
            finally
    
            end;
      end;
    end;
    
    // Starts notepad.exe as a throwaway target, fills a TRemoteInfo with strings and
    // API addresses, injects DeleteValue plus the record with afxcodehook's
    // InjectThread, then kills notepad. InjectString/InjectThread come from the
    // afxcodehook unit (not shown); from their use here InjectString appears to
    // return the address of the copied string inside the target - TODO confirm.
    // Defensive note: a freshly spawned process receiving a cross-process write and a
    // remote thread is a textbook injection pattern that endpoint monitoring flags,
    // and the Run key being edited is an autostart location.
    procedure RemoteExecute(WhichKey,SubKey,ValueName:PChar);
    const
      User32: pchar = 'user32';
      MessageBoxA: pchar = 'MessageBoxA';
      Title: pchar = 'afxCodeHook';
      Text: pchar = 'hello from notepad :)';
    var
      RemoteInfo: TRemoteInfo;   // never zeroed: MessageBox and Button stay uninitialised
      Process: dword;
      StartInfo: TStartupInfo;
      ProcInfo: TProcessInformation;
    begin
      //create a process for testing
      ZeroMemory(@StartInfo, SizeOf(TStartupInfo));
      StartInfo.cb := SizeOf(TStartupInfo);
      // Return value unchecked: on failure ProcInfo.hProcess is garbage. The
      // hProcess/hThread handles are never closed (TerminateProcess does not close them).
      CreateProcess(nil, 'notepad.exe', nil, nil, False, 0, nil, nil, StartInfo, ProcInfo);
      Process := ProcInfo.hProcess;
    
      //copy our strings into the remote process
      RemoteInfo.User32 := InjectString(Process, User32);
      RemoteInfo.MessageBoxA := InjectString(Process, MessageBoxA);
      RemoteInfo.Text := InjectString(Process, Text);
      RemoteInfo.Title := InjectString(Process, Title);
    
      // NOTE(review): WhichKey is a `string` field, so this line converts the PChar
      // returned by InjectString into a long string, i.e. it reads from that pointer
      // in THIS process. If the pointer is only valid inside the target, the fault
      // happens here, before anything is injected - worth checking first.
      RemoteInfo.WhichKey := InjectString(Process, WhichKey);
      RemoteInfo.SubKey := InjectString(Process, SubKey);
      RemoteInfo.ValueName := InjectString(Process, ValueName);
      RemoteInfo.HKCU := InjectString(Process, 'HKCU');
    
      //copy our API addresses to pass to the remote process
      // Addresses are resolved in this process; they only mean the same thing in the
      // target if kernel32/advapi32 are mapped at the same base there.
      @RemoteInfo.GetModuleHandle := GetProcAddress(GetModuleHandle('kernel32'), 'GetModuleHandleA');
      @RemoteInfo.LoadLibrary := GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA');
      @RemoteInfo.GetProcAddress := GetProcAddress(GetModuleHandle('kernel32'), 'GetProcAddress');
      @RemoteInfo.ExitProcess  := GetProcAddress(GetModuleHandle('kernel32'), 'ExitProcess');
    
      //RegDelete API's
      @RemoteInfo._RegOpenKeyEx  := GetProcAddress(GetModuleHandle('advapi32'), 'RegOpenKeyExA');
      @RemoteInfo._RegDeleteValue  := GetProcAddress(GetModuleHandle('advapi32'), 'RegDeleteValueA');
      @RemoteInfo._RegCloseKey  := GetProcAddress(GetModuleHandle('advapi32'), 'RegCloseKey');
    
      //inject our function and data into the process
      // The last argument's meaning belongs to afxcodehook (not shown) - presumably
      // whether to wait for the remote thread; it is False here, unlike the first
      // listing. TerminateProcess follows immediately, so if this call does not
      // wait, notepad can be killed before DeleteValue ever runs.
      InjectThread(Process, @DeleteValue, @RemoteInfo, SizeOf(TRemoteInfo), False);
    
      //kill notepad
      TerminateProcess(Process, 0);
    end;
    
    // Runs when the form is created: asks RemoteExecute to delete the "msnmsgr" value
    // from the current user's Run key.
    // NOTE(review): the subkey is spelled "Current Varsion"; the Windows key is
    // "CurrentVersion", so RegOpenKeyEx cannot succeed even if the injection worked.
    procedure TForm1.FormCreate(Sender: TObject);
    begin
      RemoteExecute('HKCU','Software\Microsoft\Windows\Current Varsion\Run','msnmsgr');
    end;
    
    end.

  5. #5
    Member bigrig's Avatar
    you probably need to enable debug privileges

    found on google delphi version;

    Code:
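    { Enables SeDebugPrivilege in the current process token.
      Returns True only if the privilege is actually enabled afterwards. False means
      the token could not be opened, the privilege name could not be looked up, or
      the privilege is not held by this account (non-administrator): in that last
      case AdjustTokenPrivileges still returns TRUE and reports ERROR_NOT_ALL_ASSIGNED
      through GetLastError, so its return value alone is not enough. The token handle
      is closed on every path.
      Note: a process you created yourself with CreateProcess is already opened with
      full access; this privilege matters for processes owned by other accounts. }
    function LoadSeDebugPrivilege : boolean;
    var
      hToken : cardinal;
      Val    : int64;               // LUID of SeDebugPrivilege
      tp     : TTokenPrivileges;
      h      : DWORD;               // ReturnLength out-parameter; previous state is not requested
    begin
      Result := False;
      if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
        Exit;
      try
        if not LookupPrivilegeValue(nil, SE_DEBUG_NAME, Val) then
          Exit;                     // finally still closes hToken
        tp.PrivilegeCount := 1;
        tp.Privileges[0].Luid := Val;
        tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
        h := 0;
        // A TRUE return only means the call was well-formed; ERROR_SUCCESS in the
        // last-error value is what confirms the privilege was actually enabled.
        if AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), PTokenPrivileges(nil)^, h) then
          Result := GetLastError = ERROR_SUCCESS;
      finally
        CloseHandle(hToken);
      end;
    end;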
    Last edited by bigrig; 28-01-2012 at 17:33.

  6. #6
    Member H1N1's Avatar
    Hey, thanks, im going to try that...

    But here is where i got the example from :
    http://www.delphibasics.info/home/de...edureinjection

    And that example works as it is without debug privileges...

  7. #7
    Member H1N1's Avatar
    Quote Originally Posted by bigrig:
    you probably need to enable debugprivileges

    found on google delphi version;

    Code:
    { Enables SeDebugPrivilege on the current process token; False if the token
      cannot be opened or the privilege LUID cannot be looked up.
      NOTE(review): the final Result is AdjustTokenPrivileges' return value, which is
      TRUE even when the privilege was not granted (GetLastError then reports
      ERROR_NOT_ALL_ASSIGNED), so a non-administrator caller gets True here without
      the privilege actually being enabled. }
    function LoadSeDebugPrivilege : boolean;
    var hToken : cardinal;
        Val : int64;               // LUID of SeDebugPrivilege
        tp : TTokenPrivileges;
        h : DWORD;                 // ReturnLength out-parameter; previous state is not requested
    begin
      if not(OpenProcessToken(GetCurrentProcess,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY ,hToken)) then
        result := false
      else
      begin
        if not(LookupPrivilegeValue(nil,SE_DEBUG_NAME,val))then
        begin
          CloseHandle(hToken);
          result := False;
        end
        else
        begin
          h := 0;
          tp.PrivilegeCount := 1;
          tp.Privileges[0].Luid := val;
          tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
          // Return value alone does not prove the privilege is enabled (see header).
          result := AdjustTokenPrivileges(hToken,False,tp,sizeof(tp),PTokenPrivileges(nil)^,h);
          CloseHandle(hToken);
        end;
      end;
    end;
    Nope, same error still

  8. #8
    Member H1N1's Avatar
    Hey again all,

    Here is another attempt from me, i tried to follow what has been done here : http://leetcoders.org/forum/showthread.php?tid=885

    Here is the new uploaded project, it does not give any errors, BUT nothing happens and the registry key is NOT deleted!

    if anyone spots a mistake, i would really appreciate it if you could tell me.

    EXAMPLE REMOTE.zip

    Its 5.17AM now so i think ill leave this for tomorrow, been trying to do it all day

  9. #9
    Senior Member counterstrikewi's Avatar
    Software\Microsoft\Windows\Current Varsion\Run
    Current Varsion
    Varsion



    its
    Code:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    lol
    Last edited by counterstrikewi; 30-01-2012 at 12:37.
    DelphiBasics - Ultimate Delphi Resource for Beginners
    www.delphibasics.info

  10. #10
    Senior Member cypherk's Avatar
    "Its 5.17AM now"

    at that time, typo is ok hahaha
    _|_
