Search found 46 matches

by Nico Bendlin
Wed Dec 17, 2008 9:20 am
Forum: madCollection
Topic: Windows Product Activation Error Message at logon!
Replies: 6
Views: 12480

I don’t know.
Error code 0x800703e6 is HRESULT_FROM_WIN32(ERROR_NOACCESS) ("Invalid access to memory location.")

http://support.microsoft.com/kb/914232/en-us
by Nico Bendlin
Wed Dec 17, 2008 7:49 am
Forum: madCollection
Topic: Windows Product Activation Error Message at logon!
Replies: 6
Views: 12480

Make sure you don’t hook/patch the Software Licensing Service.
http://www.microsoft.com/whdc/system/vi ... guide.mspx
by Nico Bendlin
Tue Dec 02, 2008 4:23 pm
Forum: madCodeHook
Topic: Command Line assistance
Replies: 6
Views: 9856

since the CreateRemoteThread method works and has been tested on XP [...] As you already know, CreateRemoteThread is a bad idea for several reasons: Windows XP Professional for x64, different sessions due to Fast User Switching (FUS) or Windows Terminal Server (TS). You can/should use WMI on Window...
by Nico Bendlin
Tue Dec 02, 2008 4:12 pm
Forum: madCodeHook
Topic: Command Line assistance
Replies: 6
Views: 9856

Win32_Process.CommandLine was introduced with Windows XP. Therefore, you still need a solution for previous Windows versions (read: previous WMI versions or Windows versions without WMI *g*).
by Nico Bendlin
Tue Dec 02, 2008 2:53 pm
Forum: madCodeHook
Topic: Command Line assistance
Replies: 6
Views: 9856

I guess that Vista’s TaskManager just uses NtQueryInformationProcess(ProcessBasicInformation) to retrieve the PebBaseAddress and ReadProcessMemory() to query PEB.ProcessParameters.CommandLine. For WOW64 one would have to do some basic groundwork to get this information for native processes. msdn.mic...
by Nico Bendlin
Fri Nov 28, 2008 3:13 pm
Forum: madRemote
Topic: File copy in RemoteExecute
Replies: 4
Views: 18150

FileRead/FileWrite are RTL functions (in your process). You should only use API functions (ReadFile/WriteFile).
The function which you want to have executed in the other process needs to follow some rules. Please read the documentation of CopyFunction to learn more about those rules.
by Nico Bendlin
Mon Nov 17, 2008 5:18 pm
Forum: madKernel
Topic: mutex owner
Replies: 10
Views: 32090

Maybe this code snippet contains what you want:

{$ALIGN ON}
{$MINENUMSIZE 4}
type
  TNtStatus = LongInt;
  TClientId = record
    UniqueProcess: Pointer;
    UniqueThread : Pointer;
  end;
  TMutantInformationClass = (
    MutantBasicInformation, // 0
    MutantOwnerInformation  // 1
  );
  TMutantBasicInformation = record
    Curr...
by Nico Bendlin
Mon Nov 17, 2008 2:16 pm
Forum: madDisAsm
Topic: List all functions from an executable
Replies: 6
Views: 74817

Well, for ParseFunction one needs the entry point of the function (your task). This implies that it is intended to analyze one function - not the whole program control flow (a job for IDA). The analyzed function could be followed by anything (e.g. hundreds and thousands of data bytes). topic: Back ...
by Nico Bendlin
Mon Nov 17, 2008 10:40 am
Forum: madDisAsm
Topic: List all functions from an executable
Replies: 6
Views: 74817

Compilers are free to overlap any code sequences. So there might be no "next" function. Another problem is function "tails" (code fragments of a function outside of the function’s main "body" - e.g. MSVC’s PGO).
by Nico Bendlin
Mon Nov 03, 2008 7:51 am
Forum: madKernel
Topic: [native] RtlWow64CallFunction64
Replies: 18
Views: 56464

Have you found a way to list the handles of a process in a 32bit process on a 64bit OS? NtQuerySystemInformation fails listing the handles when run in a 32bit process, unfortunately... :( In the meantime I had some spare time to investigate it further... There is a quite simple (of course undocumen...
by Nico Bendlin
Tue Oct 28, 2008 9:29 am
Forum: madCodeHook
Topic: can't seem to hook NtCreateProcess
Replies: 10
Views: 8590

Are you hooking a 32-bit target on a 64-bit host?
Microsoft is free to use any function/code to create the process. Zw/NtCreateProcess(Ex) or Zw/Nt/RtlCreateUserProcess might not be used at all (from user mode).
by Nico Bendlin
Mon Oct 27, 2008 7:40 am
Forum: madCodeHook
Topic: can't seem to hook NtCreateProcess
Replies: 10
Views: 8590

IIRC Zw/NtCreateProcessEx was introduced with WinXP.
by Nico Bendlin
Fri Oct 24, 2008 9:24 pm
Forum: madCodeHook
Topic: ANother problem.
Replies: 5
Views: 4052

Rule of thumb: Do not trust any parameters. Before using Input as a PChar, make sure it *is* a pointer to a null-terminated character string. If you cannot verify this (can be hard or expensive), wrap the usage in try-except (but do not ignore unknown exceptions - this leads to other problems). My...
by Nico Bendlin
Fri Oct 24, 2008 7:26 pm
Forum: madCodeHook
Topic: ANother problem.
Replies: 5
Views: 4052

You have to validate parameters before using them.

procedure Foo(AValue: PAnsiChar);
var
  Bar: AnsiString;
begin
  // Assigning a PAnsiChar to an AnsiString copies the characters up to the
  // terminating #0, so AValue must point to a valid null-terminated string.
  Bar := AValue;
end;

This function will raise an access violation in System.@LStrFromPChar if it is used like this:

// MakeIntResourceA(42) is the integer 42 cast to PAnsiChar, not a string pointer.
Foo(MakeIntResourceA(42));
by Nico Bendlin
Wed Oct 08, 2008 3:52 pm
Forum: madCodeHook
Topic: Hooking FindResourceExA problem
Replies: 2
Views: 3109

lpName can be a string pointer or a resource identifier (see MakeIntResource).

// Mirrors the IS_INTRESOURCE macro: resource identifiers from MakeIntResource
// are small integers with the upper bits all zero, real string pointers are not.
// (On Win64 use a pointer-sized integer such as NativeUInt instead of Cardinal,
// otherwise the cast truncates the upper half of the pointer.)
function IsIntResource(AName: Pointer): Boolean; inline;
begin
  Result := (Cardinal(AName) shr 16) = 0;
end;