Closing a handle of another process.

delphi package - getting into other processes
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Closing a handle of another process.

Post by nildo »

Hello mathias and everyone!
I'm trying to close a handle from another process, and I decided that the best method of doing this is using RemoteExecute.

Here's the function that will be copied:

Code:

function FecharHandle( params: Pointer ): dword; stdcall;
begin
   CloseHandle( $11111111 );
end;

Before I call RemoteExecute, I patch the function FecharHandle to close the correct handle instead of $11111111:

Code:

   hProc := OpenProcess( PROCESS_ALL_ACCESS, False, GetCurrentProcessId );
   WriteProcessMemory( hProc, Pointer( Cardinal( @FecharHandle ) + 5 ), @HandleToClose, SizeOf( Cardinal ), Written  );
   CloseHandle( hProc );

And now I execute the function in the context of the other process:

Code:

RemoteExecute( TargetHandle, FecharHandle, AnyCardinal )

RemoteExecute is returning True, but the handle doesn't get closed. Why? Do I have to patch the CloseHandle call to call the original API, or does RemoteExecute do that for me? Why doesn't this work?

Here's the disassembled version of my FecharHandle function:

Code:

0054056C  /. 55             PUSH EBP
0054056D  |. 8BEC           MOV EBP,ESP
0054056F  |. 53             PUSH EBX
00540570  |. 68 11111111    PUSH 11111111                            ; /hObject = 11111111
00540575  |. E8 8A6AECFF    CALL <JMP.&kernel32.CloseHandle>         ; \CloseHandle
0054057A  |. 8BC3           MOV EAX,EBX
0054057C  |. 5B             POP EBX
0054057D  |. 5D             POP EBP
0054057E  \. C2 0400        RETN 4

Thank you!!!
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

As far as I see it "+ 5" is incorrect, it should be "+ 4". Also doing OpenProcess(..., GetCurrentProcessId) is wrong. You want to close a handle in a remote process, not in your own, right?

Anyway, you're doing more work than you need to!!!

Code:

function FecharHandle(handle: dword): dword; stdcall;
begin
  // The parameter RemoteExecute transports arrives here as the handle value.
  // Return CloseHandle's result so the caller sees it in AnyCardinal.
  Result := Ord(CloseHandle(handle));
end;

begin
  hProc := OpenProcess(PROCESS_ALL_ACCESS, False, remoteProcessId);
  RemoteExecute(hProc, @FecharHandle, AnyCardinal, pointer(handleToBeClosed));
  CloseHandle(hProc);
end;

That's it! You don't need to manipulate the FecharHandle function. Just let RemoteExecute transport the parameter for you.
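The thread's goal, closing a handle that belongs to another process, can also be reached without copying any code into the target at all, which sidesteps the relocation question raised in the first post. The following is an added example, not code from this thread or from madCodeHook: it swaps in the documented Win32 route, DuplicateHandle with DUPLICATE_CLOSE_SOURCE, which closes the source handle inside the remote process as part of duplicating it. The process id and handle value are constructed placeholders; in practice the handle value must be the one that is valid inside the target process (for instance from a handle-enumeration tool), and the function name CloseHandleInProcess is this example's own.

```delphi
program CloseRemoteHandle;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

const
  // Constructed sample values for illustration only.
  SAMPLE_PID: DWORD = 1234;
  SAMPLE_REMOTE_HANDLE: THandle = $11111111;

// Close 'remoteHandle', which is valid inside process 'remotePid', from this
// process. DuplicateHandle with DUPLICATE_CLOSE_SOURCE closes the source
// handle in the remote process while handing us a local duplicate; closing
// that duplicate afterwards drops the reference we now hold.
// Returns True on success; 'err' carries GetLastError on failure.
function CloseHandleInProcess(remotePid: DWORD; remoteHandle: THandle;
  out err: DWORD): Boolean;
var
  hProc, hDup: THandle;
begin
  Result := False;
  err := 0;
  hDup := 0;
  // PROCESS_DUP_HANDLE is the only access right this needs; asking for
  // PROCESS_ALL_ACCESS only makes the OpenProcess call fail more often.
  hProc := OpenProcess(PROCESS_DUP_HANDLE, False, remotePid);
  if hProc = 0 then
  begin
    err := GetLastError;
    Exit;
  end;
  try
    if DuplicateHandle(hProc, remoteHandle, GetCurrentProcess, @hDup,
                       0, False,
                       DUPLICATE_SAME_ACCESS or DUPLICATE_CLOSE_SOURCE) then
    begin
      // The remote copy is already closed; release our duplicate as well.
      CloseHandle(hDup);
      Result := True;
    end
    else
      // Note: the API documents that the source handle is closed regardless
      // of the error status, so a failure here does not mean it is still open.
      err := GetLastError;
  finally
    CloseHandle(hProc);
  end;
end;

var
  lastErr: DWORD;
begin
  if CloseHandleInProcess(SAMPLE_PID, SAMPLE_REMOTE_HANDLE, lastErr) then
    Writeln('handle closed in process ', SAMPLE_PID)
  else
    Writeln('failed: ', SysErrorMessage(lastErr));
end.
```

Two caveats apply to either approach, RemoteExecute or DuplicateHandle: the target process is not told that its handle went away, so any code in it that still uses the old value will fail or, if the handle number gets reused, act on the wrong object; and OpenProcess is refused for processes the caller lacks rights to (protected processes, other sessions without the privilege), so the error path above should be treated as expected rather than exceptional.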