Closing a handle of another process.
Posted: Tue Sep 28, 2004 4:25 pm
Hello mathias and everyone!

I'm trying to close a handle from another process, and I decided that the best method of doing this is using RemoteExecute.

Here's the function that will be copied:

Code:
    function FecharHandle( params: Pointer ): dword; stdcall;
    begin
      // $11111111 is only a placeholder; the real handle value is patched in below
      CloseHandle( $11111111 );
      // Result is never assigned, so the caller receives whatever EBX held
      // (see MOV EAX,EBX in the disassembly)
    end;

Before I call RemoteExecute, I patch the function FecharHandle to close the correct handle instead of $11111111:

Code:
    hProc := OpenProcess( PROCESS_ALL_ACCESS, False, GetCurrentProcessId );
    // offset 5 is the 32-bit immediate of "PUSH 11111111" (55 8B EC 53 68 xx xx xx xx)
    WriteProcessMemory( hProc, Pointer( Cardinal( @FecharHandle ) + 5 ), @HandleToClose, SizeOf( Cardinal ), Written );
    CloseHandle( hProc );

And now I execute the function in the context of the other process:

Code:
    RemoteExecute( TargetHandle, FecharHandle, AnyCardinal )

RemoteExecute is returning True, but the handle didn't get closed. Why? Do I have to patch CloseHandle to call the original API, or does RemoteExecute do that for me? Why doesn't this work?

Here's the disassembled version of my FecharHandle function:

Code:
    0054056C /. 55            PUSH EBP
    0054056D |. 8BEC          MOV EBP,ESP
    0054056F |. 53            PUSH EBX
    00540570 |. 68 11111111   PUSH 11111111                      ; /hObject = 11111111
    00540575 |. E8 8A6AECFF   CALL <JMP.&kernel32.CloseHandle>   ; \CloseHandle
    0054057A |. 8BC3          MOV EAX,EBX
    0054057C |. 5B            POP EBX
    0054057D |. 5D            POP EBP
    0054057E \. C2 0400       RETN 4

Thank you!!!
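Two things are visible in the disassembly above. The CALL at 00540575 is an E8 opcode with a relative 32-bit displacement into a jump thunk in the poster's own module; a relative displacement only lands on CloseHandle if the bytes execute at the same address they were compiled for, so a raw copy of the function running in another process calls whatever lies at that offset there. And Result is never assigned (MOV EAX,EBX returns a leftover register). The example below is added here and is not the poster's code or part of madCodeHook; it sidesteps code copying entirely and closes the remote handle with DuplicateHandle and DUPLICATE_CLOSE_SOURCE, which the Win32 API allows with a NULL target process. The function names CloseRemoteHandle and RemoteHandleIsOpen are assumptions made for this example. When run without arguments it tests itself by closing one of its own handles through the same path.

```delphi
program CloseRemoteHandleDemo;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

// Hypothetical helper (not from the original post): duplicate RemoteHandle,
// a handle value that is valid inside the process hProc refers to, into this
// process to see whether it still refers to an open object. Once the remote
// handle is closed, DuplicateHandle fails with ERROR_INVALID_HANDLE.
function RemoteHandleIsOpen(hProc, RemoteHandle: THandle): Boolean;
var
  Local: THandle;
begin
  Result := DuplicateHandle(hProc, RemoteHandle, GetCurrentProcess, @Local,
                            0, False, DUPLICATE_SAME_ACCESS);
  if Result then
    CloseHandle(Local);   // we only wanted to know whether it exists
end;

// Hypothetical helper (not from the original post): close RemoteHandle inside
// process Pid without injecting any code. With DUPLICATE_CLOSE_SOURCE and a
// NULL target process, DuplicateHandle closes the source handle and
// duplicates nothing. Needs PROCESS_DUP_HANDLE on the target, nothing more.
function CloseRemoteHandle(Pid: DWORD; RemoteHandle: THandle): Boolean;
var
  hProc: THandle;
begin
  Result := False;
  hProc := OpenProcess(PROCESS_DUP_HANDLE, False, Pid);
  if hProc = 0 then
  begin
    Writeln('OpenProcess failed: ', GetLastError);
    Exit;
  end;
  try
    if not RemoteHandleIsOpen(hProc, RemoteHandle) then
    begin
      Writeln('Handle ', IntToHex(RemoteHandle, 8), ' is not open in PID ',
              Pid, ' (error ', GetLastError, ')');
      Exit;
    end;

    Result := DuplicateHandle(hProc, RemoteHandle, 0, nil, 0, False,
                              DUPLICATE_CLOSE_SOURCE);
    if not Result then
      Writeln('DuplicateHandle(DUPLICATE_CLOSE_SOURCE) failed: ', GetLastError)
    else if RemoteHandleIsOpen(hProc, RemoteHandle) then
    begin
      // The numeric value is still valid: either the close did not take
      // effect, or the target already reused the slot for a new object.
      // Treat it as a failure rather than reporting success.
      Writeln('Handle value is still valid in the target after close');
      Result := False;
    end;
  finally
    CloseHandle(hProc);
  end;
end;

var
  Pid: DWORD;
  H: THandle;
begin
  if ParamCount >= 2 then
  begin
    // Usage: CloseRemoteHandleDemo <pid> <handle value in hex>
    Pid := StrToInt(ParamStr(1));
    H := StrToInt('$' + ParamStr(2));
  end
  else
  begin
    // Self-test: create an event in this process and close it "remotely".
    Pid := GetCurrentProcessId;
    H := CreateEvent(nil, True, False, nil);
  end;

  if CloseRemoteHandle(Pid, H) then
    Writeln('Handle ', IntToHex(H, 8), ' closed in PID ', Pid)
  else
    Writeln('Handle ', IntToHex(H, 8), ' NOT closed in PID ', Pid);
end.
```

Closing a handle behind a process's back is still a hostile operation from that process's point of view: it may crash or misbehave when its next call on the stale value fails, and any object it opens afterwards can receive the same numeric handle, which is why the post-close check above reports "still valid" as a failure instead of silently assuming the slot belongs to the old object.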