Inject failing from 32bit -> 64bit process

delphi package - getting into other processes
geoffreys
Posts: 6
Joined: Tue Jan 30, 2007 9:44 am
Location: Australia

Post by geoffreys »

Hi madshi,

I'm receiving an Error 5, access denied, when injecting a function from a 32bit process into Explorer on 64bit Windows. The same code works fine on XP32bit, Terminal server 32bit and W2003 Server 32bit.

Is this because the source is 32bit and destination 64bit? Can you see a way around it?

Code used is:

uses
  Windows, SysUtils, ShellAPI, madCodeHook;

// Runs inside the target process: RemoteExecute hands it a pointer to the
// copied params buffer (the command line) and returns its DWORD result.
function Remoted_StartProcess(const commandLine: PChar): DWORD; stdcall;
begin
  result := ShellAPI.ShellExecuteA(
    Windows.GetDesktopWindow(), // handle to parent window
    nil,                        // operation to perform (nil = default verb)
    commandLine,                // filename or folder name string
    nil,                        // executable-file parameters
    nil,                        // default directory
    SW_SHOWNORMAL               // how the window is shown when opened
  );
end;

// Wrapper procedure and its parameter names are assumed; the post shows only
// the body, with processID and targetCmd supplied by the caller.
procedure InjectStartProcess(processID: DWORD; const targetCmd: AnsiString);
var
  params        : pointer;  // params in address space of target process
  processHandle : DWORD;
  result        : DWORD;    // result of remoted execution - ShellExecute() result
begin
  processHandle := OpenProcess(PROCESS_ALL_ACCESS, true, processID);
  // ....verify handle etc..

  // Assumed: params points at the local command line; RemoteExecute copies
  // Length(targetCmd)+1 bytes (including the terminating #0) into the target.
  params := PAnsiChar(targetCmd);
  if NOT RemoteExecute(processHandle, @Remoted_StartProcess, {out} result, params, Length(targetCmd)+1) then
    raise Exception.CreateFmt('Remote injection failed. %s (%d)',
      [SysErrorMessage(GetLastError), GetLastError]);
end;
geoffreys

Post by geoffreys »

Sorry, forgot to mention that I'm running as domain admin and have checked that the user has local admin privileges. Both debug and act as part of OS privileges are enabled.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You cannot inject a 32bit dll into a 64bit process. You can only inject a 64bit dll into a 64bit process. But that's only one problem. Another problem is that a 32bit process in 64bit Windows is simply not able to create threads in 64bit processes. So a 32bit process is not able to inject a dll into a 64bit process by using remote threads.

I'm working on 64bit madCodeHook. It will allow you to inject dlls into both 32bit and 64bit processes. However, injection into 32bit processes will need to be done from a 32bit exe and the dll will have to be a 32bit dll. And injection into 64bit processes will need to be done from a 64bit exe and the dll will have to be a 64bit dll.

SetWindowsHookEx works in a similar way, btw.
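An added Delphi example (not madshi's or madCodeHook's own code) that applies the rule above: before calling RemoteExecute, compare the bitness of the calling process with that of the target so a 32bit/64bit mismatch is reported up front instead of surfacing later as an access denied error. It assumes the target handle was opened with at least PROCESS_QUERY_INFORMATION and resolves IsWow64Process dynamically because older kernels do not export it.

```delphi
uses
  Windows, SysUtils;

type
  TIsWow64Process = function(hProcess: THandle; var Wow64Process: BOOL): BOOL; stdcall;

// Is the OS itself 64bit? A native 64bit build can only run on 64bit Windows;
// a 32bit build is on 64bit Windows exactly when it runs under WOW64.
function Is64BitWindows: Boolean;
var
  IsWow64Process: TIsWow64Process;
  wow64: BOOL;
begin
  Result := SizeOf(Pointer) = 8;
  if Result then Exit;
  @IsWow64Process := GetProcAddress(GetModuleHandle(kernel32), 'IsWow64Process');
  if Assigned(IsWow64Process) and IsWow64Process(GetCurrentProcess, wow64) then
    Result := wow64;
end;

// True when the process behind hProcess is a native 64bit process.
// On 64bit Windows every process that is not a WOW64 process is 64bit.
function ProcessIs64Bit(hProcess: THandle): Boolean;
var
  IsWow64Process: TIsWow64Process;
  wow64: BOOL;
begin
  Result := False;
  if not Is64BitWindows then Exit;
  @IsWow64Process := GetProcAddress(GetModuleHandle(kernel32), 'IsWow64Process');
  if Assigned(IsWow64Process) and IsWow64Process(hProcess, wow64) then
    Result := not wow64;
end;

// Caller and target must have the same bitness for RemoteExecute to work.
function BitnessMatches(hProcess: THandle): Boolean;
begin
  Result := (SizeOf(Pointer) = 8) = ProcessIs64Bit(hProcess);
end;

// Raise a clear error before any remote thread is attempted.
procedure CheckBitnessOrFail(hProcess: THandle);
begin
  if not BitnessMatches(hProcess) then
    raise Exception.CreateFmt(
      'Bitness mismatch: this %dbit process cannot inject into a %dbit process.',
      [SizeOf(Pointer) * 8, 64 - (Ord(not ProcessIs64Bit(hProcess)) * 32)]);
end;
```

Call CheckBitnessOrFail(processHandle) right after OpenProcess succeeds; the same check applies to SetWindowsHookEx based injection, since the hook dll must match the target's bitness too.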