Return value

wootie · **Posted:** Tue Feb 14, 2012 4:00 pm

I'm trying to call a function with the appropriate arguments inside a process remotely and somehow retrieve the return value which the function outputs. So far i'm capable of calling a function with arguments, like this.

Code: Select all

   DWORD read;
   BYTE AsmStub[] = {
   0x68, 00,00,00,00, 
   0xB8, 00,00,00,00, // MOV EAX, 0x00
   0xFF, 0xD0,         // Call Eax
   0xC3,
   };
   

   *(DWORD*)&AsmStub[1] = ;
   *(DWORD*)&AsmStub[6] = ;

   LPVOID Address = VirtualAllocEx(handle, NULL, sizeof(AsmStub), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
   WriteProcessMemory(handle, Address, AsmStub, sizeof(AsmStub), &read);
   HANDLE pHandle = CreateRemoteThread(handle, NULL, sizeof(DWORD), (LPTHREAD_START_ROUTINE)Address, NULL, NULL, NULL);
   WaitForSingleObject(pHandle,INFINITE);
   CloseHandle(pHandle);
   VirtualFreeEx(handle, (LPVOID)Address, sizeof(AsmStub), MEM_RELEASE);

I'm aware that the credit for this apporach belongs to someone else.

So how can i achieve the return value?

Shaggi · **Joined:** Mon Jul 13, 2009 5:13 pm **Location:** Denmark

Code: Select all

   WaitForSingleObject(pHandle,INFINITE);
   DWORD nReturnCode;
   GetExitCodeThread(pHandle,&nReturnCode); //return value is stored in nReturnCode now.
   CloseHandle(pHandle);

wootie · **Posted:** Thu Feb 16, 2012 1:20 pm

Thanks for the suggestion, Shaggi

However, I'm not able to fetch any value from it other than 0xcccccccc which should indicate that the variable is on the stack as declared, but not initialized. So i don't think GetExitCodeThread() is providing any info. Do i need to pass any security attributes to CreateRemoteThread() in order to grab it? I've already loaded the common LoadSeDebugPrivilege() for the process. I'm kinda lost...

Shaggi · **Joined:** Mon Jul 13, 2009 5:13 pm **Location:** Denmark

wootie » Thu Feb 16, 2012 1:20 pm wrote:

Thanks for the suggestion, Shaggi

However, I'm not able to fetch any value from it other than 0xcccccccc which should indicate that the variable is on the stack as declared, but not initialized. So i don't think GetExitCodeThread() is providing any info. Do i need to pass any security attributes to CreateRemoteThread() in order to grab it? I've already loaded the common LoadSeDebugPrivilege() for the process. I'm kinda lost...

After your little stub returns, what remains in eax is what getexitcodethread returns - the value of eax. You are sure your function returns in eax? Ie. not floating point values or something?
Yes, 0xCCCCCCCC usually means uninitialized variables in debug versions (at least from msvc, that is). Therefore you should probably look at your functions signature, and check whether it's correct, it seems like you are messing with the stack. Did you write the function that you are trying to call?

TheUnknownSoldier · **Posted:** Wed Feb 22, 2012 3:22 pm

just FYI, your asm is wrong, any thread entry has the sig (under 32bit windows):

Code: Select all

DWORD __stdcall (void*)

your asm doesn't clean up the void* param pushed to the thread entry, this will probably lead to your thread triggering an exception or such, which is probably why you can't get the exit code

Blizzhackers

Return value

Who is online