Hi everyone, I'm trying to start an exe from memory, but at the moment
I need this because for a customer we need to encrypt the exe and then launch it without decrypting it to disk.
The technique I'm trying to use is to create a process in suspended mode, then change the image
of the process with my exe, and then resume the thread.
I'm stuck at the GetThreadContext function, which gives me an
87 error (The parameter is incorrect).
Can anyone help me?
Here is the code:
#define UNICODE                  /* CreateProcess with L"..." literals needs the wide-char API */
#include <windows.h>
#include <stdio.h>
int main(void)
{
    STARTUPINFO si = {0};
    si.cb = sizeof(si);          /* cb must be set before CreateProcess */
    PROCESS_INFORMATION pi = {0};
    if (CreateProcess(L"calc.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))   /* &pi, not pi */
    {
        CONTEXT ctx;             /* a struct, not a pointer: use '.' and pass &ctx */
        ctx.ContextFlags = CONTEXT_FULL;
        if (!GetThreadContext(pi.hThread, &ctx))
            printf("GetThreadContext: error %lu\n", GetLastError());   /* stands in for the poster's GetError() helper */
    }
}
I've read this on MSDN:
A 64-bit application can retrieve the context of a WOW64 thread using the Wow64GetThreadContext function.
and
WOW64: The handle must also have THREAD_QUERY_INFORMATION access.
And I have two questions:
1) I am using Windows 7 Ultimate x64, but my project is compiled as Win32, and the exe I have to load is 32-bit,
so: do I have to use GetThreadContext or Wow64GetThreadContext?
2) How do I create a security descriptor with THREAD_QUERY_INFORMATION?
Or if you can point me to some working source code for x64 to study...
Thanks in advance for your help
I performed a test using this code compiled in win32 on x64 Windows 7 RTM.
#define UNICODE                  /* wide-char API, matching the L"..." literals below */
#include <windows.h>
#include <stdio.h>

int main(void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory( &si, sizeof(si) );
    si.cb = sizeof(si);
    ZeroMemory( &pi, sizeof(pi) );
    if(CreateProcess(L"c:\\windows\\SysWOW64\\calc.exe", NULL, NULL, NULL,
                     FALSE, CREATE_SUSPENDED,
                     NULL, NULL, &si, &pi))
    // [ or ]
    // if(CreateProcess(L"c:\\windows\\system32\\calc.exe", NULL, NULL, NULL,
    //                  FALSE, CREATE_SUSPENDED,
    //                  NULL, NULL, &si, &pi))
    {
        CONTEXT ctx;
        ctx.ContextFlags=CONTEXT_FULL;
        if (!GetThreadContext(pi.hThread, &ctx))
        {
            DWORD err = GetLastError();
            printf("%lu", err);      /* DWORD is unsigned long */
        }
    }
    return 0;
}
I do not get any errors. Could you please let me know your test result?
Should I target the code to x64?
Regards,
Jialiang Ge (jia...@online.microsoft.com, remove 'online.')
Microsoft Online Community Support
=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.
This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================
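The two questions in the original post (which context API a 32-bit or 64-bit caller needs for a 32-bit child, and whether a security descriptor is needed for THREAD_QUERY_INFORMATION) and the suspended-process test in the reply above can be exercised together. The following is an added example written for this thread, not code from either poster: pe_parse reads the fields of the in-memory exe that the "replace the image" step will need (bitness, ImageBase, AddressOfEntryPoint, SizeOfImage), with every offset bounds-checked; build_sample_pe32 fabricates a constructed PE32 header (not a real executable) so the parser can be run anywhere; get_initial_context, compiled only on Windows, creates the target suspended with a properly initialised STARTUPINFO and picks GetThreadContext or Wow64GetThreadContext based on how the caller is built. The function names, the pe_info layout and the sample header values are my own; the calc.exe path is the one used in the reply above. It stops after reading the context and terminates the child; the unmap, write and SetThreadContext steps of the technique are not shown.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* What the "replace the image with my exe" step needs from the in-memory payload. */
typedef struct {
    int is_pe32plus;                       /* 0 = PE32 (32-bit), 1 = PE32+ (64-bit) */
    uint16_t machine, number_of_sections;  /* machine: 0x14C = i386, 0x8664 = x64 */
    uint64_t image_base;
    uint32_t entry_point_rva, size_of_image;
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the DOS/NT/optional headers of a PE image held in memory. Every read is
   bounds-checked against len, so a truncated or hostile buffer yields -1, not an OOB read. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                  /* "MZ" */
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != 0x00004550) return -1;                              /* "PE\0\0" */
    out->machine = rd16(nt + 4);
    out->number_of_sections = rd16(nt + 6);
    uint16_t opt_size = rd16(nt + 20);
    if (opt_size < 0x40 || len - e_lfanew - 24 < opt_size) return -1;  /* fields up to SizeOfImage */
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);
    if (magic == 0x10B)      { out->is_pe32plus = 0; out->image_base = rd32(opt + 28); } /* PE32 */
    else if (magic == 0x20B) { out->is_pe32plus = 1; out->image_base = rd64(opt + 24); } /* PE32+ */
    else return -1;
    out->entry_point_rva = rd32(opt + 16);
    out->size_of_image = rd32(opt + 56);
    return 0;
}

/* Constructed sample (not a real exe): headers of a minimal PE32 image. Returns bytes written. */
size_t build_sample_pe32(uint8_t *buf, size_t cap)
{
    const uint32_t e_lfanew = 0x40;
    size_t need = e_lfanew + 24 + 0xE0;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x14C); wr16(nt + 6, 3); wr16(nt + 20, 0xE0);  /* i386, 3 sections, SizeOfOptionalHeader */
    uint8_t *opt = nt + 24;
    wr16(opt, 0x10B);                                            /* PE32 magic */
    wr32(opt + 16, 0x1000); wr32(opt + 28, 0x00400000); wr32(opt + 56, 0x5000); /* entry, base, size */
    return need;
}

#ifdef _WIN32
/* Create exe_path suspended and read its first thread's initial context with the API
   that fits the caller/target mix: a 64-bit caller inspecting a 32-bit (WOW64) child
   must use Wow64GetThreadContext with a WOW64_CONTEXT; a 32-bit caller keeps using
   GetThreadContext. The hThread CreateProcess returns already has full access, so no
   security descriptor is needed for THREAD_QUERY_INFORMATION. In a fresh suspended
   thread Eax/Rcx holds the entry point and Ebx/Rdx the PEB. Returns 0 or the Win32
   error code; the child is terminated, never resumed. */
int get_initial_context(const wchar_t *exe_path, int target_is_32bit, DWORD_PTR *entry, DWORD_PTR *peb)
{
    STARTUPINFOW si; PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof si); si.cb = sizeof si;   /* cb is a documented requirement */
    ZeroMemory(&pi, sizeof pi);
    if (!CreateProcessW(exe_path, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
        return (int)GetLastError();
    BOOL ok;
#ifdef _WIN64
    if (target_is_32bit) {
        WOW64_CONTEXT wctx; wctx.ContextFlags = WOW64_CONTEXT_FULL;
        ok = Wow64GetThreadContext(pi.hThread, &wctx);
        if (ok) { *entry = wctx.Eax; *peb = wctx.Ebx; }
    } else {
        CONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL;  /* winnt.h declares CONTEXT 16-byte aligned on x64 */
        ok = GetThreadContext(pi.hThread, &ctx);
        if (ok) { *entry = ctx.Rcx; *peb = ctx.Rdx; }
    }
#else
    (void)target_is_32bit;   /* a Win32 build can only inspect 32-bit children; plain GetThreadContext works */
    CONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL;
    ok = GetThreadContext(pi.hThread, &ctx);
    if (ok) { *entry = ctx.Eax; *peb = ctx.Ebx; }
#endif
    int err = ok ? 0 : (int)GetLastError();
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return err;
}
#endif
```

On Windows, call pe_parse on the decrypted payload bytes first and pass !info.is_pe32plus as target_is_32bit to get_initial_context(L"C:\\Windows\\SysWOW64\\calc.exe", ...); a Win32 build on x64 Windows reaches the #else branch, which is exactly the original poster's configuration, so a failure there with error 87 points at the caller's CONTEXT or STARTUPINFO setup rather than at the WOW64 API choice.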
However, thanks for your help... Do you know if there is some other piece of source code
to try?
Thanks in advance
Do you mean that the code in my last reply does not work on your side? What
error do you see?
However, can you point me to some working code that I can study on how to launch an exe in memory using the Win32 API?
Thanks in advance