
I'm reflectively injecting a dll into another process's memory, and I need to call CreateThread() obviously. I'm passing certain parameters to the dll that I'm injecting using my loader_data struct. I have certain variables I need to pass, such as sizes of a chunk of memory, etc. These all get delivered to my injected dll successfully; however, when passing a char* into my struct, it ends up empty in my injected dll in the reserved parameter of DllMain.

loader_data_t *parameter = new loader_data_t();
... initialize variables.

// Reserve and commit one block the size of the struct in the target process.
// (A data block does not need execute permission; PAGE_READWRITE is sufficient.)
lpRemoteLibraryBuffer3 = VirtualAllocEx(proc, NULL, sizeof(loader_data_t), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

// Copies only sizeof(loader_data_t) bytes: the value of parameter->chunk (an address
// in this process) is copied, not the bytes it points to. Return values are unchecked here.
WriteProcessMemory(proc, lpRemoteLibraryBuffer3, parameter, sizeof(loader_data_t), NULL);

That's how I'm allocating space for the parameter.

// The typedef needs a name after the closing brace for 'loader_data_t' to be usable as a type.
typedef struct loader_data_t {
    char *chunk;          // pointer into the injector's address space
    int chunk_size;
    ULONG_PTR reloc_address;
} loader_data_t;

And that is the struct that I'm passing. I'm definitely initializing it correctly; I've checked to make sure that everything is getting set correctly. However, when it gets passed to the reserved parameter in DllMain, all other variables are correct except the char* chunk variable. I'm really confused; excuse the possibly vague title.

pangea
    *"I'm definitely initializing it correctly"* - Maybe, maybe not. We don't know. Show a [mcve]. – IInspectable Dec 09 '18 at 08:46
  • Problem already solved. Not to be rude or anything, but you could've deduced from my question. SoronelHaetir helped me already. – pangea Dec 09 '18 at 17:42
  • I cannot deduce anything from code I cannot see. And even if *I* were clairvoyant, the next reader may not be. Not to be rude or anything, but now would be a good time to take the [tour] and read [ask]. – IInspectable Dec 09 '18 at 18:09
  • Chunk was already initialized in my "... initialize variables" code. Why wouldn't I have double checked? Already did and stated that they were already initialized. SoronelHaetir answered my question already. But you are right, I will take time to read the How to Ask. It is my first time on here. – pangea Dec 09 '18 at 18:40
  • Yes, that's what you said. You also said that it was *correctly* initialized, which apparently it wasn't. It is neither our job to guess which parts of your description are genuine and which ones are lies, nor does it help future readers, who now have to guess whether this matches their problem. – IInspectable Dec 09 '18 at 18:54

1 Answer

Assuming you set 'chunk' in the initialize-data code, then the pointer in the remote address space will be referencing the address in the local process.

The easy way to get around this would be to make chunk an array (probably the last member of the struct) and allocate a block large enough to hold chunk's data.

More complicated would be to allocate a second block in the remote process for chunk's data, copy the data to that block, write that address to the local instance's chunk member, and only then write the local struct to the remote process.

SoronelHaetir
  • Thank you so much. I was too stupid to realize that the char* variable is pointing to a ptr in the injector rather than the remote process. – pangea Dec 09 '18 at 17:12
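The answer's "easy way" as an added example (not code from the question or the answer): plain C that packs the fields and the chunk bytes into one self-contained block with a flexible array member, then simulates the receiving side with an in-process byte copy standing in for the remote write, so no pointer from the sender is ever dereferenced. It assumes uintptr_t as a stand-in for ULONG_PTR and uses no process APIs; the original layout fails the same round trip because a raw copy transports only the address held in 'chunk'.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Layout the answer suggests: payload inline as the last member, so the block
 * is self-contained wherever its bytes end up. */
typedef struct {
    int chunk_size;
    uintptr_t reloc_address;   /* stand-in for ULONG_PTR (assumption) */
    char chunk[];              /* C99 flexible array member */
} flat_layout_t;

/* One block holding the fields plus chunk_size payload bytes; caller frees. */
flat_layout_t *flat_pack(const char *chunk, int chunk_size, uintptr_t reloc,
                         size_t *out_len) {
    if (chunk_size < 0) return NULL;   /* reject a size that cannot be copied */
    size_t len = sizeof(flat_layout_t) + (size_t)chunk_size;
    flat_layout_t *blk = malloc(len);
    if (blk == NULL) return NULL;
    blk->chunk_size = chunk_size;
    blk->reloc_address = reloc;
    memcpy(blk->chunk, chunk, (size_t)chunk_size);
    *out_len = len;
    return blk;
}

/* Receiving side, simulated: a fresh malloc stands in for the remote block and
 * the reader dereferences nothing from the sender. 1 if the payload survived. */
int flat_roundtrip_ok(const char *chunk, int chunk_size) {
    size_t len;
    flat_layout_t *local = flat_pack(chunk, chunk_size, 0x1000, &len);
    if (local == NULL) return 0;
    unsigned char *remote = malloc(len);
    int ok = 0;
    if (remote != NULL) {
        memcpy(remote, local, len);        /* the raw byte copy */
        flat_layout_t *view = (flat_layout_t *)remote;
        ok = view->chunk_size == chunk_size &&
             memcmp(view->chunk, chunk, (size_t)chunk_size) == 0;
        free(remote);
    }
    free(local);
    return ok;
}
```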