Why doesn't CreateRemoteThread work on Windows 10?


I have some code that works fine on Windows 7.

/// <summary>
/// Console program from the question. It finds a window of class "notepad++", opens the
/// process that owns it, allocates 2500 bytes of read/write/execute memory in that process,
/// writes five machine-code bytes there, starts a remote thread at that address and then
/// calls VirtualFreeEx on the region.
/// </summary>
/// <remarks>
/// NOTE(review): no native return value is checked, so a failure at any step is carried
/// silently into the next call. Addresses are held in Int32, which cannot represent a
/// 64-bit pointer. Neither the process handle nor the thread handle is ever closed
/// (no CloseHandle is declared).
/// From a monitoring point of view, OpenProcess with a broad access mask followed by an
/// executable VirtualAllocEx, WriteProcessMemory and CreateRemoteThread against another
/// process is a sequence endpoint protection commonly watches for (for example Sysmon
/// event ID 10, ProcessAccess, and event ID 8, CreateRemoteThread).
/// </remarks>
class Program {
    /// <summary>
    /// Runs the whole sequence once against the first "notepad++" window found, prints
    /// "end" and waits for a line of input.
    /// </summary>
    /// <param name="args">Command-line arguments; not used.</param>
    static void Main(string[] args) {
        // Look up a window by class name. The result is not checked: if no such window
        // exists hwnd stays IntPtr.Zero and every later call works on invalid values.
        IntPtr hwnd = IntPtr.Zero;
        hwnd = FindWindowEx(IntPtr.Zero, hwnd, "notepad++", null);

        // Resolve the id of the process that owns the window.
        int process_id;
        GetWindowThreadProcessId(hwnd, out process_id);

        // Open the target with the mask the author labels "All".
        // NOTE(review): this is broader than the calls below need; a narrower mask would
        // follow least privilege. The returned handle is not tested for IntPtr.Zero.
        var OpenedProcessHandle = OpenProcess(0x001F0FFF/*All*/, false, process_id);
        // Commit 2500 bytes in the target with protection 0x40 (ExecuteReadWrite per the
        // author's comment). A page that is writable and executable at the same time in a
        // foreign process is a common detection signal.
        // NOTE(review): the address comes back as int; when this program runs as a 64-bit
        // process the upper half of the pointer is lost here.
        int alloc_address = VirtualAllocEx(OpenedProcessHandle, 0, 2500, 0x1000/*Commit*/, 0x40/*ExecuteReadWrite*/);
        var FuncAllocMemory = alloc_address;

        // Build the code as a hex string; the mnemonics in the trailing comments are the
        // author's and are the 32-bit x86 readings of these bytes.
        // NOTE(review): 0x60/0x61 mean pushad/popad only in 32-bit mode. The page does not
        // say whether the notepad++.exe that faulted is a 32- or 64-bit build - confirm.
        // NOTE(review): the value pushed between pushad and popad is never popped, so by
        // my reading ret takes a saved register value instead of the thread's return
        // address - verify before treating this stub as a harmless no-op.
        var asmStr = "";
        asmStr = asmStr + "60"; //Pushad
        asmStr = asmStr + "6A10"; //push 0x10
        asmStr = asmStr + "61"; //Popad
        asmStr = asmStr + "C3"; //Ret

        // Convert each pair of hex digits into one byte (10 digits -> 5 bytes).
        byte[] arrAsm = new byte[asmStr.Length / 2];
        for (int i = 0; i <= arrAsm.Length - 1; i++) {
            arrAsm[i] = Convert.ToByte(Int32.Parse(asmStr.Substring(i * 2, 2), System.Globalization.NumberStyles.AllowHexSpecifier));
        }

        // Copy the bytes into the target. Neither the bool result nor the byte count in
        // tmpInt is inspected afterwards.
        int tmpInt;
        WriteProcessMemory(OpenedProcessHandle, FuncAllocMemory, arrAsm, arrAsm.Length, out tmpInt);

        // Start a thread in the target at the allocated address. The returned thread
        // handle is discarded, so this program cannot wait for the thread or close it.
        IntPtr tmpIntPtr;
        CreateRemoteThread(OpenedProcessHandle, IntPtr.Zero, 0, FuncAllocMemory, IntPtr.Zero, 0, out tmpIntPtr);

        // Issued immediately, without waiting for the remote thread to finish.
        // NOTE(review): Windows documents that dwSize must be 0 when dwFreeType is
        // MEM_RELEASE; with 2500 this call is expected to fail, and the ignored result
        // would hide that, leaving the region allocated in the target - confirm.
        VirtualFreeEx(OpenedProcessHandle, FuncAllocMemory, 2500, 0x8000/*Release*/);

        Console.WriteLine("end");
        Console.ReadLine();
    }

    // Finds a window by class and/or title; returns IntPtr.Zero when none matches.
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);

    // Opens a handle to a process by id.
    // NOTE(review): SetLastError is not set here, so the Win32 error code is not
    // reliably available to managed code after a failure.
    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

    // Allocates memory in another process.
    // NOTE(review): the native function returns a pointer and takes a pointer-sized
    // address and size; int/Int32 here truncates them in a 64-bit process.
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    public static extern int VirtualAllocEx(IntPtr hProcess, Int32 lpAddress, Int32 dwSize, int flAllocationType, int flProtect);

    // Writes the owning process id to lpdwProcessId; the return value is the id of the
    // thread that created the window.
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern IntPtr GetWindowThreadProcessId(IntPtr hWnd, out int lpdwProcessId);

    // Frees memory in another process; same Int32 address/size caveat as VirtualAllocEx.
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    public static extern bool VirtualFreeEx(IntPtr hProcess, Int32 lpAddress, Int32 dwSize, int dwFreeType);

    // Copies a buffer into another process's memory. Declared without SetLastError and
    // with a 32-bit base address.
    [DllImport("kernel32.dll")]
    public static extern bool WriteProcessMemory(IntPtr hProcess, Int32 lpBaseAddress, [In, Out] Byte[] buffer, Int32 nSize, out Int32 lpNumberOfBytesWritten);

    // Creates a thread in another process and returns its handle (IntPtr.Zero on failure).
    // Declared without SetLastError and with a 32-bit start address.
    [DllImport("kernel32.dll")]
    public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, int dwStackSize, Int32 lpStartAddress, IntPtr lpParameter, int dwCreationFlags, out IntPtr lpThreadId);
}

But this code doesn't work on Windows 10. What am I doing wrong? The Application event log shows:

Faulting application name: notepad++.exe, version: 7.6.2.0, time stamp: 0x5c2a9ff0

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

err

c#
winapi
createremotethread
asked on Stack Overflow Jan 9, 2019 by FriendsKenny • edited Jan 9, 2019 by FriendsKenny

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0