Tough (?) programming question

May 20, 2008
9,708
67
Syracuse, NY, USA
I've long had this in my SYSUTILS plugin.
Code:
@PSET[pid,var[=[value]]]
get[unset[set]] variable in process <pid>
returns value (get/set) or var (unset) on success, else an empty string
And at home I have a PSET.EXE which is similar (and works well). Both work by injecting data and code into the target process and calling CreateRemoteThread.

I'm trying to do something similar (hence my program is still called PSET.EXE) and get another process (of my choosing) to CreateProcess (with an EXE of my choosing). FWIW, the remote code looks like this (pData is the remote data, properly initialized, and the Beep is only there as a test).
Code:
DWORD WINAPI remote_code( LPREMOTE_DATA pData )
{
    /* The Beep is only a test that the injected code actually runs in the target. */
    pData->bResult = pData->pBeep(440,200);
    /* Function pointers, command line, si and pi all live in the injected data block. */
    pData->bResult = pData->pCreateProcessW(NULL, pData->szCommandLine,
            NULL, NULL, TRUE, 0, NULL, NULL, &(pData->si), &(pData->pi));
    return pData->bResult ? pData->pi.dwProcessId : 0;
}
I have met with a very odd mixture of success and failure.

This (in TCC)
Code:
pset.exe PID notepad
works if PID was started by the current TCC (I hear the beep and notepad starts). If PID wasn't started by the current TCC, I hear the beep (something worked) and PID crashes.

Note that it ALWAYS fails from CMD, even when CMD started the target process.

It's so strange! How can it depend on how the target process was started? Does anyone have any ideas?

Thanks!
 
I had that a bit wrong. My testing was with TCCv13 (started by a very old DevStudio).
Code:
pset.exe PID notepad
In fact, PSET.EXE fails when run from TCC version < 22 (or CMD). It works when run from TCC version >= 22 (and from Start\Run).

I still don't get it. Why should it depend on who starts PSET.EXE?
 

Charles Dye

Super Moderator
Staff member
May 20, 2008
3,923
51
Albuquerque, NM
prospero.unm.edu
All the talk about launching an un-elevated process from an elevated TCC reminded me of a post in Raymond Chen's blog a few months back:

Apparently it's possible for Process A to use CreateProcess() to create Process B as if it were started by the unrelated Process X. I have not tried this myself. But if I understand it correctly, it should be possible to do what you want without injecting code.
 
All the talk about launching an un-elevated process from an elevated TCC reminded me of a post in Raymond Chen's blog a few months back:

Apparently it's possible for Process A to use CreateProcess() to create Process B as if it were started by the unrelated Process X. I have not tried this myself. But if I understand it correctly, it should be possible to do what you want without injecting code.
I'll take a look. I really like Raymond Chen's blogs.

PRUN.EXE (that's what it's now called) was motivated by Joe C's thread. It's now built with a newer (not too new) DevStudio. And, on Win7/32 it still crashes the target process when run by CMD or TCCv<22 (and I'm still wondering why). On Win10/64, the x64 build works from CMD, TCCv24, PowerShell, and Start\Run.
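As an added check (not code from the thread or from PRUN/PSET), this PowerShell function walks the parent chain Windows records for a process, so after running prun.exe you can see which process is registered as the parent of the new notepad, whether notepad was started by injected code or via the CreateProcess parent attribute Charles mentions. It only reads Win32_Process via CIM; the staleness check is a heuristic for a parent PID that was reused after the original parent exited.

```powershell
# Added example: show the recorded ancestry of a process (read-only, Win32_Process only).
function Get-ProcessAncestry {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [int]$MaxDepth = 16
    )
    # Take one snapshot so every link is judged against the same point in time.
    $all = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }

    $chain = @()
    $cur = $ProcessId   # not $pid: that automatic variable is this PowerShell's own id
    for ($depth = 0; $depth -lt $MaxDepth -and $all.ContainsKey($cur); $depth++) {
        $p = $all[$cur]
        $parent = $all[[int]$p.ParentProcessId]
        # A parent created AFTER its child means the recorded parent PID has been
        # reused by an unrelated process, so the link tells you nothing.
        $stale = ($null -ne $parent) -and ($parent.CreationDate -gt $p.CreationDate)
        $chain += [pscustomobject]@{
            Depth       = $depth
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            ParentId    = $p.ParentProcessId
            Created     = $p.CreationDate
            ParentStale = $stale
        }
        # Stop at a stale link or at a self-parented root (PID 0 / System Idle).
        if ($stale -or [int]$p.ParentProcessId -eq $cur) { break }
        $cur = [int]$p.ParentProcessId
    }
    return $chain
}

# Usage: after "prun.exe <PID> notepad", inspect the new notepad's recorded ancestry.
Get-Process notepad -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessAncestry -ProcessId $_.Id | Format-Table -AutoSize }
```

Depth 1 of the output is the process Windows considers notepad's parent; if that is the target PID you passed to prun.exe, the reparenting took effect, and if ParentStale is true the recorded parent exited and its PID was reused.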