I've long had this in my SYSUTILS plugin.

Code:
@PSET[pid,var[=[value]]]
get[unset[set]] variable in process <pid>
returns value (get/set) or var (unset) on success, else an empty string

And at home I have a PSET.EXE which is similar (and works well). Both work by injecting data and code into the target process and calling CreateRemoteThread.

I'm trying to do something similar (hence my program is still called PSET.EXE) and get another process (of my choosing) to CreateProcess (with an EXE of my choosing). FWIW, the remote code looks like this (pData is the remote data, properly initialized, and the Beep is only there as a test).

Code:
#include <windows.h>

/* Thread routine copied into the target process. LPREMOTE_DATA is the
   poster's own struct (defined elsewhere, not shown): it carries the
   function pointers pBeep and pCreateProcessW, the command line, and the
   STARTUPINFO / PROCESS_INFORMATION blocks, so the remote code resolves
   nothing itself. */
DWORD WINAPI remote_code( LPREMOTE_DATA pData )
{
    pData->bResult = pData->pBeep(440, 200);             /* test only */
    pData->bResult = pData->pCreateProcessW(NULL, pData->szCommandLine,
        NULL, NULL, TRUE, 0, NULL, NULL, &(pData->si), &(pData->pi));
    return pData->bResult ? pData->pi.dwProcessId : 0;   /* 0 on failure */
}

I have met with a very odd mixture of success and failure.

This (in TCC)

Code:
pset.exe PID notepad

works if PID was started by the current TCC (I hear the beep and notepad starts). If PID wasn't started by the current TCC, I hear the beep (something worked) and PID crashes.

Note that it ALWAYS fails from CMD, even when CMD started the target process.

It's so strange! How can it depend on how the target process was started? Does anyone have any ideas?

Thanks!
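As an added example (not part of the post or of PSET.EXE), here is the defender's view of the same mechanism: a process that receives a remote thread and then spawns a child is exactly the pattern the post describes, and it can be spotted by correlating Sysmon Event ID 8 (CreateRemoteThread) with a later Event ID 1 (ProcessCreate) whose parent is the thread's target. The events below are constructed samples with only the fields the code uses.

```python
from datetime import datetime

# Constructed sample events in a Sysmon-like shape (only the fields used here).
# EventID 8 = CreateRemoteThread, EventID 1 = ProcessCreate.
EVENTS = [
    {"EventID": 8, "UtcTime": "2024-05-01 10:00:00.000",
     "SourceProcessId": 4100, "SourceImage": r"C:\example\injector.exe",
     "TargetProcessId": 5200, "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:01.500",
     "ProcessId": 6300, "Image": r"C:\Windows\System32\calc.exe",
     "ParentProcessId": 5200, "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:05.000",
     "ProcessId": 6400, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "UtcTime": "2024-05-01 09:30:00.000",   # too old to matter
     "SourceProcessId": 4200, "SourceImage": r"C:\example\debugger.exe",
     "TargetProcessId": 5200, "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def correlate(events, window_seconds=30):
    """Pair each cross-process CreateRemoteThread event with every process-create
    event whose parent is the thread's target and which follows it within
    window_seconds. Returns one alert dict per pair."""
    threads = [e for e in events if e["EventID"] == 8
               and e["SourceProcessId"] != e["TargetProcessId"]]
    creates = [e for e in events if e["EventID"] == 1]
    alerts = []
    for t in threads:
        t_time = parse_time(t["UtcTime"])
        for c in creates:
            if c["ParentProcessId"] != t["TargetProcessId"]:
                continue
            delay = (parse_time(c["UtcTime"]) - t_time).total_seconds()
            if not 0 <= delay <= window_seconds:
                continue
            alerts.append({"injector": t["SourceImage"], "target": t["TargetImage"],
                           "child": c["Image"], "delay_s": delay})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['target']} spawned {a['child']} {a['delay_s']:.1f}s "
              f"after a remote thread from {a['injector']}")
```

Real Sysmon events also carry ProcessGuid / TargetProcessGuid; key on those rather than on PIDs, which Windows reuses.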