
Tough (?) programming question

I've long had this in my SYSUTILS plugin.
Code:
@PSET[pid,var[=[value]]]
get[unset[set]] variable in process <pid>
returns value (get/set) or var (unset) on success, else an empty string
And at home I have a PSET.EXE which is similar (and works well). Both work by injecting data and code into the target process and calling CreateRemoteThread.

I'm trying to do something similar (hence my program is still called PSET.EXE) and get another process (of my choosing) to CreateProcess (with an EXE of my choosing). FWIW, the remote code looks like this (pData is the remote data, properly initialized, and the Beep is only there as a test).
Code:
DWORD WINAPI remote_code( LPREMOTE_DATA pData )
{
    /* pData: the REMOTE_DATA block copied into the target process and
       initialized by the injector (function pointers, command line, si/pi) */
    pData->bResult = pData->pBeep(440,200);   /* test only: audible sign that the thread ran */
    pData->bResult = pData->pCreateProcessW(NULL, pData->szCommandLine,
            NULL, NULL, TRUE, 0, NULL, NULL, &(pData->si), &(pData->pi));
    /* the new PID is returned as the thread exit code; 0 on failure */
    return pData->bResult ? pData->pi.dwProcessId : 0;
}

I have met with a very odd mixture of success and failure.

This (in TCC)
Code:
pset.exe PID notepad
works if PID was started by the current TCC (I hear the beep and notepad starts). If PID wasn't started by the current TCC, I hear the beep (something worked) and PID crashes.

Note that it ALWAYS fails from CMD, even when CMD started the target process.

It's so strange! How can it depend on how the target process was started? Does anyone have any ideas?

Thanks!
 
I had that a bit wrong. My testing was with TCCv13 (started by a very old DevStudio).
Code:
pset.exe PID notepad

In fact, PSET.EXE fails when run from TCC version < 22 (or CMD). It works when run from TCC version >= 22 (and from Start\Run).

I still don't get it. Why should it depend on who starts PSET.EXE?
 
All the talk about launching an un-elevated process from an elevated TCC reminded me of a post in Raymond Chen's blog a few months back:

Apparently it's possible for Process A to use CreateProcess() to create Process B as if it were started by the unrelated Process X. I have not tried this myself. But if I understand it correctly, it should be possible to do what you want without injecting code.
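From the monitoring side, the technique described above (a process creating a child that is recorded as belonging to a different parent) leaves a recognisable trace in kernel process telemetry. The following is an added example, not code from this thread or from any JP Software tool. It assumes records shaped like an ETW Microsoft-Windows-Kernel-Process ProcessStart event, where the event header's process id is the process that actually called CreateProcess while the payload's ParentProcessID is the parent the new process was assigned; a mismatch between the two is the signal. The field names, process names and pids below are constructed sample data.

```python
"""Flag process-start events whose recorded parent is not the real creator.

Assumption (ETW behaviour, not taken from the thread): the event header's
process id identifies the caller of CreateProcess, while ParentProcessID
in the payload is the parent the child was given. Tools that only display
ParentProcessID will show the assigned parent, not the caller.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcessStart:
    header_pid: int   # pid from the ETW event header: the process that called CreateProcess
    pid: int          # the newly created process
    parent_pid: int   # ParentProcessID from the payload: the parent the child was assigned
    image: str        # image name of the new process


# Constructed sample telemetry (not real events).
# pid 1200 (tcc.exe) starts notepad normally; pid 1500 (launcher.exe) starts
# calc.exe while naming pid 1200 as its parent.
SAMPLE_EVENTS: List[ProcessStart] = [
    ProcessStart(header_pid=700,  pid=1200, parent_pid=700,  image="tcc.exe"),
    ProcessStart(header_pid=1200, pid=1300, parent_pid=1200, image="notepad.exe"),
    ProcessStart(header_pid=700,  pid=1500, parent_pid=700,  image="launcher.exe"),
    ProcessStart(header_pid=1500, pid=1600, parent_pid=1200, image="calc.exe"),
]

# Processes already running before the trace started (constructed).
KNOWN_PIDS: Dict[int, str] = {700: "explorer.exe"}


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    claimed_parent: int
    claimed_parent_image: str
    real_creator: int
    real_creator_image: str


def build_pid_table(events: Iterable[ProcessStart], seed: Dict[int, str]) -> Dict[int, str]:
    """Map pid -> image name, seeded with pre-existing processes and
    extended with every process created during the trace."""
    table = dict(seed)
    for e in events:
        table[e.pid] = e.image
    return table


def find_spoofed_parents(events: List[ProcessStart],
                         known: Dict[int, str] = KNOWN_PIDS) -> List[Finding]:
    """Return one Finding per event whose assigned parent differs from the
    process that actually issued the CreateProcess call."""
    names = build_pid_table(events, known)
    findings: List[Finding] = []
    for e in events:
        if e.header_pid != e.parent_pid:
            findings.append(Finding(
                pid=e.pid,
                image=e.image,
                claimed_parent=e.parent_pid,
                claimed_parent_image=names.get(e.parent_pid, "<unknown>"),
                real_creator=e.header_pid,
                real_creator_image=names.get(e.header_pid, "<unknown>"),
            ))
    return findings


def format_finding(f: Finding) -> str:
    return (f"pid {f.pid} ({f.image}) is recorded under parent {f.claimed_parent} "
            f"({f.claimed_parent_image}) but was created by pid {f.real_creator} "
            f"({f.real_creator_image})")


if __name__ == "__main__":
    for finding in find_spoofed_parents(SAMPLE_EVENTS):
        print(format_finding(finding))
```

A mismatch is a signal to baseline rather than proof of misuse: Windows itself assigns a parent different from the caller in some legitimate paths (an elevated process started through UAC is created by a system service but recorded under the requesting process), so a production rule would whitelist those creator images and alert on the remainder.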
 
> All the talk about launching an un-elevated process from an elevated TCC reminded me of a post in Raymond Chen's blog a few months back:
>
> Apparently it's possible for Process A to use CreateProcess() to create Process B as if it were started by the unrelated Process X. I have not tried this myself. But if I understand it correctly, it should be possible to do what you want without injecting code.
I'll take a look. I really like Raymond Chen's blogs.

PRUN.EXE (that's what it's now called) was motivated by Joe C's thread. It's now built with a newer (not too new) DevStudio. And, on Win7/32 it still crashes the target process when run by CMD or TCCv<22 (and I'm still wondering why). On Win10/64, the x64 build works from CMD, TCCv24, PowerShell, and Start\Run.
 
Wow, that's cool, and easy ... Raymond's code was almost plug-n-play. It worked the first time after about 10 minutes work.
 
Oh good. I've been meaning to try that myself -- I have a use for it. Just never got around to it.
 
