Good day.

I've made a DLL in which I export a function. I attach the DLL to a process and then I want to call that function in that process space from another process.

Here's the exported function:

C++
__declspec(dllexport) DWORD WINAPI doSomething(LPVOID param)
{
    MessageBox(NULL, "doSomething()", "", 0);
    if (Switch::getInstance().currentStatus() == ON) {
        Switch::getInstance().switchOff();
    } else {
        Switch::getInstance().switchOn();
    }

    return 0;
}



I figured it could be done the same way you do DLL injection so I just went ahead and made a small test app like this:

C++
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, TARGET_PROCESS_PID);
assert(hProcess != NULL);

HMODULE dllModule = LoadLibrary("Switch.dll");
assert(dllModule != NULL);

FARPROC functionStart = GetProcAddress(dllModule, "?doSomething@@YGKPAX@Z");
assert(functionStart != NULL);

assert(CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)functionStart, NULL, 0, NULL) != NULL);

printf("Switch toggled\n");
getchar();

FreeLibrary(dllModule);
CloseHandle(hProcess);


The idea is that instead of supplying the address of LoadLibrary (the way it's done during dll injection) to CreateRemoteThread I supply the address to my function.

Anyway, I inject the DLL into the target process and then run the above code but the target process crashes with 0xC0000005 error code (access violation if I'm not wrong).

Any ideas what's wrong?
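The scenario in the question, a thread created in another process with a start address that was resolved in the creating process, is exactly the kind of event a defender reviews: Sysmon logs cross-process thread creation as Event ID 8 (CreateRemoteThread), and when the start address is not inside any module loaded in the target, the StartModule and StartFunction fields carry no resolvable value. The following triage script is an added example and is not code from the question, the answer, or CodeProject. It assumes the "Key: value" text layout of Sysmon Event ID 8 messages and that unresolved fields are rendered as "-"; the three records it parses are constructed, not real telemetry.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records.

The sample records below are constructed to mimic the text rendering of Sysmon
Event ID 8; they are not real telemetry. Field names follow the Sysmon schema
(SourceProcessId, SourceImage, TargetProcessId, TargetImage, StartAddress,
StartModule, StartFunction). We assume unresolved fields are rendered as "-".
"""
from dataclasses import dataclass

# Loader exports that DLL-injection tools commonly pass to CreateRemoteThread
# as the thread start routine (the "classic" injection pattern).
LOADER_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Directories a normal user can write to; a thread-creating process living
# there deserves a closer look than one under Program Files or Windows.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\")


@dataclass
class RemoteThreadEvent:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    start_address: int
    start_module: str    # "-" when no module in the target covers the address
    start_function: str  # "-" when no exported symbol covers the address


def parse_events(text: str) -> list[RemoteThreadEvent]:
    """Parse one or more 'CreateRemoteThread detected:' blocks.

    Each block is a run of 'Key: value' lines; blocks are separated by a
    blank line. Blocks without a StartAddress field are skipped.
    """
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only (UtcTime has more)
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if "StartAddress" not in fields:
            continue
        events.append(RemoteThreadEvent(
            source_pid=int(fields["SourceProcessId"]),
            source_image=fields["SourceImage"],
            target_pid=int(fields["TargetProcessId"]),
            target_image=fields["TargetImage"],
            start_address=int(fields["StartAddress"], 16),
            start_module=fields.get("StartModule", "-"),
            start_function=fields.get("StartFunction", "-"),
        ))
    return events


def assess(ev: RemoteThreadEvent) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one remote-thread event.

    Severity is 'high' when the start address has no backing module in the
    target (an address meaningful only in the source process, or an unbacked
    code region) or when the thread starts at a LoadLibrary export; 'medium'
    when only the source image location is suspicious; 'info' otherwise.
    """
    reasons = []
    if ev.start_module == "-":
        reasons.append("start address 0x%X is not backed by any module loaded in the "
                       "target process" % ev.start_address)
    if ev.start_function in LOADER_FUNCTIONS:
        reasons.append(f"thread starts at {ev.start_function}: DLL-injection pattern")
    if ev.source_image.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"source image {ev.source_image} is in a user-writable directory")
    if ev.start_module == "-" or ev.start_function in LOADER_FUNCTIONS:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "info", ["remote thread with a module-backed start address "
                    f"({ev.start_module}!{ev.start_function})"]


# Constructed sample: an address valid only in the injector, a LoadLibraryW
# injection, and a debugger break-in thread (ntdll!DbgUiRemoteBreakin).
SAMPLE_EVENTS = r"""
CreateRemoteThread detected:
UtcTime: 2024-01-01 10:00:00.000
SourceProcessId: 4242
SourceImage: C:\Users\dev\injector.exe
TargetProcessId: 1337
TargetImage: C:\Program Files\Target\target.exe
NewThreadId: 5555
StartAddress: 0x00007FF9A1B21000
StartModule: -
StartFunction: -

CreateRemoteThread detected:
UtcTime: 2024-01-01 10:00:01.000
SourceProcessId: 4242
SourceImage: C:\Users\dev\injector.exe
TargetProcessId: 1337
TargetImage: C:\Program Files\Target\target.exe
NewThreadId: 5556
StartAddress: 0x00007FF9B2C40000
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: LoadLibraryW

CreateRemoteThread detected:
UtcTime: 2024-01-01 10:00:02.000
SourceProcessId: 9001
SourceImage: C:\Program Files\Microsoft Visual Studio\devenv.exe
TargetProcessId: 1337
TargetImage: C:\Program Files\Target\target.exe
NewThreadId: 5557
StartAddress: 0x00007FF9C3D50000
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: DbgUiRemoteBreakin
"""

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        severity, reasons = assess(ev)
        print(f"[{severity}] {ev.source_image} -> {ev.target_image} (pid {ev.target_pid})")
        for r in reasons:
            print("    -", r)
```

The first record is what the question's test app would produce: the thread was created successfully, so the event is logged, but the start address maps to nothing in the target, which is consistent with the access violation the asker reports. The third record shows why "StartModule is empty" rather than "any remote thread" is the useful signal: debuggers legitimately create remote threads, and their start address resolves to a known export.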

1 solution

Crashes where exactly?

You need to run this under the debugger to find the exact line it crashes on. Usually, knowing what is happening leads to a solution.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)