
c++ - QueueUserAPC fails with INVALID_HANDLE_VALUE

I'm trying to inject a DLL into explorer.exe (a simple 64-bit DLL that shows a message box).

But QueueUserAPC returns zero (which means failure), and when I call GetLastError it returns 6.

I think something goes wrong at line 81, which calls QueueUserAPC.

Please help me — I have been trying to solve this problem for 2 days.

#include <windows.h>
#include <stdio.h>
#include <WinUser.h>
#include <TlHelp32.h>
#include <vector>

using std::vector;

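BOOL EnableDebugPriv() {
    // Enable SE_DEBUG_NAME on the current process token.
    //
    // Returns TRUE only when the privilege was actually enabled, FALSE otherwise.
    // The previous version returned GetLastError() — a nonzero, hence truthy,
    // error code — from its first two failure paths, leaked hToken when
    // AdjustTokenPrivileges failed, and took AdjustTokenPrivileges' TRUE as
    // success even though that API returns TRUE and sets ERROR_NOT_ALL_ASSIGNED
    // when the privilege is not held by the token.
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    // A TRUE return does not guarantee assignment; the last-error value
    // distinguishes "enabled" from "not all assigned". Read it before
    // CloseHandle, which may overwrite it.
    if (ok && GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        ok = FALSE;
    }
    CloseHandle(hToken);
    return ok;
}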


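DWORD getPidByName(LPCSTR name, vector<DWORD> &tids) {
    // Find the first process whose image name equals `name` (case-sensitive,
    // via strcmp) and append the id of every thread owned by it to `tids`.
    //
    // `tids` is appended to, never cleared, so repeated calls with the same
    // vector accumulate duplicate entries.
    //
    // Returns the process id, or 0 when no process matched or the snapshot
    // could not be taken or enumerated. The previous version passed an
    // INVALID_HANDLE_VALUE snapshot on to Process32First and ignored that
    // call's return value.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    if (!Process32First(hSnapshot, &pe)) {
        CloseHandle(hSnapshot);
        return 0;
    }

    DWORD pid = 0;
    do {
        if (strcmp(name, pe.szExeFile) == 0) {
            pid = pe.th32ProcessID;

            // Thread entries come from the same snapshot; keep only those
            // whose owner is the matched process.
            THREADENTRY32 te;
            te.dwSize = sizeof(te);
            if (Thread32First(hSnapshot, &te)) {
                do {
                    if (te.th32OwnerProcessID == pid) {
                        tids.push_back(te.th32ThreadID);
                    }
                } while (Thread32Next(hSnapshot, &te));
            }
            break;
        }
    } while (Process32Next(hSnapshot, &pe));

    CloseHandle(hSnapshot);
    return pid;
}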

BOOL injectDll(LPCSTR path, DWORD pid, vector<DWORD> &tids) {
    // Copies `path` into the process `pid` and queues LoadLibraryA as a
    // user-mode APC on each thread id in `tids`, with the remote buffer as
    // the APC argument.
    //
    // Returns FALSE only when OpenProcess, VirtualAllocEx or GetProcAddress
    // fails; the per-thread QueueUserAPC outcomes are printed, not reported,
    // so a TRUE return does not mean any APC was queued.
    //
    // Review notes (code hygiene; nothing changed here):
    //  - hProcess is leaked on the VirtualAllocEx and GetProcAddress failure
    //    paths, and pRemoteBuf is never released with VirtualFreeEx.
    //  - WriteProcessMemory's return value is ignored.
    //  - Every hThread returned by OpenThread is leaked; no CloseHandle.
    //  - OpenThread signals failure with NULL, which the NULL check covers.
    //    The trailing INVALID_HANDLE_VALUE branch is unreachable: `result`
    //    is either nonzero or zero and both cases are taken first.
    //  - tids.size() is a size_t printed with %d; %zu is the matching format.
    //  - (LPVOID)path is a C-style cast that discards const.

    HANDLE hProcess, hThread = INVALID_HANDLE_VALUE;
    LPVOID pRemoteBuf;
    DWORD dwBufSize = lstrlen(path) + 1;
    LPTHREAD_START_ROUTINE pThreadProc;
    if (!(hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid))) {
        return FALSE;
    }
    if (!(pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE))) {
        return FALSE;  // hProcess leaks here
    }
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)path, dwBufSize, NULL);  // return value unchecked
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

    if (pThreadProc == NULL) {
        return FALSE;  // hProcess and pRemoteBuf leak here
    }
    printf("tids size: %d\n", tids.size());
    for (int i = 0; i < tids.size(); i++) {
        hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, tids[i]);
        if (hThread != NULL) {
            DWORD result = QueueUserAPC((PAPCFUNC)pThreadProc, hThread, (ULONG_PTR)pRemoteBuf);
            if (result != 0) {
                printf("[*] Injection Succeed!");
            }
            else if (result == 0) {
                printf("0 RESULT\n");
                printf("result val: %d\n", result);
                printf("GetLastError: %d\n", GetLastError());
            }
            else if(hThread != INVALID_HANDLE_VALUE) {
                // Unreachable: the two branches above cover every value of result.
                printf("INVALID_HANDLE_VALUE");
            }
            // hThread is not closed before the next iteration.
        }
    }

    CloseHandle(hProcess);
    return TRUE;
}

int main() {
    // Driver: enable the debug privilege, resolve explorer.exe, run injectDll.
    //
    // Review notes (nothing changed here):
    //  - EnableDebugPriv's return value is ignored, so a failure to enable the
    //    privilege goes unnoticed.
    //  - getPidByName is called twice with the same `tids`; it appends without
    //    clearing, so every thread id appears twice and injectDll handles each
    //    thread twice.
    //  - getPidByName returns a DWORD (unsigned long) but is printed with %d;
    //    %lu is the matching format.
    //  - A zero pid (no match) is passed straight to injectDll.

    vector<DWORD> tids;
    EnableDebugPriv();
    printf("%d", getPidByName("explorer.exe", tids));
    if (injectDll("C:\\Dll1.dll", getPidByName("explorer.exe", tids), tids)) {
        printf("[*] Finally Succeed!\n");
    }
    else {
        printf("ERROR");
    }
}