- easyhook has RhCreateStealthRemoteThread. u can create another exported function(that ure gonna call from AHK in a single, normal DllCall) in ur dll that uses RhCreateStealthRemoteThread to invoke ur exported and injected Test function
- reimplement RhCreateStealthRemoteThread(or whichever other method of invocation u prefer) in AHK code. then, invoke ur exported and injected Test function
example, here's B for AHK UNICODE x64, injecting into 64-bit notepad (the injection itself done with ProcessHacker), implemented using a plain CreateRemoteThread:
#include "Windows.h"
#include <sstream>
/// THREADPROC-compatible export: shows a message box carrying the id of the
/// process the DLL is currently loaded in.
/// @param lpParameter  thread argument handed over by CreateRemoteThread; not used here
/// @return the MessageBoxW result (the id of the pressed button), surfaced as the thread exit code
extern "C" __declspec(dllexport) DWORD WINAPI show_msgbox(LPVOID lpParameter)
{
    (void)lpParameter;
    std::wostringstream text;
    text << "PID: " << GetCurrentProcessId();
    const std::wstring message = text.str();
    const int pressed = MessageBoxW(nullptr, message.c_str(), L"msgbox_x64.dll!show_msgbox", MB_OK);
    return static_cast<DWORD>(pressed);
}
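#NoEnv
#Requires AutoHotkey v1.1
; Resolves the address of show_msgbox inside the target process (same DLL, same
; relative offset) and starts a remote thread on it. Every failing call throws,
; matching getModuleBaseAddress; handles are released once the thread is created.
dllName := "msgbox_x64.dll"
; the PID must be resolved BEFORE getModuleBaseAddress() is called with it
; (the original order used injecteePID while it was still empty)
WinGet injecteePID, PID, ahk_exe notepad.exe
if (injecteePID = "")
    throw Exception("no notepad.exe window found", -1)
hOurModule := DllCall("LoadLibrary", "Str", dllName, "Ptr") ; load into our address space, get module address
if !hOurModule
    throw Exception("LoadLibrary failed", -1, A_LastError)
pOurMsgbox := DllCall("GetProcAddress", "Ptr", hOurModule, "AStr", "show_msgbox", "Ptr") ; find function and get its address
if !pOurMsgbox
    throw Exception("GetProcAddress failed", -1, A_LastError)
offset := pOurMsgbox - hOurModule ; compute the function's relative offset
; base addr of SAME injected dll inside target process + relative offset = address of the func in the target process
pInjectedMsgbox := getModuleBaseAddress(injecteePID, dllName) + offset
; hProcess handle needed for CreateRemoteThread
hInjecteeProcess := DllCall("OpenProcess", "UInt", 0x1FFFFF, "Int", false, "UInt", injecteePID, "Ptr") ; PROCESS_ALL_ACCESS
if !hInjecteeProcess
    throw Exception("OpenProcess failed", -1, A_LastError)
; the function to call has to have the THREADPROC signature for CreateRemoteThread to be able to invoke it properly
hInvokingThread := DllCall("CreateRemoteThread", "Ptr", hInjecteeProcess, "Ptr", 0, "Ptr", 0, "Ptr", pInjectedMsgbox, "Ptr", 0, "UInt", 0, "UInt*", 0, "Ptr")
if !hInvokingThread
    throw Exception("CreateRemoteThread failed", -1, A_LastError)
; the thread keeps running without our handles; release them so nothing leaks
DllCall("CloseHandle", "Ptr", hInvokingThread)
DllCall("CloseHandle", "Ptr", hInjecteeProcess)
DllCall("FreeLibrary", "Ptr", hOurModule)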
; Returns the base address of module `moduleName` inside process `pid`, found by
; walking a Toolhelp32 module snapshot. Layout (1080-byte MODULEENTRY32W, base at
; offset 24, szModule at offset 48) is the UNICODE x64 one ONLY.
; Throws if the snapshot cannot be taken or the module is not present.
getModuleBaseAddress(pid, moduleName) { ; unicode x64 ONLY
    snapshot := DllCall("CreateToolhelp32Snapshot", "UInt", 0x18, "UInt", pid, "Ptr") ; TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32
    if (snapshot = -1) ; INVALID_HANDLE_VALUE
        throw Exception("createSnapshot failed", -1, A_LastError)
    VarSetCapacity(entry, 1080) ; MODULEENTRY32W x64
    NumPut(1080, entry, "UInt") ; cbSize must be filled in before the first call
    haveEntry := DllCall("Module32FirstW", "Ptr", snapshot, "Ptr", &entry)
    while (haveEntry) {
        if (StrGet(&entry + 48, "UTF-16") = moduleName) { ; szModule x64
            baseAddr := NumGet(entry, 24, "Ptr") ; modBaseAddr x64
            break
        }
        haveEntry := DllCall("Module32NextW", "Ptr", snapshot, "Ptr", &entry)
    }
    DllCall("CloseHandle", "Ptr", snapshot) ; closed on both the found and not-found paths
    if (baseAddr = "")
        throw Exception("no such module found in PID=" pid, -1, moduleName)
    return baseAddr
}
rewrite with error handling in ur own code
I'm trying to 'communicate' with the Test function that is injected in the target pid.
explain what u need to "communicate", how, what application, what data, what bitness, why
depending on the answer, the solutions are numerous