How to fix "LPVOID: unknown size" error while using the CreateRemoteThread API?

Question

I am trying create a tool for performing DLL-Injection by writing the the DLL in the Memory of a running process using VirtualAclloc() API and then finding the offset of the entrypoint and passing it to the CreateRemoteThread() API by adding the entry point offset to the base address of the VirtualAlloc function.

As I don't have any arguments that needs to be passed to lpStartAddress while calling CreateRemoteThread(), I initialized lpParameter as NULL.

LPVOID lpParameter = NULL;

...
...
thread_handle = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE)(base_address + offset), lpParameter, 0, NULL);

While compiling the code I am getting the error :

LPVOID: Unknown Size" and the message "Expression must be a pointer to a complete object type.

Is there a way I can pass the value of lpParameter as NULL?

Answer 1

base_address + offset adds offset*sizeof *base_address bytes to the pointer base_address. But if the type of base_address is LPVOID then *base_address has no size, so this is an error. Have a look at the section on pointer arithmetic in your C++ book.

From the context I guess you should change base_address to be char* instead of LPVOID. Or you could add a cast like this (LPTHREAD_START_ROUTINE)((char*)base_address + offset).

Answer 2

In this case you need to follow the below process:

1. Get a handle to LoadLibraryA function in kernel32.dll
2. Allocate and Initialize memory in the address space of target process by using VirtualAllocEx
3. Write the path of the dll that you want to inject in the target processes address space by using WriteProcessMemory
4. Inject the dll by using CreateRemoteThread and pass the address of LoadLibraryA as the lpStartAddress

below is the example code:

char* dllPath = "C:\\testdll.dll";

int procID = 16092;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
if (!hProcess) {
    printf("Error: Process not found.\n");
}

LPVOID lpvLoadLib = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");       /*address of LoadLibraryA*/
if (!lpvLoadLib) {
    printf("Error: LoadLibraryA not found.\n");
}

LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(dllPath)+1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);     /*Initialize and Allocate memory to zero in target process address space*/
if (!lpBaseAddress) {
    printf("Error: Memory was not allocated.\n");
}
SIZE_T byteswritten;
int result = WriteProcessMemory(hProcess, lpBaseAddress, (LPCVOID)dllPath, strlen(dllPath)+1, &byteswritten);   /*Write the path of dll to an area of memory in a specified process*/
if (result == 0) {
    printf("Error: Could not write to process address space.\n");
}

HANDLE threadID = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpvLoadLib, lpBaseAddress, NULL, NULL); /*lpStartAddress = lpvLoadLib address of LoadLibraryA function*/
if (!threadID) {
    printf("Error: Not able to create remote thread.\n");
}
else {
    printf("Remote process created...!");
}

hope this helps