views: 21, answers: 0

Hello, I have a process that has a CtrlBreak handler installed by calling SetConsoleCtrlHandler. This handler listens for CTRL_BREAK_EVENT and performs some action (without quitting). This process is not attached to a console. Let's call this the target process.

Next, I have written a separate program which takes a PID and I'd like to start a remote thread at the address of kernel*!CtrlRoutine so that the CtrlBreak handler of the target process is executed, e.g.:

    // Create a suspended thread in the target process at dwEntryPoint, passing
    // CTRL_BREAK_EVENT as the thread parameter, then let it run.
    hRemoteThread = CreateRemoteThread(hRemoteProc, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)dwEntryPoint,
                                       (void *)CTRL_BREAK_EVENT, CREATE_SUSPENDED, NULL);
    ResumeThread(hRemoteThread);

The problem is, how do I find the address of kernel*!CtrlRoutine in the remote process (dwEntryPoint)? I'd like this to work on 64-bit. I saw an example where a program registered its own CtrlBreakHandler, then walked up the stack using __asm to get the address, but there are two questions: 1) __asm isn't supported by the 64-bit Visual C++ compiler, so is there an alternative way to do this? _AddressOfReturnAddress doesn't seem viable; and 2) would this even work with ASLR, etc.? That is to say, if I have the address of CtrlRoutine in one virtual address space, will it necessarily be the same in the other?

Just to note, I cannot recompile the target process, so I have to do this without modifying the target process.

Thanks!