tags:
views: 34
answers: 1

Hello, I have a process that has a CtrlBreak handler by calling SetConsoleCtrlHandler. This handler listens for CTRL_BREAK_EVENT and performs some action (without quitting). This process is not attached to a console. Let's call this the target process.

Next, I have written a separate program which takes a PID and I'd like to start a remote thread at the address of kernel*!CtrlRoutine so that the CtrlBreak handler of the target process is executed, e.g.:

    // Start a thread in the target at dwEntryPoint (kernel*!CtrlRoutine),
    // passing CTRL_BREAK_EVENT as the thread parameter.
    hRemoteThread = CreateRemoteThread(hRemoteProc, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)dwEntryPoint,
                                       (void *)CTRL_BREAK_EVENT, CREATE_SUSPENDED, NULL);
    ResumeThread(hRemoteThread);

The problem is, how do I find the address of kernel*!CtrlRoutine in the remote process (dwEntryPoint)?

I saw an example where a program registered its own CtrlBreakHandler, then walked up the stack using __asm to get the address, but this code doesn't work correctly on Windows 2008 Server.

Just to note, I cannot recompile the target process, so I have to do this without modifying the target process.

A: 

You can use the DLL injection technique to achieve this. You do it by first creating a DLL whose DllMain registers the Ctrl-Break handler. Then you open the target process and write the path to your DLL into its address space using VirtualAllocEx and WriteProcessMemory. Then you launch a remote thread in the target process with LoadLibrary as the entry point and the address of the DLL path as the parameter.

This causes your DLL to be loaded in the target process and DLLMain to be called which will register the CtrlHandler.

You can do all the above things only if your application has privileges to write into the target process.

You may refer to this link for the sample code.

Canopus