Comments on: CreateRemoteThread, Vista and separate sessions

By: Chris

Chris — Sat, 16 Aug 2008 22:58:48 +0000

If this process resets its winsta or desktop, you have no chance to find it without creating a process and let it look in every available winstas and desktops for the window you are looking for.

By: Oliver

Oliver — Sat, 26 Jul 2008 13:49:19 +0000

Aaah, indeed. That might work.

By: carlos

carlos — Sat, 26 Jul 2008 13:38:32 +0000

I was thinking NtQueryInformationProcess(…ProcessBasicInformation…).

By: Oliver

Oliver — Sat, 26 Jul 2008 13:06:00 +0000

Wasn’t that at a random address now in Vista? So I’d still have to check the fs:0 address within the context of the remote thread/process?!

By: carlos

carlos — Sat, 26 Jul 2008 13:00:21 +0000

well there is no documented way but i don’t think it requires to run code in the remote process, maybe you can get the winsta\desktop name from peb->ProcessParameters->DesktopInfo

By: Oliver

Oliver — Sat, 26 Jul 2008 10:03:14 +0000

Ahh i see i missunderstod you, but are you sure that getting the desktop/winsta, requires to run code in the remote process?

Frankly, I didn’t find a documented way. Obviously the flaw must be in me or the documentation then

If you found a method, go ahead and tell. Although the problem has been solved, it would be nice to refine it in this point.

By: carlos

carlos — Sat, 26 Jul 2008 05:04:03 +0000

Ahh i see i missunderstod you, but are you sure that getting the desktop/winsta, requires to run code in the remote process?

By: Oliver

Oliver — Fri, 25 Jul 2008 09:15:29 +0000

GetTokenInformation tells you only the session (and there are other functions to retrieve this as well), however, getting the desktop/winsta, requires to run code in the remote process, so you’re back at step one.

By: Oliver

Oliver — Fri, 25 Jul 2008 09:14:06 +0000

Carlos, the problem is, to find out in which exact desktop the other process is in the target session. If it is the default desktop, everything will be fine, otherwise there really doesn’t seem to be any documented way.

To elaborate on the scenario: I wanted to start a GUI program under the session of which I knew that it ran some other program already. So injection was a natural choice.

And no, haven’t tried libs from EliCZ.

By: carlos

carlos — Fri, 25 Jul 2008 08:37:30 +0000

Also have you tried elicz libs?