
I am currently trying to inject a username and password into lsass.exe with C++. I am pretty new to C++, so this might be a stupid question, but it always throws the error '0xC0000005: Access violation reading at location 0xCCCCCCCC'. Here is my code:

```cpp
#include <iostream>
#include <windows.h>
#include <processthreadsapi.h>

int main()
{
    STARTUPINFO si;            // declared but never zeroed: cb and the other members hold garbage
    PROCESS_INFORMATION pi;
    si.dwFlags = 0x00000001;   // STARTF_USESHOWWINDOW
    si.wShowWindow = 0;        // SW_HIDE
    LPCWSTR userName = L"username"; // The username that will be injected into LSASS
    LPCWSTR userDomain = L"domain"; // The Logon Domain that will be injected into LSASS
    LPCWSTR userPassword = L"password"; // The User Password that will be injected into LSASS
    LPCWSTR applicationName = L"path";
    LPCWSTR currentDirectory = L"C:\\";

    // 0x00000002 is LOGON_NETCREDENTIALS_ONLY, 0x04000000 is CREATE_DEFAULT_ERROR_MODE
    bool r = CreateProcessWithLogonW(userName, userDomain, userPassword, 0x00000002, applicationName, NULL, 0x04000000, NULL, currentDirectory, &si, &pi);
    std::cout << r << std::endl;
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}
```

I'm not sure, but in the variable list of the Visual Studio debugger, &pi and &si contain '0xCCCCCCCC'; more specifically, the hProcess and hThread of &pi both have it.

I pretty much just copy-pasted the code from here: https://blog.spookysec.net/DnD-LSASS-Injection/ and it worked for them...

Thanks for any help in advance

Edit: It does run now; I have changed

```cpp
STARTUPINFO si;
PROCESS_INFORMATION pi;
```

to

```cpp
STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
```

but it doesn't seem like I have the rights I should have... I logged in to my own user account but couldn't even copy a file into the startup folder...

LetsDuck
  • You might want to consider the MSDN example [`CreateProcessWithLogonW`](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw). Especially where `si` and `pi` are initialized. And the error handling, which MSDN has and Spookysec doesn't. – Eljay Jun 03 '22 at 15:41
  • *I pretty much just copy-pasted the code from here:* -- If you did actually copy and paste the exact code, I hate to break the news to you, but the code is broken. The `si` variable is uninitialized. Are you sure the place where you copied this from didn't do a `ZeroMemory`, `memset`, or maybe `STARTUPINFO si = {};`, and you failed to do this? – PaulMcKenzie Jun 03 '22 at 15:45
  • 0xCCCCCCCC is defined undefined behavior for the MSVC compiler. Tells you that the program is using an uninitialized variable. STARTUPINFO is not initialized. And you must check the return value for failure, std::cout isn't good enough to stop the program from failing. – Hans Passant Jun 03 '22 at 15:45
  • [When and why will a compiler initialise memory to 0xCD, 0xDD, etc. on malloc/free/new/delete?](https://stackoverflow.com/q/370195/995714). 0xCC is uninitialized memory – phuclv Jun 03 '22 at 15:50
  • Also, if you actually did copy the code, and the code at that site didn't initialize the memory, and the code "worked" for them, this is why undefined behavior is sometimes not easy to detect. The `STARTUPINFO` has a lot more members than the two your code sets. What values will those member variables have if you don't set them? `¯\_(ツ)_/¯`. The Windows API doesn't know the difference whether you set them or not, it will use them. This is why uninitialized structures that are used in WinAPI calls result in Windows programs acting erratically. – PaulMcKenzie Jun 03 '22 at 15:51
  • I can create the process now, but that process doesn't have any permissions... – LetsDuck Jun 03 '22 at 16:59

1 Answer


You need more initialization of the STARTUPINFO structure. In particular, the size of the structure. The operating system uses the size of the structure to determine what members are present. It is like a structure version.

```cpp
STARTUPINFO si = {0};

si.cb = sizeof(si);
```
Jim Rhodes
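The answer's fix carried into a complete, corrected version of the program from the question, as an added example (not the asker's code and not the linked blog's): it zeroes STARTUPINFO, stamps cb, replaces the magic numbers with their Win32 names, and checks the return value instead of printing it. The launched program path is an assumption, and the stand-in STARTUPINFOW outside Windows exists only so the initialization helper compiles and can be checked there.

```cpp
#include <cstring>
#include <iostream>
#ifdef _WIN32
#include <windows.h>
#else
// Stand-in for the Win32 type (assumption, not the real layout) so the
// initialization helper below builds and can be tested off-Windows.
struct STARTUPINFOW { unsigned long cb; unsigned long dwFlags; unsigned short wShowWindow; };
#endif

// The OS reads si.cb as the structure's version: zero every member first,
// then stamp the size, so nothing is left holding MSVC's 0xCC debug fill.
STARTUPINFOW make_startup_info(unsigned short show_window) {
    STARTUPINFOW si;
    std::memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = 0x00000001;      // STARTF_USESHOWWINDOW, as in the question
    si.wShowWindow = show_window; // 0 is SW_HIDE
    return si;
}

// True when cb carries the size this build's STARTUPINFOW actually has.
bool startup_info_is_versioned(const STARTUPINFOW& si) {
    return si.cb == sizeof(STARTUPINFOW);
}

#ifdef _WIN32
// Note on the asker's follow-up: LOGON_NETCREDENTIALS_ONLY (the 0x00000002 in
// the question) applies the supplied credentials to network access only; the
// new process keeps the caller's own logon session and local rights.
int main() {
    STARTUPINFOW si = make_startup_info(SW_HIDE);
    PROCESS_INFORMATION pi = {};
    BOOL ok = CreateProcessWithLogonW(L"username", L"domain", L"password",
        LOGON_NETCREDENTIALS_ONLY, L"C:\\Windows\\System32\\cmd.exe", nullptr,
        CREATE_DEFAULT_ERROR_MODE, nullptr, L"C:\\", &si, &pi);
    if (!ok) {  // the BOOL is a success flag; the reason lives in GetLastError()
        std::cerr << "CreateProcessWithLogonW failed: " << GetLastError() << '\n';
        return 1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif
```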