Tags: c++, windows, winapi, createprocess, waitforsingleobject

CreateProcessWithLogonW can't read 0xCCCCCCCC Error


I am currently trying to inject a username and password into lsass.exe with C++. I am pretty new to C++, so this might be a stupid question, but it always throws me the error '0xC0000005: Access violation reading at location 0xCCCCCCCC'. Here is my code:

#include <iostream>
#include <windows.h>
#include <processthreadsapi.h>

int main()
{
    STARTUPINFO si;                 // declared but not initialised (cb is never set)
    PROCESS_INFORMATION pi;         // declared but not initialised
    si.dwFlags = 0x00000001;        // STARTF_USESHOWWINDOW
    si.wShowWindow = 0;             // SW_HIDE
    LPCWSTR userName = L"username"; // The username that will be injected into LSASS
    LPCWSTR userDomain = L"domain"; // The Logon Domain that will be injected into LSASS
    LPCWSTR userPassword = L"password"; // The User Password that will be injected into LSASS
    LPCWSTR applicationName = L"path";
    LPCWSTR currentDirectory = L"C:\\";

    // 0x00000002 = LOGON_NETCREDENTIALS_ONLY, 0x04000000 = CREATE_DEFAULT_ERROR_MODE
    bool r = CreateProcessWithLogonW(userName, userDomain, userPassword, 0x00000002, applicationName, NULL, 0x04000000, NULL, currentDirectory, &si, &pi);
    std::cout << r << std::endl;
    WaitForSingleObject(pi.hProcess, INFINITE); // pi.hProcess is garbage if the call failed
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}

I'm not sure, but in the variable list of the Visual Studio debugger, &pi and &si contain '0xCCCCCCCC'; more specifically, the hProcess and hThread of &pi both have it.

I pretty much just copy-pasted the code from here: https://blog.spookysec.net/DnD-LSASS-Injection/ and it worked for them...

Thanks for any help in advance

Edit: It does run now; I have changed

STARTUPINFO si;
PROCESS_INFORMATION pi;

to

STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};

but it doesn't seem like I have the rights I should have... I logged in to my own user account but couldn't even copy a file into the startup folder...


Solution

  • You need more initialization of the STARTUPINFO structure. In particular, the size of the structure. The operating system uses the size of the structure to determine what members are present. It is like a structure version.

    STARTUPINFO si = {0};
    
    si.cb = sizeof(si);