First, congrats on your excellent job. I decided to use your code with a .dll file. It allowed me to execute my code, but the execution stopped after the execution, which means I cannot get the exit code or do more actions.
Even in your code, when I use your executable (runshc.exe) with my code, the execution stops before your code line "the shellcode finished with a return value: ", which means there is a problem here. I tried with a sample putty.exe executable and the result is the same.
Can you help me with this?
Hi!
The problem is, many applications call ExitProcess or some equivalent of it, which just terminates the whole process. That's why once you enter the new application (as a shellcode) it will never return to the caller.
There is no generic solution for this problem, but some workarounds are possible for specific cases. You can, for example, trace the application to see which function caused it to terminate, and then patch this function: by API hooking, or by binary patching of the original binary. Which exact solution can be applied depends on your use case. Unfortunately it cannot be solved in a perfect way, but just by some hacks like this.
Hi,
Thank you for your comment, but I must admit that I'm quite surprised, since your app seems to want to keep going after the execution.
Thank you for the tips, I will work on it.
BR
So,
I searched for ExitProcess, which seems to be a nice solution, but I don't understand why it's not easy to get a HANDLE of the new execution?
Does that mean that it will be easy to track which executable started the new shellcode executable?
If the second solution to use a Windows API tracker exists, it should mean that Windows AV should be able to identify where this new execution is coming from?