
    Injecting a DLL into Another Process's Address Space

    This sample shows how to use the CreateRemoteThread() function to load a DLL into another process's memory.

    To use CreateRemoteThread() this way, follow these steps:

    1. Allocate a page of memory in the target for the code, via VirtualAllocEx()
    2. Allocate a page of memory in the target for the parameters, via VirtualAllocEx()
    3. Write the name of the DLL (and other parameters) into the target memory (#2), via WriteProcessMemory()
    4. Write the code into the target memory (#1), via WriteProcessMemory()
    5. Call CreateRemoteThread(), passing it the address of the function (#1) and the allocated parameter memory (#2)
    6. Wait for the remote thread to finish
    7. Read back the return values from the target memory
    8. Free both allocations with VirtualFreeEx() (#1, #2)

    Before you can allocate memory in the target's address space, you must hold and enable SeDebugPrivilege.
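Seen from the monitoring side, step 5 is what Sysmon records as Event ID 8 (CreateRemoteThread). The following is an added example, not part of the original article or its download, that triages such records. The sample events, the allowlist and the names `classify` and `triage` are constructed for illustration, and it assumes Sysmon reports an empty or "-" StartModule when the thread's start address lies outside every loaded module.

```python
from typing import Optional

# Start functions tied to the operations on this page: loading a module,
# unloading it (/U), and the kernel32.dll DebugBreak example.
WATCHED_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                     "LoadLibraryExW", "FreeLibrary", "DebugBreak"}
# Assumption: sources this environment expects to create remote threads.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

def classify(event: dict) -> Optional[str]:
    """Return why a Sysmon Event ID 8 record needs review, or None."""
    if event.get("EventID") != 8:
        return None
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    module = event.get("StartModule", "").strip("- ")
    function = event.get("StartFunction", "").strip("- ")
    if not module:
        # Steps 1 and 4: the thread runs code copied into a VirtualAllocEx
        # page, so its start address is outside every loaded module.
        return "start address not backed by a loaded module"
    if function in WATCHED_FUNCTIONS:
        return f"remote thread starts at {function}"
    return None

def triage(events: list) -> list:
    """Return (SourceImage, TargetProcessId, reason) for each flagged event."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["SourceImage"], ev["TargetProcessId"], reason))
    return hits

# Constructed sample records (field names follow Sysmon Event ID 8).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Tools\LOADDLL.exe", "TargetProcessId": 728,
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 8, "SourceImage": r"C:\Temp\helper.exe", "TargetProcessId": 728,
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryW"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetProcessId": 4120,
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "CtrlRoutine"},
    {"EventID": 1, "SourceImage": "", "TargetProcessId": 0},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Debuggers and some security products also create remote threads, so the allowlist has to be built from what is normal on the monitored hosts.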

    The attached example:

    Usage: LOADDLL [/L] [/U] processID dllPath [functionName]
           /L              Loads the module
           /U              Unloads the module
           processID       Process ID
           dllPath         Path for the module
           functionName    Called function. Mustn't have parameters
    

    Examples:

    Loads and then unloads the module for process #728
    LOADDLL /L /U 728 your.dll
    
    Loads the module, calls fnTest, and unloads the module for process #728
    LOADDLL /L /U 728 your.dll fnTest
    
    Calls the fnTest function. The module must already be loaded in the process
    LOADDLL 728 your.dll fnTest
    
    Unloads "your.dll" from process #728
    LOADDLL /U 728 your.dll
    
    Breaks the remote process
    LOADDLL 728 kernel32.dll DebugBreak
    

    Acknowledgements

    This article is based on Felix Kasza's CreateRemoteThread() example. Thanks Felix!

    Downloads

    Download source - 46 Kb