Injecting a DLL into Another Process's Address Space

This sample shows how to use the CreateRemoteThread() function to load a DLL into another process's address space, call one of its exported functions there, and unload it again.

To inject with CreateRemoteThread() you follow these steps:

  1. Allocate a page of memory in the target for the code, via VirtualAllocEx()
  2. Allocate a page of memory in the target for the parameters, via VirtualAllocEx()
  3. Write the name of the DLL (and the other parameters) into the parameter memory (#2), via WriteProcessMemory()
  4. Write the code into the code memory (#1), via WriteProcessMemory()
  5. Call CreateRemoteThread(), passing it the address of the code (#1) as the thread's start routine and the parameter memory (#2) as its argument
  6. Wait for the remote thread to finish, e.g. with WaitForSingleObject()
  7. Read the return values back from the parameter memory (#2), via ReadProcessMemory()
  8. Free both allocations with VirtualFreeEx() (#1, #2)

The code copied in step 4 runs inside the target, so it must be self-contained: it may not reference anything through the injector's own import table or any other address that exists only in the injector. The usual way is to pass the addresses of LoadLibrary(), GetProcAddress() and FreeLibrary() in the parameter block; they are valid in the target because kernel32.dll is mapped at the same base in every process.

To open the target, OpenProcess() needs at least PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_READ and PROCESS_VM_WRITE access. For a process your account could not otherwise open (another user's, or a service) you additionally have to hold and enable the SeDebugPrivilege, via AdjustTokenPrivileges(), before calling OpenProcess(); for your own processes it is not required.

The attached example:
Usage: LOADDLL [/L] [/U] processID dllPath [functionName]
       /L              Loads the module
       /U              Unloads the module
       processID       Process ID of the target
       dllPath         Path of the module
       functionName    Function to call; it is run as the start routine of a new thread in the target and must take no parameters

Examples:

Load the module into process #728 and then unload it
LOADDLL /L /U 728 your.dll

Load the module into process #728, call fnTest and unload it again
LOADDLL /L /U 728 your.dll fnTest

Call the fnTest function; the module has to be loaded in the process already
LOADDLL 728 your.dll fnTest

Unload "your.dll" from process #728
LOADDLL /U 728 your.dll

Break into the remote process: DebugBreak() is an export of kernel32.dll, which every process already has loaded. Without a debugger attached to process #728 the breakpoint exception is unhandled and terminates it.
LOADDLL 728 kernel32.dll DebugBreak

Acknowledgements

This article is based on Felix Kasza's CreateRemoteThread() example. Thanks Felix!

Downloads

Download source - 46 Kb
