Injecting a DLL into Another Process's Address Space

This sample shows how to use the CreateRemoteThread() function to load a DLL into another process's address space.

To load a DLL with CreateRemoteThread() you have to follow these steps:

  1. Allocate a page of memory in target for the code, via VirtualAllocEx()
  2. Allocate a page of memory in target for the parameters, via VirtualAllocEx()
  3. Write the name of the DLL (and other parameters) into the target memory (#2), via WriteProcessMemory()
  4. Write the code into the target memory (#1), via WriteProcessMemory()
  5. Call CreateRemoteThread(), passing it the address of the function in the code memory (#1) and the address of the allocated parameter memory (#2)
  6. Wait for the remote thread to finish
  7. Read back the return values from the target memory
  8. Free both allocations (#1, #2) with VirtualFreeEx()

Before you allocate memory in the target address space, you have to hold SeDebugPrivilege and enable it in your token.
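The same steps are what a host sensor sees from the other side. The following is an added example, not part of the original article or its download: a PowerShell check over one Sysmon Event ID 8 (CreateRemoteThread) record. Because step 1 allocates fresh memory for the thread's code, Sysmon cannot attribute the new thread's start address to any loaded module, and variants that start the thread directly at LoadLibrary are caught by function name. The function name Test-RemoteThreadEvent, the sample XML, paths, PIDs and address are all constructed for this example.

```powershell
# Added example (not the article's code): classify one Sysmon Event ID 8 record.
# A remote thread whose start address lies in VirtualAllocEx'd memory has no
# StartModule; one pointed at LoadLibrary* shows that name in StartFunction.
function Test-RemoteThreadEvent {
    param([Parameter(Mandatory)][string]$EventXml)

    [xml]$doc = $EventXml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }

    $reasons = @()
    $startModule = $fields['StartModule']   # Sysmon leaves this empty (or '-') when unbacked
    if ([string]::IsNullOrWhiteSpace($startModule) -or $startModule -eq '-') {
        $reasons += 'start address not backed by any loaded module'
    }
    if ($fields['StartFunction'] -match '^LoadLibrary(Ex)?[AW]$') {
        $reasons += "thread starts at $($fields['StartFunction'])"
    }

    [pscustomobject]@{
        SourceImage  = $fields['SourceImage']
        TargetImage  = $fields['TargetImage']
        StartAddress = $fields['StartAddress']
        Suspicious   = ($reasons.Count -gt 0)
        Reasons      = ($reasons -join '; ')
    }
}

# Constructed sample record (paths, PIDs and address are made up, not a capture).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Tools\LoadDll.exe</Data>
    <Data Name="TargetProcessId">728</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="StartAddress">0x0000020A3B5D0000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData>
</Event>
'@
Test-RemoteThreadEvent -EventXml $sample | Format-List

# On a host running Sysmon, feed live records instead (needs an elevated shell):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=8} |
#   ForEach-Object { Test-RemoteThreadEvent -EventXml $_.ToXml() } | Where-Object Suspicious
```

For the sample record the result is Suspicious = True with the reason "start address not backed by any loaded module".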

Usage of the attached example:
Usage: LOADDLL [/L] [/U] processID dllPath [functionName]
       /L              Loads the module
       /U              Unloads the module
       processID       Process ID
       dllPath         Path of the module
       functionName    Function to call; it must take no parameters

Examples:

Loads and then unloads the module for process #728
LOADDLL /L /U 728 your.dll

Loads, calls the fnTest and unloads the module for process #728
LOADDLL /L /U 728 your.dll fnTest

Calls the fnTest function. The module must already be loaded in the process
LOADDLL 728 your.dll fnTest

Unloads your.dll from process #728
LOADDLL /U 728 your.dll

Breaks into the remote process by calling DebugBreak from kernel32.dll
LOADDLL 728 kernel32.dll DebugBreak

Acknowledgements

This article is based on Felix Kasza's CreateRemoteThread() example. Thanks Felix!

Downloads

Download source - 46 Kb


Comments

  • Working in VistaX64?

    Posted by GalaticDan on 09/30/2009 06:27am

    I had to change the flags on OpenProcess(...) to PROCESS_ALL_ACCESS otherwise CreateRemoteThread fails with 5 (access denied). Not sure which extra flags are required so all sounds ok?

    Reply
  • Can this method be used to copy a Bitmap in another process?

    Posted by Legacy on 11/17/2003 12:00am

    Originally posted by: Jim White


    I have a handle to a bitmap in another process. If it was in my process I could get a copy via GetObject(hBitmap), but this doesn't work across processes (I thought GDI objects WERE global, but clearly I'm wrong).

    Can this injection technique solve my problem?

    Any advice/comments would be gratefully received!!

    Reply
  • Windows XP

    Posted by Legacy on 08/28/2003 12:00am

    Originally posted by: Mangos

    I need this example to run on Windows XP. What is needed to change?

    Reply
  • Excellent sample

    Posted by Legacy on 05/19/2003 12:00am

    Originally posted by: Real Programmer

    Thanks for an excellent foundation for this sort of thing! This saved me lots of time.

    I implemented another reader's suggestion to call GetLastError instead of "? 0 : 1", but let's face it, you usually know what the error is ;)

    The code did not work in debug mode in my project, as taking the address of a function yielded the address of a jmp table entry instead of the function itself. I'm not sure what option this is, but it should probably be mentioned alongside /GZ.

    (I took a much more brute force approach... if RemoteThread() is called with NULL, it returns the current eip. By comparing this result with the address of the function, I can tell if I have to do function import fixup or not.)

    I also rigged mine to work by exe name instead of process id, but that belongs in a psapi sample :)

    Thanks again

    Reply
  • Retrieve a control's object from another application

    Posted by Legacy on 03/10/2002 12:00am

    Originally posted by: Shanu

    I want to retrieve a control's object (to retrieve its properties) which is lying in another application. I have hooked this application's process with a DLL.
    I am getting all the properties of the control if the application (in which the control resides) is written in VC++,
    but on a VB based application I am not getting the properties.
    Why is it so?
    Is there any way possible?

    Regards,
    Shailesh

    Reply
  • Fine, but how to access objects in a process

    Posted by Legacy on 03/08/2002 12:00am

    Originally posted by: James

    How to access objects in a process

    I want to retrieve a control's object to retrieve its properties, which is lying in another application. What I managed to do is hook up this application's process by a DLL. Now I can send messages to this control, but how do I get access to the control's object to retrieve its properties directly?

    Regards
    James

    Reply
  • Injecting code into system processes

    Posted by Legacy on 12/04/2001 12:00am

    Originally posted by: Shawn Van Ness


    Just wanted to post these two emails here, for completeness' sake! Read from bottom to top. ;)

    -S

    -----Original Message-----
    From: Shawn Van Ness
    Sent: Tuesday, 04 December, 2001 15:07
    To: 'zoltan_csizmadia@yahoo.com'
    Subject: RE: trying to inject a dll into winlogon.exe


    Actually, it works perfectly! My "problem" was this: WinLogon.exe has a different environment (think: different path, different cwd, etc)... it just wasn't finding my .dll!

    Because it's so hard to debug the failure of a remote-thread, you should really have set the error code to GetLastError(), instead of just 0 or 1. :-/

    IOW,
    execBlock->ErrorLoad = (*execBlock->fnGetLastError)();
    instead of
    //execBlock->ErrorLoad = execBlock->hModule != NULL ? 0 : 1;

    For fun, try it -- inject the supplied TestLib.dll (which calls MessageBox) into your winlogon.exe process... tip: you must copy it into your system-path.

    Where is the message box? Just press Ctrl+Alt+Del to peek at the "Winlogon" desktop -- there it is, tucked partially behind the "Windows Security" dialog!

    TOO COOL!
    -S


    -----Original Message-----
    From: Shawn Van Ness
    Sent: Tuesday, 04 December, 2001 12:54
    To: 'zoltan_csizmadia@yahoo.com'
    Subject: trying to inject a dll into winlogon.exe


    Hi Zoltan,

    I just came across your dll-injection example [1]... It's excellent -- thanks!

    I was wondering if you have any thoughts on injecting code into processes that are running as different user accounts, on different winstations, etc.

    Specifically, I'm trying to inject code into winlogon.exe, and I'm having a bit of trouble... your testlib, anyway, had this to say to me:

    C:\etc\LoadDll\bin>LoadDll.exe /l /u 508 TestLib.dll TestFunction
    Loading "TestLib.dll": Couldn't load
    Calling "TestFunction": Couldn't find
    Freeing "TestLib.dll": Couldn't free

    However, I am able to attach a debugger (VS7) to winlogon.exe, and break execution, look at memory, etc. I see your LoadDll.exe acquires the SeDebug privilege -- so I expected it would work!?

    Any thoughts?

    Cheers,
    -S

    [1] http://www.codeguru.com/dll/LoadDll.shtml

    Reply
  • Injecting a DLL In Windows9x

    Posted by Legacy on 10/21/2001 12:00am

    Originally posted by: HellSpawn

    Does this source code only work for systems running Windows NT/2000? If so would you have any other code snippets that I could use in order to inject a DLL into a process running on a Windows 9x box? Thanks

    Reply
  • ooops!!!i have to do some thing more

    Posted by Legacy on 05/28/2001 12:00am

    Originally posted by: kuchnaheen

    Good Work!!!!

    in normal thread creation we never allocate memory in process for thread, why do we need that for remote creation....(i have also done the same thing....not as cleanly as u did but have it done....now i am improving my code...thanx to u)to me the reason is the requirement of createremotethread()(at least i have done coz of the function requirements)....but what if this created thread outs another thread....i mean if injected dll creates another thread by normal createthread() function.....in which process memory would the new thread execute....the process that injects the dll or the target process(to me the target process)....if target process then what are the possibilities of crash as no memory is allocated for the new thread....now i am trying to do that....till now with no problems.....my thread is working nicely....but it will be cool...if some one like u can assure me the thing

    thank u very much for the code....n more thanx in advance if u can guide me a little further on this thread issue

    cheers

    kuchnaheen

    Reply
  • Sense of that?

    Posted by Legacy on 04/23/2001 12:00am

    Originally posted by: Christoph Platz

    Hi there!

    I already read about that in one of Jeffrey Richter's books (MS Press). It sounds cool but I haven't understood what the hell this could be used for....!

    Can anyone explain? I really don't know why my app should load a DLL into the address space of another process :)

    Thanks for any hints!
    Christoph

    Reply