This sample shows how to use the CreateRemoteThread() function to load a DLL
to another process memory.
To use the CreateRemoteThread() you have to follow these steps:
- Allocate a page of memory in target for the code, via VirtualAllocEx()
- Allocate a page of memory in target for the parameters, via VirtualAllocEx()
- Write the name of the DLL (and other parameters) into the target memory (#2), via WriteProcessMemory()
- Write the code into the target memory (#1), via WriteProcessMemory()
- Call CreateRemoteThread(), passing it the address of the function (#2) and the allocated parameter memory (#2)
- Wait for finishing the remote thread
- Read back the return values from the target memory
- Free the memories with VirtualFreeEx() (#1, #2)
Before you want to allocate memory in the target address space you have to have and enable the SeDebugPrivilege.
The attached example:
Usage: LOADDLL [/L] [/U] processID dllPath [functionName]
/L Loads the module
/U Unloads the module
processID Process ID
dllPath Path for the module
functionName Called function. Mustn't have parameters
Examples:
Loads and then unloads the module for process #728
LOADDLL /L /U 728 your.dll
Loads, calls the fnTest and unloads the module for process #728
LOADDLL /L /U 728 your.dll fnTest
Call the fnTest function. The module has to be loaded to the process
LOADDLL 728 your.dll fnTest
Unload the "your.dll" from process #728
LOADDLL /U 728 your.dll
Breaks the remote process
LOADDLL 728 kernel32.dll DebugBreak
Acknowledgements
This article is based on
Felix Kasza’s CreateRemoteThread() example.
Thanks Felix!