This sample shows how to use the CreateRemoteThread() function to load a DLL
into the memory of another process.
To use CreateRemoteThread() for this purpose you have to follow these steps:
- Allocate a page of memory in the target for the code, via VirtualAllocEx() (#1)
- Allocate a page of memory in the target for the parameters, via VirtualAllocEx() (#2)
- Write the name of the DLL (and any other parameters) into the target's parameter memory (#2), via WriteProcessMemory()
- Write the code into the target's code memory (#1), via WriteProcessMemory()
- Call CreateRemoteThread(), passing it the address of the function in the code memory (#1) and the address of the allocated parameter memory (#2)
- Wait for the remote thread to finish
- Read back the return values from the target memory
- Free both memory regions (#1, #2) with VirtualFreeEx()
Before you can allocate memory in the target's address space you have to hold and enable SeDebugPrivilege.
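The remote-thread creation in the steps above is also what an endpoint sensor records, so as an added defender-side example (not part of the original sample) here is a Python check over constructed Sysmon Event ID 8 (CreateRemoteThread) records that flags the two shapes this technique produces: a remote thread that starts at LoadLibrary, or one that starts in memory no module backs. The Sysmon field names are real; the flat key=value line layout and the sample values are assumptions made for this example.

```python
import re

# Constructed sample records in a Sysmon Event ID 8 (CreateRemoteThread) style.
# Field names follow Sysmon's schema; the one-line "key=value" layout is an
# assumption for this example, not a real log format.
SAMPLE_EVENTS = [
    # Remote thread whose start address is LoadLibraryA: classic DLL loading.
    "EventID=8 SourceImage=C:\\tools\\loaddll.exe SourceProcessId=4120 "
    "TargetImage=C:\\Windows\\notepad.exe TargetProcessId=728 "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryA",
    # Remote thread starting in memory that no loaded module backs (written code).
    "EventID=8 SourceImage=C:\\tools\\loaddll.exe SourceProcessId=4120 "
    "TargetImage=C:\\Windows\\notepad.exe TargetProcessId=728 "
    "StartModule= StartFunction=",
    # Ordinary cross-process thread creation by a system process: not flagged.
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe SourceProcessId=600 "
    "TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1200 "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
]

# Thread start functions that mean "the remote thread's job is to load a module".
LOADLIBRARY_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_event(line):
    """Split a flat key=value record into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def classify(event):
    """Return a verdict string for a suspicious CreateRemoteThread record, else None."""
    if event.get("EventID") != "8":
        return None
    # A thread created inside the same process is not a remote thread.
    if event.get("SourceProcessId") == event.get("TargetProcessId"):
        return None
    if event.get("StartFunction", "") in LOADLIBRARY_FUNCTIONS:
        return "dll-load-via-remote-thread"
    if event.get("StartModule", "") == "":
        return "remote-thread-in-unbacked-memory"
    return None


def scan(lines):
    """Run classify() over raw records; return (source, target, verdict) findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["SourceImage"], event["TargetImage"], verdict))
    return findings
```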
The attached example:

Usage: LOADDLL [/L] [/U] processID dllPath [functionName]

  /L            Loads the module
  /U            Unloads the module
  processID     Process ID
  dllPath       Path for the module
  functionName  Called function. Mustn't have parameters

Examples:

  Loads and then unloads the module for process #728
    LOADDLL /L /U 728 your.dll
  Loads, calls fnTest and unloads the module for process #728
    LOADDLL /L /U 728 your.dll fnTest
  Calls the fnTest function. The module has to be loaded into the process already
    LOADDLL 728 your.dll fnTest
  Unloads "your.dll" from process #728
    LOADDLL /U 728 your.dll
  Breaks the remote process
    LOADDLL 728 kernel32.dll DebugBreak
Acknowledgements
This article is based on Felix Kasza's CreateRemoteThread() example.
Thanks, Felix!