This sample shows how to use the CreateRemoteThread() function to load a DLL into another process's address space.
To use CreateRemoteThread() for this you have to follow these steps:
- Allocate a page of memory in the target for the code, via VirtualAllocEx() (#1)
- Allocate a page of memory in the target for the parameters, via VirtualAllocEx() (#2)
- Write the name of the DLL (and the other parameters) into the parameter memory (#2), via WriteProcessMemory()
- Write the code into the code memory (#1), via WriteProcessMemory()
- Call CreateRemoteThread(), passing it the address of the function in the code memory (#1) as the thread start routine and the address of the parameter memory (#2) as its argument
- Wait for the remote thread to finish, e.g. with WaitForSingleObject()
- Read back the return values from the target memory, via ReadProcessMemory()
- Free both memory blocks with VirtualFreeEx() (#1, #2)
Before you can allocate memory in the target address space you need a handle to the target process with enough rights: OpenProcess() with at least PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ. To open processes that belong to other users or to the system you have to hold SeDebugPrivilege and enable it with AdjustTokenPrivileges() first; the privilege is disabled by default, even in an administrator's token.
The attached example:

Usage:

    LOADDLL [/L] [/U] processID dllPath [functionName]

      /L            Loads the module
      /U            Unloads the module
      processID     Process ID
      dllPath       Path for the module
      functionName  Called function. Mustn't have parameters

Examples:

    LOADDLL /L /U 728 your.dll            Loads and then unloads the module for process #728
    LOADDLL /L /U 728 your.dll fnTest     Loads the module, calls fnTest and unloads the module for process #728
    LOADDLL 728 your.dll fnTest           Calls the fnTest function. The module has to be loaded in the process already
    LOADDLL /U 728 your.dll               Unloads "your.dll" from process #728
    LOADDLL 728 kernel32.dll DebugBreak   Breaks into the remote process (calls DebugBreak() in it)
Acknowledgements
This article is based on Felix Kasza’s CreateRemoteThread() example. Thanks Felix!