Injecting A DLL Into Another Process’s Address Space

Published on: January 21, 2001
Last Updated: January 21, 2001


This sample shows how to use the CreateRemoteThread() function to load a DLL into another process's memory.

To use CreateRemoteThread(), follow these steps:

  1. Allocate a page of memory in the target for the code, via VirtualAllocEx()
  2. Allocate a page of memory in the target for the parameters, via VirtualAllocEx()
  3. Write the name of the DLL (and other parameters) into the target memory (#2), via WriteProcessMemory()
  4. Write the code into the target memory (#1), via WriteProcessMemory()
  5. Call CreateRemoteThread(), passing it the address of the function (#1) and the allocated parameter memory (#2)
  6. Wait for the remote thread to finish
  7. Read back the return values from the target memory
  8. Free both allocations (#1, #2) with VirtualFreeEx()

Before you can allocate memory in the target address space, your process must hold the SeDebugPrivilege and enable it.

The attached example:

Usage: LOADDLL [/L] [/U] processID dllPath [functionName]
       /L              Loads the module
       /U              Unloads the module
       processID       Process ID
       dllPath         Path for the module
       functionName    Called function. Mustn't have parameters

Examples:

Loads and then unloads the module for process #728
LOADDLL /L /U 728 your.dll

Loads, calls the fnTest and unloads the module for process #728
LOADDLL /L /U 728 your.dll fnTest

Calls the fnTest function. The module must already be loaded in the process
LOADDLL 728 your.dll fnTest

Unload the "your.dll" from process #728
LOADDLL /U 728 your.dll

Breaks the remote process
LOADDLL 728 kernel32.dll DebugBreak
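
A defender-side view of the steps and LOADDLL commands above, as an added example (not part of the original sample or of the code it is based on): it triages Sysmon Event ID 8 (CreateRemoteThread) records and flags remote threads that start in memory not backed by a module, or directly on a kernel32 export such as DebugBreak. The sample events, the loaddll.exe path, the "-" marker for an unresolved start module and the trusted-source allowlist are assumptions.

```python
# Added example: triage Sysmon Event ID 8 (CreateRemoteThread) records.
# Field names follow Sysmon's schema; every event below is constructed.
import ntpath

# kernel32 exports a remote thread can start on directly (one pointer-sized
# argument or none), matching the LOADDLL load/unload/DebugBreak usage.
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "freelibrary", "debugbreak"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

def classify(event, trusted_sources=frozenset()):
    """Return a finding label for one Event ID 8 record, or None."""
    if ntpath.basename(event.get("SourceImage", "")).lower() in trusted_sources:
        return None  # assumption: caller supplies vetted tool names
    module = (event.get("StartModule") or "-").strip()
    function = (event.get("StartFunction") or "-").strip().lower()
    if module == "-":
        # Start address is not inside any loaded module: code was written
        # into an allocated page (the VirtualAllocEx/WriteProcessMemory steps).
        return "start-in-unbacked-memory"
    if ntpath.basename(module).lower() in LOADER_MODULES and function in LOADER_EXPORTS:
        return "start-on-loader-export"
    return None

def triage(events, trusted_sources=frozenset()):
    """Return (finding, source image, target PID) for each flagged event."""
    hits = []
    for ev in events:
        finding = classify(ev, trusted_sources)
        if finding:
            hits.append((finding, ev["SourceImage"], ev["TargetProcessId"]))
    return hits

K32 = r"C:\Windows\System32\kernel32.dll"
EVENTS = [  # constructed samples; C:\Tools\loaddll.exe is a placeholder path
    {"SourceImage": r"C:\Tools\loaddll.exe", "TargetProcessId": 728,
     "StartModule": "-", "StartFunction": "-"},
    {"SourceImage": r"C:\Tools\loaddll.exe", "TargetProcessId": 728,
     "StartModule": K32, "StartFunction": "DebugBreak"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetProcessId": 900,
     "StartModule": K32, "StartFunction": "CtrlRoutine"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Pairing these findings with the access rights requested in the matching Sysmon Event ID 10 (ProcessAccess) record helps separate debuggers and other legitimate tools from unexpected injectors.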

Acknowledgements

This article is based on Felix Kasza’s CreateRemoteThread() example. Thanks Felix!


Written by Bobby

Bobby Lawson is a seasoned technology writer with over a decade of experience in the industry. He has written extensively on topics such as cybersecurity, cloud computing, and data analytics. His articles have been featured in several prominent publications, and he is known for his ability to distill complex technical concepts into easily digestible content.