This sample shows how to use the CreateRemoteThread() function to load a DLL to another process memory.
To use the CreateRemoteThread() you have to follow these steps:
- Allocate a page of memory in target for the code, via VirtualAllocEx()
- Allocate a page of memory in target for the parameters, via VirtualAllocEx()
- Write the name of the DLL (and other parameters) into the target memory (#2), via WriteProcessMemory()
- Write the code into the target memory (#1), via WriteProcessMemory()
- Call CreateRemoteThread(), passing it the address of the function (#2) and the allocated parameter memory (#2)
- Wait for finishing the remote thread
- Read back the return values from the target memory
- Free the memories with VirtualFreeEx() (#1, #2)
Before you want to allocate memory in the target address space you have to have and enable the SeDebugPrivilege.
The attached example:
Usage: LOADDLL [/L] [/U] processID dllPath [functionName]
/L Loads the module
/U Unloads the module
processID Process ID
dllPath Path for the module
functionName Called function. Mustn't have parameters
Examples:
Loads and then unloads the module for process #728 LOADDLL /L /U 728 your.dll Loads, calls the fnTest and unloads the module for process #728 LOADDLL /L /U 728 your.dll fnTest Call the fnTest function. The module has to be loaded to the process LOADDLL 728 your.dll fnTest Unload the "your.dll" from process #728 LOADDLL /U 728 your.dll Breaks the remote process LOADDLL 728 kernel32.dll DebugBreak
Acknowledgements
This article is based on Felix Kasza’s CreateRemoteThread() example. Thanks Felix!
Stay on top of the latest technology trends — delivered directly to your inbox, free!
Subscription Form Posts
Don't worry, we don't spam
YOU MAY ALSO LIKE
Latest Stories
Secure your digital life with NordVPN
- Privacy on any Wi-Fi
- Malware protection
- One account, six devices
- 5,500+ servers in 59 countries
