DLL injection technique: remote thread injection

Test environment:

System: Windows 10 64-bit

Injection target: the Windows 7 64-bit Calculator (I am used to this version of the program, so I copied it from Windows 7 to Windows 10)

Main ideas :

1. Open the target process by its PID and obtain a process handle

2. Allocate memory in the target process through that handle

3. Write the DLL path into that memory

4. Create a remote thread that calls LoadLibrary

5. Free the allocated memory and close the handles, or unload the DLL

Main functions:

// Open process
HANDLE WINAPI OpenProcess(
  _In_  DWORD dwDesiredAccess,        // Requested access rights to the process
  _In_  BOOL bInheritHandle,               // Handle inheritance; pass FALSE here
  _In_  DWORD dwProcessId                // Process ID (PID)

// Request memory

LPVOID WINAPI VirtualAllocEx(        
  _In_      HANDLE hProcess,                // process handle
  _In_opt_  LPVOID lpAddress,             // Address at which to allocate; pass NULL to let the system choose
  _In_      SIZE_T dwSize,                      // Allocated memory size
  _In_      DWORD flAllocationType,     // Allocation type (whether to reserve and/or commit the memory now)
  _In_      DWORD flProtect                 // Protection applied to the allocated memory


// Write to memory
BOOL WINAPI WriteProcessMemory(
  _In_   HANDLE hProcess,                   // process handle
  _In_   LPVOID lpBaseAddress,            // Base address in the target to write to (the block returned by VirtualAllocEx)
  _In_   LPCVOID lpBuffer,                    // Buffer to write (here, the DLL path)
  _In_   SIZE_T nSize,                            // Number of bytes to write
  _Out_  SIZE_T *lpNumberOfBytesWritten    // Number of bytes actually written

// Create remote thread
HANDLE WINAPI CreateRemoteThread(
  _In_   HANDLE hProcess,                                            // process handle
  _In_   LPSECURITY_ATTRIBUTES lpThreadAttributes,   // Thread security attributes
  _In_   SIZE_T dwStackSize,                                         // Initial stack size
  _In_   LPTHREAD_START_ROUTINE lpStartAddress,     // Thread start address (here, LoadLibrary)
  _In_   LPVOID lpParameter,                                       // Thread argument (the LoadLibrary argument: the DLL path)
  _In_   DWORD dwCreationFlags,                                // Creation flags
  _Out_  LPDWORD lpThreadId                                    // Receives the thread ID

Main code:
// Remote thread injection
//
// Loads the DLL at the hard-coded path L"C:\\Win32Dll.dll" into the process
// whose ID is dwPid: the path is written into the target's address space and
// a thread is started there with LoadLibrary as its entry point, so the target
// process performs the load itself. Returns true once the remote thread has
// finished, false if writing the path (or the allocation) failed.
//
// NOTE(review): the statement that fills pBuf is missing from this listing
// (the line reads "LPVOID pBuf =" with nothing after it); from step 2 of the
// write-up it is presumably a VirtualAllocEx call of nLen bytes in hProcess.
//
// Resource handling as written: hProcess is never closed, the two early
// returns also leak the remote buffer, and MEM_FREE is not a valid
// VirtualFreeEx free type (release takes MEM_RELEASE with size 0), so the
// final call fails and the buffer is leaked on the success path as well.
// The results of OpenProcess, CreateRemoteThread and the wait are not checked.
//
// The OpenProcess(PROCESS_ALL_ACCESS) -> WriteProcessMemory ->
// CreateRemoteThread sequence into another process is the textbook
// cross-process injection pattern that endpoint monitoring flags; it only
// succeeds when the caller already holds that level of access to the target.
bool RemoteThreadInject(SIZE_T dwPid)
{
    //1. Open the process by PID. The handle is not NULL-checked; if
    //   OpenProcess fails, every later call on hProcess fails as well.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwPid);
    //2. Request memory and write the DLL path into it.
    //   nLen is the path length in bytes including the terminating NUL
    //   (wide characters, hence sizeof(WCHAR)); it is narrowed from size_t to int.
    int nLen = sizeof(WCHAR)*(wcslen(L"C:\\Win32Dll.dll") + 1);
    //   Truncated in the source listing: pBuf has no initializer here.
    LPVOID pBuf =
    //   Early return: hProcess is still open at this point.
    if (!pBuf) { printf(" Failed to request memory !\n"); return false; }
    //3. Write the path into the remote buffer. dwWrite receives the byte
    //   count actually written but is never compared against nLen.
    SIZE_T dwWrite = 0;
    if (!WriteProcessMemory(hProcess, pBuf, L"C:\\Win32Dll.dll", nLen, &dwWrite)) {
        //   Early return: hProcess and the remote buffer pBuf are leaked.
        printf(" Write to memory failed !\n"); return false; }
    //4. Create a remote thread whose start routine is LoadLibrary and whose
    //   only argument is the remote copy of the path. The local address of
    //   LoadLibrary is used, so this relies on kernel32.dll being mapped at
    //   the same base in both processes. LoadLibrary is a macro: the wide
    //   string written above matches LoadLibraryW (a UNICODE build); in an
    //   ANSI build it resolves to LoadLibraryA and the buffer is misread.
    //   The returned thread handle is not checked for NULL.
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibrary, pBuf, 0, 0);
    //5. Block until the remote thread (i.e. the LoadLibrary call) returns,
    //   then release resources. -1 converted to DWORD equals INFINITE.
    WaitForSingleObject(hRemoteThread, -1); CloseHandle(hRemoteThread);
    //   MEM_FREE is a memory-state value reported by VirtualQuery, not a free
    //   type; VirtualFreeEx rejects it, so the remote buffer is not actually
    //   released. hProcess is never closed.
    VirtualFreeEx(hProcess, pBuf, 0, MEM_FREE); return true; }
The DLL itself only pops up a MessageBox; part of the DLL source code is shown below.

Injection result:
