Dll Remote thread injection of injection technology

testing environment

system :Windows 10 64bit

Injection target : win7 64bit Calculator ( This software uses habits , So I started from win7 Copy to win10 Yes )

Main ideas :

1. Use process PID Open process , Get handle

2. Use process handle to request memory space

3. hold dll Path write to memory

4. Create remote thread , call LoadLibrary

5. Release closeout or unload dll

Main function :

// Open process
  _In_  DWORD dwDesiredAccess,        // Open permissions
  _In_  BOOL bInheritHandle,               // No inheritance , fill False
  _In_  DWORD dwProcessId                // process PID

// Request memory

LPVOID WINAPI VirtualAllocEx(        
  _In_      HANDLE hProcess,                // process handle
  _In_opt_  LPVOID lpAddress,             // Specifies the address to allocate memory , fill NULL Help us find a place by default
  _In_      SIZE_T dwSize,                      // Allocated memory size
  _In_      DWORD flAllocationType,     // Do you want to apply now
  _In_      DWORD flProtect                 // The permission of the requested memory


// Write to memory
BOOL WINAPI WriteProcessMemory(
  _In_   HANDLE hProcess,                   // process handle
  _In_   LPVOID lpBaseAddress,            // The first address to write to memory (VirtualAllocEx Applied for )
  _In_   LPCVOID lpBuffer,                    // What to write ( Fill in our dll route )
  _In_   SIZE_T nSize,                            // Write size
  _Out_  SIZE_T *lpNumberOfBytesWritten    // Number of bytes actually written

// Create remote thread
HANDLE WINAPI CreateRemoteThread(
  _In_   HANDLE hProcess,                                            // process handle
  _In_   LPSECURITY_ATTRIBUTES lpThreadAttributes,   // Security attributes
  _In_   SIZE_T dwStackSize,                                         // Stack size
  _In_   LPTHREAD_START_ROUTINE lpStartAddress,     // Function called (LoadLibrary)
  _In_   LPVOID lpParameter,                                       
// Thread parameters ( Namely LoadLibrary parameter :dll route )
  _In_   DWORD dwCreationFlags,                                // Create flag
  _Out_  LPDWORD lpThreadId                                    // thread ID

Main code :
// Remote thread injection bool RemoteThreadInject(SIZE_T dwPid) { //1. use PID Open process for permission HANDLE
hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwPid); //2. Request memory , write in DLL route int
nLen = sizeof(WCHAR)*(wcslen(L"C:\\Win32Dll.dll") + 1); LPVOID pBuf =
if (!pBuf) { printf(" Failed to request memory !\n"); return false; } //3. Write to memory SIZE_T dwWrite = 0;
if (!WriteProcessMemory(hProcess, pBuf, L"C:\\Win32Dll.dll", nLen, &dwWrite)) {
printf(" Write to memory failed !\n"); return false; } //4. Create remote thread , Let the other party call LoadLibrary HANDLE
hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL,
(LPTHREAD_START_ROUTINE)LoadLibrary, pBuf, 0, 0); //5. Wait for the end of the thread to return , Releasing resources
WaitForSingleObject(hRemoteThread, -1); CloseHandle(hRemoteThread);
VirtualFreeEx(hProcess, pBuf, 0, MEM_FREE); return true; }
dll Only one pop-up in the section MessageBox, Here are dll Part of the source code

Injection effect :

©2019-2020 Toolsou All rights reserved,
Final review of database : Summary of comprehensive application questions Laplance operator ( Second derivative ) Simple learning of computer composition principle pyqt Button call python program _PyQt: Link button to function in program How much can you go up once you change jobs ? Today, I saw the ceiling of job hopping python in str Function usage _python in str Usage Summary of built-in functions MySQL trigger web The server nginx---linux Installation and deployment C++ Chapter V polymorphism exercises :( It's coming to an end )python Check built-in functions , How to check python Built in function