CodeGuru content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
This sample shows how to use the CreateRemoteThread() function to load a DLL
to another process memory.
To use the CreateRemoteThread() you have to follow these steps:
- Allocate a page of memory in target for the code, via VirtualAllocEx()
- Allocate a page of memory in target for the parameters, via VirtualAllocEx()
- Write the name of the DLL (and other parameters) into the target memory (#2), via WriteProcessMemory()
- Write the code into the target memory (#1), via WriteProcessMemory()
- Call CreateRemoteThread(), passing it the address of the function (#2) and the allocated parameter memory (#2)
- Wait for finishing the remote thread
- Read back the return values from the target memory
- Free the memories with VirtualFreeEx() (#1, #2)
Before you want to allocate memory in the target address space you have to have and enable the SeDebugPrivilege.
The attached example:
Usage: LOADDLL [/L] [/U] processID dllPath [functionName]
/L Loads the module
/U Unloads the module
processID Process ID
dllPath Path for the module
functionName Called function. Mustn't have parameters
Examples:
Loads and then unloads the module for process #728 LOADDLL /L /U 728 your.dll Loads, calls the fnTest and unloads the module for process #728 LOADDLL /L /U 728 your.dll fnTest Call the fnTest function. The module has to be loaded to the process LOADDLL 728 your.dll fnTest Unload the "your.dll" from process #728 LOADDLL /U 728 your.dll Breaks the remote process LOADDLL 728 kernel32.dll DebugBreak
Acknowledgements
This article is based on
Felix Kasza’s CreateRemoteThread() example.
Thanks Felix!
