DLL code injection with remote Thread: Where to store DLL filename/location in target process address space?

1
votes

there might be no (useful) answere to this Questions, but whatever. I want to inject code into an application via DLL code injection. The plan is:

  1. Find the address of the LoadLibrary function in the target process.

  2. Write a string with the name/filepath of the DLL i want to load using WriteProcessMemory() somewhere in the target process address space.

  3. Start a remote thread using CreateRemoteThread() with the address of LoadLibrary() as entry point and a pointer to the string containing the name/filepath of the DLL to be loaded as the Argument for the LoadLibrary() function.

The problem is at no. 2. Where in the target process address space do i store the string (without corrupting something)?

If this question has been asked before, feel free to point me there.

Thanks a lot for any help.

1
cdllcode-injectioncreateremotethread

1 Answers

1
votes

VirtualAllocEx allows you to specify the process in which memory is allocated. You would use this to allocate a block of memory. Note that you cannot write directly to the returned address--it is in a different process. You would write the DLL name via WriteProcessMemory.

If you were intending to place your code in DllMain, you should not. Windows holds an internal lock while executing DllMain and this adds a risk of a deadlock, depending on what you intend to do in your hook code. You could get the address of a function in your DLL and use CreateRemoteThread again to run this on a separate thread after the DLL has been loaded.

Rather than implementing all this yourself, I would recommend that you use a library someone has already written, such as EasyHook, which supports both managed and unmanaged injection.