DLL Injection

DLL Injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library (DLL). Once the library is mapped, its DllMain runs inside the target process with that process's privileges.

Creating a DLL project:

First things first, we need a DLL to inject into a running process.

Create the header file for the DLL

We'll start by creating a header file to declare the functions our DLL exports. We'll call it Inject.h.

This is the most basic example. We define an INJECT_API preprocessor macro (which expands to __declspec(dllexport) when the DLL itself is being built) and declare "printHello" with it so the function is exported from the DLL.

Create Source File

In the header we declared "printHello" with the INJECT_API macro so that the DLL exports it. Now we create a source file that implements the "printHello" functionality. We'll call it "Inject.cpp".

DLL Implementation / Functionality

When the DLL is attached to a process (the DLL_PROCESS_ATTACH case in DllMain), dllmain.cpp calls printHello(). DllMain runs while the loader lock is held, so keep the work done there minimal.
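As an added example (this is not the page's own code), the three files described above are written out here in one translation unit so they can be read together: Inject.h with the INJECT_API macro and the declaration, Inject.cpp with printHello, and dllmain.cpp with DllMain. It assumes the DLL project defines INJECT_EXPORTS (done inline below for a single-file build). printHello names the host process via GetModuleFileNameA so the message proves which process the code is running in, and DllMain runs it on a fresh thread instead of directly under the loader lock. The greeting_for helper is portable; everything else builds only on Windows (for example `cl /LD Inject.cpp user32.lib`).

```cpp
// Inject.dll (added example): the tutorial's three files in one translation
// unit. A real project would split them back into Inject.h / Inject.cpp / dllmain.cpp.
#include <string>

// ---- Inject.h ----
// The DLL project defines INJECT_EXPORTS, so INJECT_API expands to dllexport
// here; a client linking against the import library sees dllimport instead.
#define INJECT_EXPORTS
#ifdef _WIN32
#  ifdef INJECT_EXPORTS
#    define INJECT_API extern "C" __declspec(dllexport)
#  else
#    define INJECT_API extern "C" __declspec(dllimport)
#  endif
#else
#  define INJECT_API extern "C"   // non-Windows build of the portable parts only
#endif

INJECT_API void printHello(void);

// Portable helper: strip the directory from the host's module path so the
// greeting names the process we were injected into (e.g. win32calc.exe).
std::string greeting_for(const std::string& module_path) {
    std::string::size_type cut = module_path.find_last_of("\\/");
    std::string exe = (cut == std::string::npos) ? module_path : module_path.substr(cut + 1);
    return "Hello from " + exe;
}

#ifdef _WIN32
#include <windows.h>

// ---- Inject.cpp ----
void printHello(void) {
    char path[MAX_PATH] = {};
    GetModuleFileNameA(nullptr, path, MAX_PATH);   // NULL module = the host .exe, not this DLL
    std::string msg = greeting_for(path);
    OutputDebugStringA(msg.c_str());               // shows up in DebugView or an attached debugger
    MessageBoxA(nullptr, msg.c_str(), "Inject.dll", MB_OK);
}

// ---- dllmain.cpp ----
static DWORD WINAPI helloThread(LPVOID) { printHello(); return 0; }

BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hModule);
        // DllMain runs under the loader lock, where calling into user32 or
        // loading other DLLs can deadlock; do the work on a thread that starts
        // once DllMain has returned.
        HANDLE h = CreateThread(nullptr, 0, helloThread, nullptr, 0, nullptr);
        if (h) CloseHandle(h);
    }
    return TRUE;
}
#endif
```

The DLL must be built for the same bitness (32-bit or 64-bit) as the process it will be injected into; a 64-bit process cannot load a 32-bit DLL and vice versa.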

DLL Injection

To inject a DLL into a remote process we need to do the following things with their respective Windows API functions:

  • Find the address of LoadLibraryW in kernel32.dll (GetModuleHandle + GetProcAddress)

  • Open a handle to the remote process (OpenProcess)

  • Allocate memory in the remote process (VirtualAllocEx)

  • Write data to the remote process. In this case the DLL's path as a wide string. (WriteProcessMemory)

  • Create a thread in the remote process that runs LoadLibraryW with that path. (CreateRemoteThread)

Find Load Library Address:

The address stored in pLoadLibraryW will be used as the thread entry when a new thread is created in the remote process.

IMPORTANT: Since we are injecting into a remote process, we cannot simply call LoadLibraryW from within our own process and have it act on the target. Instead we resolve the address of LoadLibraryW and hand it to CreateRemoteThread (or CreateRemoteThreadEx) as the thread start routine, with the path to our DLL (lpBuffer) as the thread parameter, so that the new thread inside the target executes LoadLibraryW(lpBuffer). This works because kernel32.dll is mapped at the same base address in every process of the same bitness for the life of the session, so the address we resolve locally with GetProcAddress is valid in the target as well. It also means the injector, the target and the DLL must all be the same bitness (32-bit or 64-bit). (As demonstrated below).

Allocating & Writing To Memory In Remote Process (win32calc.exe):

For demonstration purposes, PATH is the full path of the DLL, taken from the command line. LoadLibraryW expects a wide (UTF-16) string, so the number of bytes allocated and written must be (wcslen(PATH) + 1) * sizeof(wchar_t), including the terminating null. Use an absolute path: the target process resolves a relative name against its own working directory and DLL search order, not ours.

Execution Via New Thread:

We create the remote thread with pLoadLibraryW as its start routine and lpBuffer as its argument, so the target process itself executes LoadLibraryW(lpBuffer) and loads our DLL. Waiting on the thread handle and reading its exit code (the low 32 bits of the HMODULE returned by LoadLibraryW; zero means the load failed) tells us whether the injection succeeded.
