Home/ Questions/Q 8392999
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T19:40:16+00:00

Ok so I have a question about step 3 of C++ Dll Injection ,

  • 0

Ok so I have a question about step 3 of C++ Dll Injection, that is:

Use CreateRemoteThread(). You can point it at LoadLibrary() as the entry point and the file path from steps 1 and 2 as the argument. That’s a bit hacky, to be honest, but if you are injecting a DLL you’re already being quite hacky. Another technique would be to use steps 1 & 2 to load some machine code into the remote proceess and point it at that.

So my question is: After I allocated memory using VirtualAllocEx, and writing the code with WriteProcessMemory, how do I make the call to CreateRemoteThread — and by that I mean what are the fourth and fifth parameters?

My code:

AllocatedMem = VirtualAllocEx(Proc, IntPtr.Zero, code.Length,
    AllocationType.Reserve | AllocationType.Commit, MemoryProtection.ReadWrite);

WriteProcessMemory(Proc, AllocatedMem, code, code.Length, IntPtr.Zero);

CreateRemoteThread(Proc, IntPtr.Zero, 0, AllocatedMem,
    IntPtr.Zero, 0, IntPtr.Zero);
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    http://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx

    HANDLE WINAPI CreateRemoteThread(
  _In_   HANDLE hProcess,
  _In_   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  _In_   SIZE_T dwStackSize,
  _In_   LPTHREAD_START_ROUTINE lpStartAddress,
  _In_   LPVOID lpParameter,
  _In_   DWORD dwCreationFlags,
  _Out_  LPDWORD lpThreadId
);

    hProcess ia handle to the process in which the thread should be created.

    lpThreadAttributes can be NULL to specify “use default”

    dwStackSize can be zero to specify “use default”

    lpStartAddress is the address IN THE FOREIGN PROCESS where the thread will begin executing

    lpParameter is the argument passed to the ThreadMain in the foreign process (i.e. in the foreign process, lpStartAddress is assumed called using WINAPI calling convention with lpParameter as the only parameter).

    dwCreationFlags can be zero.

    lpThreadId should be a pointer to a DWORD that receives the thread id if successful.

    If you set lpStartAddress to the address of LoadLibraryW and set lpParameter to a pointer IN THE FOREIGN PROCESS to L”foo.dll”, then when the thread starts in the foreign process it will immediately call LoadLibraryW(L”foo.dll”) in the foreign process, allowing you to run code from inside your DllMain.

    • 0