Windows C++ remote thread (CreateRemoteThread) injection DLL method, code example.

        This post shows how to inject a DLL of your choosing into another process with CreateRemoteThread. It is a well-known, easily detected technique (remote thread creation into a foreign process is a standard EDR signal); use it only on processes you own or are authorized to test, never to cause damage.

        First we write a DLL that pops up a message box when it is loaded, so that any process that loads the DLL shows the box — a visible proof that the injection worked.

        DLL code:

#include <windows.h>

// DLL entry point: this is the injected payload. Its only job is to show a
// message box on process attach, which is enough to prove the target loaded us.
// NOTE(review): DllMain runs while the loader lock is held; Microsoft's DllMain
// guidance is to call nothing beyond kernel32 from it. MessageBox lives in
// user32 and can deadlock or misbehave there — acceptable for a demo, not for
// production code (a real payload would do its work on a separate thread).
// The wide string literals assume a Unicode build (MessageBox -> MessageBoxW).
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    // Only the process-attach notification does anything; thread attach/detach
    // and process detach are deliberately ignored.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        MessageBox(NULL, L"Hello from YourDLL!", L"DLL Injection", MB_OK | MB_ICONINFORMATION);
    }

    // Returning TRUE keeps the loader from unloading the DLL.
    return TRUE;
}

        The target process (the one the DLL is injected into) can be anything, as long as it keeps running long enough for the injection to happen; a loop that prints every two seconds is enough:

#include<windows.h>
#include<iostream>
// Stand-in target process: it does nothing but stay alive, printing a marker
// every two seconds, so the injector has a running process to inject into.
// It never exits on its own; close the console window to stop it.
int main()
{
    for (;;)
    {
        Sleep(2000);
        // The explicit endl after the embedded newline is kept: it flushes the
        // stream so the marker is visible immediately.
        std::cout << "***\n" << std::endl;
    }
}

        The next step is to execute the injected code:

        First, the injection steps; there are several moving parts:

        1. Obtain the process ID of the target process, e.g. by looking its image name up in a Toolhelp process snapshot.

        2. Use VirtualAllocEx to allocate a buffer in the target process large enough for the DLL path including its terminating NUL (allocating only _tcslen(path) characters, as the listing below does, leaves the remote string unterminated).

        3. Copy the DLL path into that buffer with WriteProcessMemory, and check that the number of bytes written matches what was requested.

        4. Obtain the base address of kernel32.dll in the injector itself. This works because, within one boot session, every process of the same bitness maps kernel32.dll at the same base address; a 32-bit injector therefore cannot target a 64-bit process this way (or vice versa).

        5. Obtain the address of LoadLibraryW (LoadLibraryA for an ANSI build, to match the encoding of the path you wrote) in that kernel32 mapping; by the reasoning above it is also its address inside the target process.

        6. Create a remote thread in the target whose start routine is LoadLibraryW and whose single argument is the remote buffer holding the DLL path. The target's own loader then maps the DLL and runs its DllMain.

Code example:

#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdio.h>

// Look up a process ID by image name (e.g. "runTest.exe") using a Toolhelp
// process snapshot. The comparison is case-insensitive. If several processes
// share the name, the first one the snapshot enumerates is returned.
// Returns 0 when no process matches or the snapshot cannot be taken.
DWORD GetTargetProcessID(const TCHAR* targetProcessName)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD foundID = 0;
    PROCESSENTRY32 entry{};
    entry.dwSize = sizeof(entry); // Toolhelp rejects the call unless dwSize is set

    for (BOOL more = Process32First(snapshot, &entry); more; more = Process32Next(snapshot, &entry))
    {
        if (_tcsicmp(entry.szExeFile, targetProcessName) == 0)
        {
            foundID = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(snapshot);
    return foundID;
}

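// Release everything InjectDll acquired. Any argument may be NULL when that
// step never ran; kept in one place so every early-return path frees the same set.
static void ReleaseInjectionResources(HANDLE hProcess, LPVOID remotePath, HANDLE hRemoteThread)
{
    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }
    if (remotePath != NULL)
    {
        VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);
    }
    if (hProcess != NULL)
    {
        CloseHandle(hProcess);
    }
}

// Inject the DLL at dllPath into the process identified by processID.
//
// Steps: open the target, copy the NUL-terminated path into its address space,
// and start a remote thread at kernel32!LoadLibrary with that path as the
// argument; the target's own loader then maps the DLL and runs its DllMain.
//
// Returns TRUE when the remote LoadLibrary thread finished and reported a
// non-zero module handle, FALSE on any failure. (GetLastError() may have been
// overwritten by the cleanup calls, so it is not a reliable error source here.)
//
// Preconditions this code cannot verify for you:
//  * Injector and target must be the same bitness: the LoadLibrary address is
//    taken from THIS process's kernel32 and only matches the target's when both
//    map the same kernel32 image (32-bit vs 64-bit do not).
//  * dllPath must be resolvable from inside the target — pass an absolute path,
//    otherwise the target's DLL search order decides what gets loaded.
//  * The caller needs the PROCESS_* rights below on the target (same user, or
//    SeDebugPrivilege for other users' processes).
BOOL InjectDll(DWORD processID, const TCHAR* dllPath)
{
    if (dllPath == NULL || dllPath[0] == _T('\0'))
    {
        return FALSE;
    }

    // Least privilege: request exactly the rights the calls below need rather
    // than PROCESS_ALL_ACCESS, which also fails on more targets than necessary.
    const DWORD requiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                 PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(requiredAccess, FALSE, processID);
    if (hProcess == NULL)
    {
        return FALSE;
    }

    // +1 for the terminating NUL. The original allocated and wrote only
    // _tcslen()*sizeof(TCHAR) bytes, so the remote string was unterminated and
    // LoadLibrary in the target read whatever happened to follow the buffer.
    const SIZE_T pathBytes = (_tcslen(dllPath) + 1) * sizeof(TCHAR);

    LPVOID remotePath = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remotePath == NULL)
    {
        ReleaseInjectionResources(hProcess, NULL, NULL);
        return FALSE;
    }

    SIZE_T bytesWritten = 0;
    if (!WriteProcessMemory(hProcess, remotePath, dllPath, pathBytes, &bytesWritten) || bytesWritten != pathBytes)
    {
        ReleaseInjectionResources(hProcess, remotePath, NULL);
        return FALSE;
    }

    // A local kernel32 address is usable remotely because processes of the same
    // bitness map kernel32 at the same base within a boot session (see the
    // bitness precondition above).
    HMODULE kernel32Module = GetModuleHandle(_T("kernel32.dll"));
    if (kernel32Module == NULL)
    {
        ReleaseInjectionResources(hProcess, remotePath, NULL);
        return FALSE;
    }

    // Match the LoadLibrary variant to the TCHAR encoding of dllPath; the
    // original always resolved LoadLibraryW, which is wrong in an ANSI build.
#ifdef UNICODE
    const char* loadLibraryName = "LoadLibraryW";
#else
    const char* loadLibraryName = "LoadLibraryA";
#endif
    FARPROC loadLibraryProc = GetProcAddress(kernel32Module, loadLibraryName);
    if (loadLibraryProc == NULL)
    {
        ReleaseInjectionResources(hProcess, remotePath, NULL);
        return FALSE;
    }
    // LoadLibrary takes a single pointer argument and returns a pointer-sized
    // value, which is why it can stand in for a thread start routine.
    LPTHREAD_START_ROUTINE loadLibraryFunction = reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibraryProc);

    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, loadLibraryFunction, remotePath, 0, NULL);
    if (hRemoteThread == NULL)
    {
        ReleaseInjectionResources(hProcess, remotePath, NULL);
        return FALSE;
    }

    // The remote path buffer must stay alive until LoadLibrary has consumed it,
    // hence the wait before anything is released.
    WaitForSingleObject(hRemoteThread, INFINITE);

    // The thread exit code is LoadLibrary's return value (truncated to its low
    // 32 bits on 64-bit Windows). Zero means the target's loader rejected the
    // DLL — wrong bitness, missing file, failing DllMain — which the original
    // reported as success. A non-zero HMODULE whose low 32 bits are all zero
    // would be misreported as failure; with 64 KiB-aligned bases that is rare.
    DWORD exitCode = 0;
    const BOOL loaded = GetExitCodeThread(hRemoteThread, &exitCode) && exitCode != 0;

    ReleaseInjectionResources(hProcess, remotePath, hRemoteThread);
    return loaded;
}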

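// True for "X:\..." , "X:/..." or "\\server\share..." paths — the forms that
// LoadLibrary resolves without consulting the DLL search order.
static bool IsAbsoluteWindowsPath(const TCHAR* path)
{
    if (path == NULL)
    {
        return false;
    }
    if (path[0] == _T('\\') && path[1] == _T('\\'))
    {
        return true; // UNC path
    }
    return _tcslen(path) >= 3 && path[1] == _T(':') && (path[2] == _T('\\') || path[2] == _T('/'));
}

// Injector entry point: locate the target by image name, then inject the DLL.
//
// The DLL path is resolved by LoadLibrary INSIDE THE TARGET, not here, so it
// must be absolute and must exist; a relative or missing path would make the
// target walk its own DLL search order (a classic hijack vector) or simply
// fail. Both conditions are checked up front so the failure is reported with a
// useful message instead of a generic "Failed to inject DLL".
//
// Exit code: 0 on success, 1 on any failure (usable from scripts).
int main()
{
    const TCHAR* targetProcessName = _T("runTest.exe"); // image name of the process to inject into
    const TCHAR* dllPath = _T("C:\\Users\\admin\\source\\repos\\DLLinject\\x64\\Debug\\DLLinject.dll"); // absolute path of the DLL to load

    if (!IsAbsoluteWindowsPath(dllPath))
    {
        _tprintf(_T("DLL path must be absolute: %s\n"), dllPath);
        return 1;
    }
    if (GetFileAttributes(dllPath) == INVALID_FILE_ATTRIBUTES)
    {
        _tprintf(_T("DLL not found: %s\n"), dllPath);
        return 1;
    }

    DWORD targetProcessID = GetTargetProcessID(targetProcessName);
    if (targetProcessID == 0)
    {
        printf("Target process not found.\n");
        return 1;
    }
    printf("Target process ID: %lu\n", static_cast<unsigned long>(targetProcessID));

    if (!InjectDll(targetProcessID, dllPath))
    {
        printf("Failed to inject DLL.\n");
        return 1;
    }

    printf("DLL injected successfully.\n");
    return 0;
}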

        Results of the:

 

        Process Explorer (procexp) confirms that the DLL now appears in the target process's module list.

        Again, this technique must not be used to cause damage. It is the standard way game cheats and software cracks run their own code inside another process. CreateRemoteThread is a documented Win32 API whose intended users are tools such as debuggers; the same capability is equally usable by people with ulterior motives, which is why remote-thread creation into another process is a common detection signal for security products.


Origin blog.csdn.net/weixin_44120785/article/details/131690046