Posts Tagged ‘hProcess’

This article provides an insight on how to inject a dynamic library (DLL) into a 32 bit process in Windows Vista with the use of Remote Threads and taking into consideration the Address Space Layout Randomization (ASLR). The sample code used is written in assembly language (MASM32) using the WinAsm IDE. It should give you a better understanding on how dynamic libraries can be injected.

The concept of loading a library inside a process is simple. A programmer could dynamically load one by using the LoadLibrary function from Windows API for example:


int main(int argc, char *argv[])
HANDLE hlib;
char *lib = "E:\\mylib.dll";
printf("Loading library: %s\n",lib);
hlib = LoadLibraryA(lib);
printf("Handle: %X\n",hlib);
return 0;

Therefore we can use the CreateRemoteThread function to create a thread that executes the LoadLibraryA with the library’s path as an argument.


HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId


Is the handle to the remote process we intend like to inject our library.


This is the address (or offset) of the function our thread will start executing. In our case this should be equal to the offset of LoadLibraryA in the remote process address space.


This is the address of the parameter (library pathname) we aim to set as an argument to the LoadLibraryA function. Note that this also has to be in the address space of our remote process.

The main issues we have to take into consideration are:

* The offset of LoadLibraryA is not constant (not after Microsoft implemented Address Space Layout Randomisation or ASLR)
* Our library’s pathname string does not exist in the remote thread’s address space

Offset of LoadLibraryA

LoadLibraryA resides within kernel32.dll which is an essential library for every process that runs in our operating system. After each restart there is a probability that the address of kernel32 library would change due to ASLR. Fortunately the address of LoadLibraryA in our process is the same with the one in the remote process. Therefore we will need to use the GetProcAddress in combination with GetModuleHandle. The example code below does this thing:


int main(int argc, char *argv[])
HINSTANCE kernel32;
char *procname = “LoadLibraryA”;
char *modulename = “Kernel32″;
kernel32 = GetModuleHandle(modulename);
printf(”hModule: %X\n”,kernel32);
proc = GetProcAddress(kernel32,procname);
printf(”hProc: %X\n”,proc);
return 0;

Getting the pathname inside the remote process’s address space

To do such a thing we would need to allocate space in the remote thread’s address space using VirtualAllocEx function and then patch our pathname to it using WriteProcessMemory function. You can lookup this two functions on MSDN using the links below:


Another “hack” you are be able to use is that you could name you library after a string inside the executable file and then copy it inside the executables folder or any other folder defined by the PATH environment variable. For the example program’s hex dump below you could use ernel32.dll (at 00402229) or nel32.dll (at 0040222A) 32.dll (at 0040222D) or even NameA (at 00402243) as your library’s filename.

004020F0 ø .......Dialog

00402100 BoxParamA.´.EndD

00402110 ialog.ü.GetDlgIt

00402120 emTextA.±Messag

00402130 eBoxA.SetDlgIt

00402140 emTextA.user32.d

00402150 ll..R.CreateRemo

00402160 teThread..›.Exit

00402170 Process.Ì.Format

00402180 MessageA..GetC

00402190 urrentProcessId.

004021A0 (GetLastError..

004021B0 4GetModuleHandl

004021C0 eA..SGetProcAdd

004021D0 ress..OpenProc

004021E0 ess.\RtlZeroMem

004021F0 ory.ÞVirtualAll

00402200 ocEx..WritePro


00402220 trlenA..kernel32

00402230 .dll....GetOpenF

00402240 ileNameA..comdlg

00402250 32.dll..........

Download Source code and executable