Home

Awesome

WindowsDLLInjector

Some DLL Injection techniques written in C++ for both 32bit and 64bit windows OS

Intro

There are several ways for injecting a dll or generally a process in another target process
It has many advantages such as accessing that process memory address and extending it's functionality
In abuse cases it can be used to hide malicious activity in another process and somehow bypass antivirus detection

each one has it's pros and cons

Here we have implemented 5/7 techniques

CreateRemoteThread

Maybe it's the first google search result for dll injection
This API is mapped to NtCreateThread native API Very well documented and easy to code!

Pros.
       Easy to implement (maybe just 5 lines of code)
       well documented on internet

Cons.
       Easy to detect
       not possible on all processes (specially windows NT native processes)

NtCreateThread

Acually not as easy as CreateRemoteThread method
It needs some header definitin and function pointer casting to get the address of NtCreateThread in ntdll.dll
A little hard to implement but very effective against windows native system processes

Pros.
       Can be used for windows native NT processes (like : svchost, smss, ...)
       Harder to be detected

Cons.
       A little hard to implement and debug
       no official documentation

QueueUserAPC

This method is about hijacking and using a thread in target process
As documented in msdn, the function call QueueUserAPC() adds user-mode asychronous procedure call(APC) object to the APC queue of specified thread
Actually we don't create our own thread and just use the target process's threads for loading our dll into the process address space
Notice that to make this method work, The remote target thread should be in suspended state and with alertable flag (Example SleepEx() in TargetProgram.cpp)

Pros.
       No need for creating new Threads
       It adds some stealthy abilities for injection (cause no new thead would be created)

Cons.
       Not always possible on all threads (just suspended threads with alertable flag)

SetWindowsHookEx

This method actually is for setting Windows Hook for specific events like keyboard or mouse event
But since the hook procedure should be in form of exported function in a dll file in the target process,
This makes it possible to use it as a dll injection method
This one is kinda different one because neither thread nor APC is created but A hook is set in target process for a specific thread

Pros.
       No need for creating new Threads or APC call
       Easy to use spcially with thread ID equals 0 :)

Cons.
       Too suspicious for antivirus detection because of using hooks

RtlCreatUserThread

Same as NtCreateThread with some possible wrapping

Pros.
       Can be used for windows native NT processes (like : svchost, smss, ...)
       Harder to be detected

Cons.
       A little hard to implement and debug
       no official documentation

<br><br>

Credit

Many thanks for fdiskyou and his InjectAllTheThings (nice name) repository
His Repo : https://github.com/fdiskyou/injectAllTheThings
His website : http://deniable.org