Awesome
Modified for x64 <del> and included a hello world dll to test with hello-world-x64.dll
</del>
DLL path is hardcoded
And also hijacks the thread permanently
ThreadJect
Description
Proof-of-Concept Manual DLL Injector that hijacks a thread in order to load dll into target process.
Demonstration
How does it work?
- Open DLL and read content into buffer
- Make sure the file is a DLL and headers are properly defined
- Adjust Privilege & open the target process based on PID provided in first cmd argument
- Copy DLL into target process
- Copy loader information into target process
- Copy loader function into target process
- Find thread to hijack
- Suspend target thread
- Modify shellcode with proper addresses (ex: address to loader func, address to inject info)
- Copy shellcode to call our loader function
- Modify Thread EIP to go to our shellcode
- Shellcode calls loader function with injection info as first argument
- Resume target thread - should be injected now
Usage
ThreadJect.exe <PID>
Credits
@ZwClose7 on Rohitab - Base LoadLibrary Injector (uses Thread Hijacking) and his CreateRemoteThread Manual DLL Injector
@D4stiny - Modified LoadLibrary Injector by adding code from the CreateRemoteThread injector and changing the shellcode that is used in the thread hijacking to support the manual mapping of the DLL.