
I'm trying to inject a thread into another process, which lets the process load an external DLL.

Here's the code I found on the internet, and it works.

    // hProcess: handle to the target process, opened with rights that allow
    //           creating a thread and writing its memory.
    // lpMemory: address of the DLL path string already written into the target
    //           (VirtualAllocEx + WriteProcessMemory); it becomes the single
    //           argument passed to LoadLibraryA by the new thread.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE) GetProcAddress(
                GetModuleHandle(L"kernel32"), "LoadLibraryA"),
            lpMemory, 0, NULL);
    // CreateRemoteThread returns NULL on failure, not INVALID_HANDLE_VALUE.
    if (hThread == NULL)
    {
        return false;
    }

But from my understanding, the address returned by GetProcAddress lives in the memory space of the current process, not the targeted one.

So why does it work?

Tested on Windows 7

daisy
  • Traditionally, the core system DLLs are shared at the same address between all processes. However, if the process is compiled with ASLR enabled, or if the system is configured to force ASLR, this may not work. (It is possible that LoadLibrary is special-cased for backwards compatibility, I don't know.) – Harry Johnston Sep 22 '13 at 22:16
  • @HarryJohnston Weird, I've enforced ASLR and it still works on Windows 7 – daisy Sep 23 '13 at 00:49
  • I really wouldn't be surprised if LoadLibrary was special-cased, because a lot of existing software uses this technique. Or perhaps all kernel32 functions are treated differently. But I don't know of any documentation promising as much. – Harry Johnston Sep 23 '13 at 01:32
  • ASLR is applied once per system reboot, not on every process start. BUT there is another problem - shims. What if your injector process had a shim for LoadLibraryA? Then the pointer really is garbage in the other process which might not have that shim. Or a lesser problem: it might have its own shim and for some reason it is unadvised to call the original LoadLibraryA in that process, bypassing its shim. – Roland Pihlakas Jun 14 '14 at 22:13
  • Let me mention [another question](https://stackoverflow.com/questions/22750112/dll-injection-with-createremotethread) here (which very much looks like a duplicate of this one) so it gets linked. Still there's no official resource confirming this behavior, but there is a bit more information/opinions over there. – OzgurH Apr 09 '20 at 21:32
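The comments above disagree about whether kernel32.dll really sits at the same base address in every process; the following PowerShell script is an added example (not part of the question or its comments) that checks the claim empirically by reading the kernel32.dll base address of every process the shell can inspect and grouping processes by that address.

```powershell
# Added example, not from the original question: test the claim in the comments
# that kernel32.dll has one base address in every process for the lifetime of a
# boot, which is what makes the GetProcAddress value above usable in another
# process. Run from an elevated PowerShell to be able to inspect more processes.
$groups = @{}
foreach ($proc in Get-Process) {
    try {
        $k32 = $proc.Modules | Where-Object { $_.ModuleName -ieq 'kernel32.dll' }
    } catch {
        # Protected processes, or a 32/64-bit mismatch between this shell and
        # the inspected process, make the module list unreadable; skip those.
        continue
    }
    if (-not $k32) { continue }
    $base = '0x{0:X}' -f $k32.BaseAddress.ToInt64()
    if (-not $groups.ContainsKey($base)) {
        $groups[$base] = New-Object System.Collections.ArrayList
    }
    [void]$groups[$base].Add("$($proc.ProcessName) (PID $($proc.Id))")
}

# One group confirms the comments: the address is identical across processes
# until the next reboot. Two groups on 64-bit Windows is expected, because
# 32-bit (WoW64) processes load a different kernel32.dll than 64-bit ones; a
# 32-bit and a 64-bit process therefore do not share the address, which is one
# case where the value computed in the question's code is wrong for the target.
"Distinct kernel32.dll base addresses seen: $($groups.Count)"
foreach ($base in ($groups.Keys | Sort-Object)) {
    '{0}: {1} process(es), e.g. {2}' -f $base, $groups[$base].Count, $groups[$base][0]
}
```

Running it after a reboot shows a different address than before, which illustrates the per-boot randomization Roland Pihlakas describes.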

0 Answers