I'm using the CreateRemoteThread API to inject a DLL into a process. This works when the process is in a running state. But if I launch a process in a suspended state using the CreateProcess API and try to inject a DLL into it, the DLL injection does not work. If I use CreateProcess without the suspended flag, I am able to inject the DLL. Can anyone tell me the solution to this problem?
3
- Strange question. This is obvious, isn't it? To load a DLL you must call LoadLibrary(). How do you expect this to work in a process that is dead? – Elmue Aug 29 '15 at 14:17
- I'm referring to the DLL injection method using CreateRemoteThread. This method in fact uses the LoadLibrary API. http://resources.infosecinstitute.com/using-createremotethread-for-dll-injection-on-windows/ – K07 Aug 30 '15 at 16:29
- @K07 Did you figure this out in the end? – parrowdice Jan 29 '16 at 14:30
- Nope, I stopped working. The DLL injection did work on other machines, though I don't know the reason behind that. – K07 Feb 08 '16 at 15:37
- This might be of some help: https://opcode0x90.wordpress.com/2011/01/15/injecting-dll-into-process-on-load/ – toster-cx Nov 11 '16 at 14:25
2 Answers
2
I met a similar case. I don't know the exact root cause, but I suggest you try using the QueueUserAPC API to do the injection.

user1150246
- Will also not work. You cannot do ANYTHING in a suspended process. The process must be running to load a DLL. – Elmue Aug 29 '15 at 14:18
2
It cannot work because when a process is created with the suspended flag, it loads only ntdll.dll. kernel32.dll is not loaded yet, so you cannot use CreateProcess to call LoadLibrary (in kernel32.dll) in the remote suspended process. But you can use LdrLoadDll (in ntdll.dll) instead. You can also use QueueUserAPC with LdrLoadDll, too. It will work well~

LeenLi
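For anyone monitoring for the technique discussed in this thread, here is an added example (not code from the question or either answer) that flags Sysmon Event ID 8 (CreateRemoteThread) records whose thread start routine is one of the loader exports named above. The sample events are constructed, and the paths and process names in them are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Loader exports named on this page; a remote thread starting at one of them
# means the thread's only job is to load a DLL into the target process.
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "ldrloaddll"}

def parse_event(xml_text):
    """Return (event_id, fields) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def find_loader_threads(events):
    """Return (source, target, start function) for each Event ID 8
    (CreateRemoteThread) record whose start address is a DLL loader export."""
    hits = []
    for xml_text in events:
        event_id, f = parse_event(xml_text)
        if event_id == 8 and f.get("StartFunction", "").lower() in LOADER_EXPORTS:
            hits.append((f["SourceImage"], f["TargetImage"], f["StartFunction"]))
    return hits

def make_event(event_id, **fields):
    """Build a constructed Sysmon-style event; not captured from a real host."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample input (hypothetical paths and process names).
SAMPLE_EVENTS = [
    make_event(1, Image=r"C:\Example\target.exe"),
    make_event(8, SourceImage=r"C:\Example\tool.exe", TargetImage=r"C:\Example\target.exe",
               StartModule=r"C:\Windows\System32\kernel32.dll", StartFunction="LoadLibraryW"),
    make_event(8, SourceImage=r"C:\Example\tool.exe", TargetImage=r"C:\Example\target.exe",
               StartModule=r"C:\Windows\System32\ntdll.dll", StartFunction="LdrLoadDll"),
    make_event(8, SourceImage=r"C:\Windows\System32\csrss.exe", TargetImage=r"C:\Example\target.exe",
               StartModule=r"C:\Windows\System32\kernelbase.dll", StartFunction="CtrlRoutine"),
]

if __name__ == "__main__":
    for source, target, func in find_loader_threads(SAMPLE_EVENTS):
        print(f"{source} -> {target}: remote thread starts at {func}")
```

QueueUserAPC does not create a new thread, so the APC variant mentioned in the answers is outside what this Event ID 8 check covers.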