C++ Dll Injection

Question

I would really appreciate your help in this.

I have been trying to get a Dll injected into a remote process and do a few changes inside it, the problem I'm encountering right now is i don't know how to get this going.

So first, here is my piece of code that I have developed so far:
dllmain.cpp

#include <windows.h>
#include <stdio.h>

BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
switch (reason)
    {
      case DLL_PROCESS_ATTACH:
           MessageBox (0, "From DLL\n", "Process Attach", MB_ICONINFORMATION);
        break;

      case DLL_PROCESS_DETACH:
           MessageBox (0, "From DLL\n", "Process Detach", MB_ICONINFORMATION);
        break;

      case DLL_THREAD_ATTACH:
           MessageBox (0, "From DLL\n", "Thread Attach", MB_ICONINFORMATION);
        break;

      case DLL_THREAD_DETACH:
           MessageBox (0, "From DLL\n", "Thread Detach", MB_ICONINFORMATION);
        break;
    }  

    return TRUE;
}

It simply displays a message box depending on the conditions it meets. Now what I would like my Dll to do is, after being injected into the remote process, I would like it to write a memory location and change it's value.

Data type: Unsigned Short Int
Memory location: 0041D090

I hope everything is clear, Thank you for your patience, help is appreciated.

Answer 1

You don't have to write a DLL to change another process's memory at a fixed address. You can use WriteProcessMemory() .

However... The way to inject a DLL into another process is the following...

1. Use VirtualAllocEx() to allocate the length of the file path to the DLL inside the target process's memory... This is like remotely doing a malloc .

2. Use WriteProcessMemory() to copy the file path to the DLL into what was returned from the previous step. This is like remotely doing a strcpy .

3. Use CreateRemoteThread() . You can point it at LoadLibrary() as the entry point and the file path from steps 1 and 2 as the argument. That's a bit hacky, to be honest, but if you are injecting a DLL you're already being quite hacky. Another technique would be to use steps 1 & 2 to load some machine code into the remote proceess and point it at that.

Keep in mind that this technique is a great way to destabilize the target process. In particular, this isn't something I'd do in a product that ends up getting shipped to others.