3S Labs Banner

Wednesday, August 8, 2012

Remote DLL Loader

Sometimes it is required to somehow force a remote process to load an arbitrary DLL via LoadLibrary. The loaded DLL once executed from within the address space of the target process can then perform a wide variety of operation. This can be achieved using AppInit_DLLs registry option for applications which are linked with user32.dll.

However we want a bit more generic solution and that too without modifying anything in the system. The idea is quite simple and perhaps widely used:
  • Find or execute the target process and obtain its handle
  • Allocate memory in the target process using VirtualAllocEx
  • Write a shellcode that performs LoadLibrary("C:\\Our.dll") using WriteProcessMemory
  • Execute the shellcode using CreateRemoteThread

Thanks to the excellent Metasm library, building and testing the tool was a matter of less than an hour. The tool can be found here.

Note: The loader shellcode will look for exported function named Init in the DLL and will call it if found after LoadLibrary(..) This allows performing operations which otherwise should not be performed from the DllMain.

The usage is pretty simple:


  1. Would it be same, if we load arbitrary dll in this way

    using "Win32API" lib of ruby.

  2. The snipt doesn't open for me, perhaps it is not public?

  3. Opps..Sorry 4 that.It wasn't public.It's public now!

  4. I don't think that is going to work in an ASLR environment where Kernel32 base is also randomized. The address of LoadLibraryA resolved in your python process might not be same for the remote process hence CreateRemoteThread might attempt to execute invalid memory. The method will work if address of LoadLibraryA in your process is same as the target process you are trying to inject.

    The whole point of writing a Loader code (asm code) in my injector is to make it work in ASLR environment as well.

  5. thank you, but my friend suggested me to replace my file with http://fix4dll.com/msvcp120_dll this one?is it okay?