Create a new thread in the target process[24] with the thread's start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[12][25]
Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
The operating system then calls the initialization routine of the injected DLL.[12][26]
Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[26]
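The two remote-thread variants above leave a characteristic trace in telemetry: a thread created in another process whose start address is LoadLibrary, or whose start address lies in memory backed by no loaded module. The following detector is an added example, not part of the article; it runs over constructed records laid out after the fields of Sysmon Event ID 8 (CreateRemoteThread), flattened into a hypothetical `key=value|key=value` line format for the sake of the example.

```python
"""Flag CreateRemoteThread records matching the remote-thread injection patterns.
Field names follow Sysmon Event ID 8; the flat line format and all sample
records are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thread entry points that turn a remote thread into a DLL load.
LOADER_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}


@dataclass
class Event8:
    source_image: str
    target_image: str
    start_address: str
    start_module: str    # empty when the start address is inside no loaded module
    start_function: str  # empty when the address maps to no exported function


def parse_event(line: str) -> Event8:
    """Parse one flattened 'key=value|key=value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event8(
        source_image=fields.get("SourceImage", ""),
        target_image=fields.get("TargetImage", ""),
        start_address=fields.get("StartAddress", ""),
        start_module=fields.get("StartModule", ""),
        start_function=fields.get("StartFunction", ""),
    )


def classify(ev: Event8) -> Optional[str]:
    """Label a suspicious remote thread, or return None for a benign-looking one."""
    module = ev.start_module.rsplit("\\", 1)[-1].lower()
    if module in LOADER_MODULES and ev.start_function in LOADER_FUNCTIONS:
        return "remote-thread-at-LoadLibrary"        # thread starts at LoadLibrary
    if ev.start_module in ("", "-"):
        return "remote-thread-at-unbacked-memory"    # thread starts in injected code
    return None


# Constructed sample: one LoadLibrary-start thread, one module-less start, one benign.
SAMPLE_LOG = """\
SourceImage=C:\\Users\\u\\unknown.exe|TargetImage=C:\\Windows\\explorer.exe|StartAddress=0x7FF8C1234560|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryW
SourceImage=C:\\Users\\u\\unknown.exe|TargetImage=C:\\Windows\\notepad.exe|StartAddress=0x000001E2A0010000|StartModule=|StartFunction=
SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\notepad.exe|StartAddress=0x7FF8C1200000|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart
"""


def find_suspicious(log: str) -> List[Tuple[str, str]]:
    """Return (target image, label) for every record that matches a pattern."""
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        label = classify(ev)
        if label:
            hits.append((ev.target_image, label))
    return hits
```

Real deployments should additionally whitelist known source images (debuggers, accessibility tools) before alerting, since those legitimately create remote threads.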
Windows hooking calls such as SetWindowsHookEx.[2][5][6][27][28][29]
Use the SuspendThread or NtSuspendThread function to suspend all threads, and then use the SetThreadContext or NtSetContextThread function to modify an existing thread's context in the application to execute injected code, that in turn could load a DLL.[4][30][31]
Exploit design limitations in Windows and applications that call the LoadLibrary (or LoadLibraryEx) function without specifying a fully qualified path to the DLL being loaded.[32][33][34]
Operating system-level shims.
Substituting an application-specific DLL with a rogue replacement that implements the same function exports as the original.[35]