CreateRemoteThread

Posted: Thu May 29, 2014 10:30 am
by icealys
Hi, I want to know how CreateRemoteThread works behind the scenes, because it doesn't all make sense to me as to why you need to allocate memory for a DLL name within the remote process when you want to inject a DLL. In CreateRemoteThread you pass the handle to the process along with the LoadLibrary address and a parameter to LoadLibrary. Why can't you just allocate some space in the injector and send the pointer of that address space to the CreateRemoteThread function instead of using VirtualAllocEx and WriteProcessMemory?

Re: CreateRemoteThread

Posted: Thu May 29, 2014 11:45 am
by sortie

Re: CreateRemoteThread

Posted: Thu May 29, 2014 2:22 pm
by icealys
Yes sir.

Re: CreateRemoteThread

Posted: Thu May 29, 2014 4:51 pm
by icealys
Basically I was wanting to know if the LoadLibrary function gets its parameter directly from the memory location you specify in CreateRemoteThread, and how it works differently when calling LoadLibrary inside a process and not remotely?

Re: CreateRemoteThread

Posted: Thu May 29, 2014 8:39 pm
by icealys
I think I know what I want to ask now after doing some research. How do CreateThread and CreateRemoteThread pass parameters to the function they execute?

Re: CreateRemoteThread

Posted: Thu May 29, 2014 11:32 pm
by Gigasoft
The MSDN page is worded incorrectly. The "lpParameter" parameter is described as "a pointer to a variable to be passed to the thread function", but it's just a pointer-sized parameter which could contain anything. If you actually want to use it to point to something, you have to arrange it yourself.
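An added example, not code from this thread or from any of the posters, illustrating Gigasoft's point: the thread creation call hands the start routine one raw pointer-sized value and never copies, validates or dereferences it. It uses POSIX pthreads (pthread_create's `arg`) as a stand-in for CreateThread's `lpParameter` so it builds outside Windows; the function names `entry_value`, `entry_pointer`, `run_value_example` and `run_pointer_example` are the example's own. The same rule explains the original question: if the value is meant to be a pointer, it is interpreted by the thread that receives it, in that thread's own address space, so for a thread started in another process it must refer to memory that exists in that process, not in the creator.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* Example code added for illustration (not from the forum thread).
 * pthread_create's `arg` plays the role of CreateThread's lpParameter:
 * the thread library passes the raw value straight to the start routine. */

/* Start routine that treats its argument as a plain integer carried in the
 * pointer bits. Nothing is dereferenced, so any value is safe here. */
static void *entry_value(void *arg) {
    uintptr_t n = (uintptr_t)arg;
    return (void *)(n * 2);
}

/* Work item prepared by the creating thread and filled in by the new thread. */
struct job { int a; int b; int result; };

/* Start routine that treats its argument as a pointer. This is only valid
 * because the struct lives in the same address space as the new thread. */
static void *entry_pointer(void *arg) {
    struct job *j = (struct job *)arg;
    j->result = j->a + j->b;
    return NULL;
}

/* Pass the integer 21 in the parameter slot itself; the thread returns 42. */
uintptr_t run_value_example(void) {
    pthread_t t;
    void *ret = NULL;
    if (pthread_create(&t, NULL, entry_value, (void *)(uintptr_t)21) != 0)
        return 0;
    pthread_join(t, &ret);
    return (uintptr_t)ret;
}

/* Pass a pointer to memory the creator set up beforehand; the thread
 * dereferences it and writes the sum (19 + 23 = 42) back. The join keeps
 * the struct alive until the callee is finished with it. */
int run_pointer_example(void) {
    struct job j = { 19, 23, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, entry_pointer, &j) != 0)
        return -1;
    pthread_join(t, NULL);
    return j.result;
}

int main(void) {
    printf("value example:   %lu\n", (unsigned long)run_value_example());
    printf("pointer example: %d\n", run_pointer_example());
    return 0;
}
```

The two start routines receive their argument through exactly the same mechanism; only the callee decides whether the bits are a number or an address. That is why the thread library cannot do anything on the caller's behalf with a pointer, and why a pointer is meaningful only to a thread running in the address space it was taken from.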