Okay, basically an injector is a tool to map a DLL into a target process's memory. There are many ways, but obviously the way you want is the easiest way.
Originally Posted by JustLetMeBurn
There is a Windows API called LoadLibrary which loads a module into the address space of the calling process. But how do you make another process call an API? Well, there is another API called CreateRemoteThread which allows you to create a thread that runs inside the virtual address space of another process. Coincidentally, CreateRemoteThread allows you to pass one parameter to the thread you want to run, and LoadLibrary has just that one parameter. So now we know that from our injector we can create a thread inside the target process to call the Windows API LoadLibrary, which takes one parameter, the full path to the module, unless it is a Windows DLL, which is found automatically in your system32 folder. From what we know so far, we know that we just have to call CreateRemoteThread from our injector:

HANDLE WINAPI CreateRemoteThread(
_In_ HANDLE hProcess, //Handle to the target process
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes, //0
_In_ SIZE_T dwStackSize, //0
_In_ LPTHREAD_START_ROUTINE lpStartAddress, //Address of the thread to run, in our case the address of the LoadLibrary API
_In_ LPVOID lpParameter, //Parameter to pass to LoadLibrary
_In_ DWORD dwCreationFlags, //0
_Out_ LPDWORD lpThreadId //0
);

Okay, we're missing a few things here: the handle to the process, the address of LoadLibrary, and a pointer to a string of chars that spells your DLL's full path inside the remote process.

To get the handle of the AVA process:

#include <windows.h>
#include <string.h>

//Credits Jabberwock for easy way to find AVA pid;
HWND hWnd = FindWindowA("LaunchUnrealUWindowsClient", 0); //Find the window handle of AVA which has a class name of "LaunchUnrealUWindowsClient" (A variant, since the literal is a narrow string)
DWORD pid = 0; //variable to store ava's process id
GetWindowThreadProcessId(hWnd, &pid); //retrieve process id by handle to a window
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); //finally get the handle to AVA process for doing remote stuff

Now that we have the handle of the AVA process we can do a few things: call CreateRemoteThread with AVA as the target process, and allocate memory space inside AVA to write the full path string to our DLL. We can allocate memory in another process with the VirtualAllocEx API.

Writing the string to the target process:

char szDLLFullPath[] = "C:\\InsertDLLPath.dll"; //char array, not a single char, so it can hold the whole path
SIZE_T cbPath = strlen(szDLLFullPath) + 1; //+1 so the terminating NUL is copied too; LoadLibrary needs a NUL-terminated string
LPVOID lpRemoteString = VirtualAllocEx(hProcess, 0, cbPath, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); //Allocate enough memory for the string length of our DLL full path.

Then we use the WriteProcessMemory API to write to the target process's space:

WriteProcessMemory(hProcess, lpRemoteString, (LPVOID)szDLLFullPath, cbPath, 0); //Write the full path (including the NUL) to the space we allocated

The next thing missing for the CreateRemoteThread call is the address of the LoadLibrary function:
We can use GetModuleHandle to get the module base of Kernel32.dll, which is where LoadLibrary is located.
We will use GetProcAddress to retrieve the address of LoadLibrary using the module handle.

LPVOID lpLoadLibrary = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"); //GetProcAddress returns a FARPROC, so cast it

Now we can finally complete the call to CreateRemoteThread:

CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)lpLoadLibrary, lpRemoteString, 0, 0);
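From the other side of the fence, this exact sequence leaves a distinctive trace: a thread created in a different process whose start address resolves to kernel32's LoadLibrary export. Sysmon records every CreateRemoteThread call as Event ID 8 with SourceImage, TargetImage, StartAddress, StartModule and StartFunction fields, so the pattern can be matched straight off the log. The script below is an added example, not code from the post or from Sysmon; the three event records in it are constructed, and the image paths in them are placeholders.

```python
# Added example (not from the original post): flag the LoadLibrary-via-CreateRemoteThread
# pattern in Sysmon Event ID 8 (CreateRemoteThread) records.
# The field names are Sysmon's real Event 8 fields; the sample records are constructed.
import re

# Sysmon resolves a remote thread's start address to a module and export when it can.
# The injector above starts its thread at kernel32!LoadLibraryA, so that export is the tell.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
LOADER_MODULES = ("\\kernel32.dll", "\\kernelbase.dll")

SAMPLE_EVENTS = [  # constructed Event 8 records in Sysmon's "Key: Value" text layout
    """RuleName: -
SourceImage: C:\\Users\\dev\\injector.exe
TargetImage: C:\\Games\\AVA\\Binaries\\AVA.exe
StartAddress: 0x76A2E6A0
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryA""",
    """RuleName: -
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\System32\\svchost.exe
StartAddress: 0x00007FFB6E8C1230
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: RtlUserThreadStart""",
    """RuleName: -
SourceImage: C:\\Games\\AVA\\Binaries\\AVA.exe
TargetImage: C:\\Games\\AVA\\Binaries\\AVA.exe
StartAddress: 0x00401000
StartModule: -
StartFunction: -""",
]


def parse_event(text):
    """Turn one 'Key: Value' block into a dict keyed by the Sysmon field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_loadlibrary_injection(ev):
    """True when a thread created in ANOTHER process starts inside a LoadLibrary export."""
    source = ev.get("SourceImage", "").lower()
    target = ev.get("TargetImage", "").lower()
    if not source or not target or source == target:
        return False  # a process starting threads in itself is ordinary
    start_mod = ev.get("StartModule", "").lower()
    if not start_mod.endswith(LOADER_MODULES):
        return False  # start address is not in the loader's DLL
    return ev.get("StartFunction", "") in LOADLIBRARY_EXPORTS


def find_injections(raw_events):
    """Return (source, target, function) for every record matching the pattern."""
    hits = []
    for raw in raw_events:
        ev = parse_event(raw)
        if is_loadlibrary_injection(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"], ev["StartFunction"]))
    return hits


if __name__ == "__main__":
    for src, dst, fn in find_injections(SAMPLE_EVENTS):
        print(f"remote LoadLibrary thread: {src} -> {dst} via {fn}")
```

Only the first constructed record is flagged: the second is a cross-process thread but starts at ntdll's normal thread entry, and the third is a process creating a thread in itself. Legitimate software (debuggers, some AV and accessibility tools) does trigger this pattern, so in practice the source image is allow-listed rather than the rule being treated as a hard verdict.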