The Wayback Machine - https://web.archive.org/web/20200417012703/https://github.com/fdiskyou/injectAllTheThings
Skip to content

/ injectAllTheThings

Seven different DLL injection techniques in one single project.
dll-injection dll code-injection malware reflective-dll reflective-injection reversing debugging
C C++
  1. C 64.3%
  2. C++ 35.7%
Branch: master
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio

If nothing happens, download the GitHub extension for Visual Studio and try again.

Latest commit

@fdiskyou
fdiskyou make it pretty
Latest commit 971dbb7 Jan 17, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin add output dir for the lazy Jan 17, 2020
dllmain 1st import into tree Jul 20, 2017
dllpoc 1st import into tree Jul 20, 2017
injectAllTheThings fix OS version check Jan 16, 2020
rdll 1st import into tree Jul 20, 2017
LICENSE added the LICENSE file from fdiskyou/WinAllocTracer Mar 24, 2019
README.md make it pretty Jan 17, 2020
injectAllTheThings.sdf 1st import into tree Jul 20, 2017
injectAllTheThings.sln 1st import into tree Jul 20, 2017
injectAllTheThings.v12.suo 1st import into tree Jul 20, 2017

README.md

What is it

Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.

The table below makes it easy to understand what's actually implemented and how to use it.

Method 32 bits 64 bits DLL to use
CreateRemoteThread() ✔️ ✔️ dllmain_32.dll / dllmain_64.dll
NtCreateThreadEx() ✔️ ✔️ dllmain_32.dll / dllmain_64.dll
QueueUserAPC() ✔️ ✔️ dllmain_32.dll / dllmain_64.dll
SetWindowsHookEx() ✔️ ✔️ dllpoc_32.dll / dllpoc_64.dll
RtlCreateUserThread() ✔️ ✔️ dllmain_32.dll / dllmain_64.dll
SetThreadContext() ✔️ ✔️ dllmain_32.dll / dllmain_64.dll
Reflective DLL ✔️ ✔️ rdll_32.dll / rdll_64.dll

How to use it

C:\Users\rui>injectAllTheThings_64.exe
injectAllTheThings - rui@deniable.org
Usage: injectAllTheThings.exe -t <option> <process name> <full/path/to/dll>
Options:
  1     DLL injection via CreateRemoteThread()
  2     DLL injection via NtCreateThreadEx()
  3     DLL injection via QueueUserAPC()
  4     DLL injection via SetWindowsHookEx()
  5     DLL injection via RtlCreateUserThread()
  6     DLL injection via Code Cave SetThreadContext()
  7     Reflective DLL injection

Needless to say, to be on the safe side, always use injectAllTheThings_32.exe to inject into 32 bits processes or injectAllTheThings_64.exe to inject into 64 bits processes. Although, you can also use injectAllTheThings_64.exe to inject into 32 bits processes. And actually, I didn't implement it but I might have to give it a try later, you can go from WoW64 to 64 bits. Which is basically what Metasploit 'smart_migrate' does. Have a look here.

Compile for 32 and 64 bits, with our without debugging and have fun.

Note: All techniques have been tested successfully in Windows 10 1903 x64 with notepad.exe. This has been used for Endpoint Security testing by me, and a few other people I know, as a PoC. Don't ask for help if you are injecting somewhere else and your target is crashing. I'm pretty sure you can debug the issue yourself if you want to re-use the code in your own tools.

For more information visit: http://deniable.org/misc/inject-all-the-things

Credits

Reflective DLL injection - Stephen Fewer

You can’t perform that action at this time.