Hi,

I wrote this function 2-3 years ago when I was reverse engineering a piece of malware that used this kind of technique:

This project is an example of creating a remote thread in a process without using WriteProcessMemory, unlike other techniques. We will drop a DLL named "API32.DLL" into "C:\WINDOWS\" and create a new thread in the process where we want to load the DLL. In the remote process we will execute LoadLibraryA with a pointer to the string API32.DLL as the first parameter, by using CreateRemoteThread.

If you want to know exactly how it works just check the code out.

Example of usage:
Code:
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

//
// The three helpers below are implemented in the linked repository, not in this
// snippet. Prototypes are inferred from the calls in _tmain; see the repository
// for the actual declarations.
//
BOOL SetDebugPrivileges( void );
BOOL RemoteLoadLibraryUserland( LPCWSTR processName, LPCSTR dllName );
BOOL RemoteFreeLibrary( LPCWSTR processName, LPCWSTR dllName );

int _tmain(int argc, _TCHAR* argv[])
{
	//
	// API32.DLL is the DLL we will inject. Why API32.DLL? Because this string is already in EXPLORER.EXE ( Windows XP SP3 ): ADVAPI32.DLL
	//
	// first you must drop your DLL to the right directory, e.g:
	//
	//		DropDLL( "C:\\WINDOWS\\API32.DLL" );
	// 
	// and later you can run this Code:
	//
	if ( !SetDebugPrivileges() )
		printf( "Warning: NO DEBUG PRIVILEGES!\n" );

	printf( "Userland RemoteLoadLibrary: " );
	if ( RemoteLoadLibraryUserland( L"explorer.exe", "API32.DLL" ) )
	{
		printf( "INJECTED\n" );
		Sleep( 2 * 1000 );

		printf( "Unloading DLL: " );
		if ( RemoteFreeLibrary( L"explorer.exe", L"API32.DLL" ) )
		{
			Sleep( 2 * 1000 );
			printf( "DLL UNLOADED!\n" );
		}
		else
		{
			printf( "FAILED!\n" );
		}
	}
	else
	{
		printf( "FAILED\n" );
	}

	return 0;
}

You can find the whole source at my GitHub account: https://github.com/edix/AlternativeC...eThread-public
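From the detection side, the point of the post is that the injection never touches WriteProcessMemory, so telemetry keyed on cross-process memory writes does not see it; what remains visible is a remote thread whose entry point is LoadLibraryA. The following is an added example, not code from the post or its repository: it runs a check over constructed Sysmon Event ID 8 (CreateRemoteThread) records, using Sysmon's real field names (SourceImage, TargetImage, StartModule, StartFunction) but invented paths and values.

```python
from typing import Dict, List, Tuple

# Thread entry points that load a module into the target. The technique in the
# post starts its remote thread directly at LoadLibraryA with a pointer to a
# string that already exists in the target, so the payload itself is never written.
LOADLIBRARY_ENTRY = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed Sysmon records flattened to "Field: value | Field: value" lines,
# as a SIEM export might produce them. Not real telemetry.
SAMPLE_EVENTS = [
    "EventID: 8 | SourceImage: C:\\Tools\\injector.exe | TargetImage: C:\\Windows\\explorer.exe"
    " | StartModule: C:\\Windows\\System32\\kernel32.dll | StartFunction: LoadLibraryA",
    "EventID: 8 | SourceImage: C:\\Windows\\System32\\csrss.exe | TargetImage: C:\\Windows\\explorer.exe"
    " | StartModule: C:\\Windows\\System32\\ntdll.dll | StartFunction: RtlUserThreadStart",
    "EventID: 8 | SourceImage: C:\\Windows\\explorer.exe | TargetImage: C:\\Windows\\explorer.exe"
    " | StartModule: C:\\Windows\\System32\\kernel32.dll | StartFunction: LoadLibraryA",
    "EventID: 10 | SourceImage: C:\\Tools\\injector.exe | TargetImage: C:\\Windows\\explorer.exe"
    " | GrantedAccess: 0x1F0FFF",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened record into a field dict (first ': ' separates key and value)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'explorer.exe'."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_loadlibrary_injection(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, target, entry) for Event 8 records whose remote thread
    starts at a LoadLibrary* export inside a different process. Triage the
    hits by SourceImage: debuggers and hooking tools do this legitimately."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue  # only CreateRemoteThread records carry a thread entry point
        src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if src.lower() == tgt.lower():
            continue  # a process loading a DLL into itself is not remote injection
        entry = ev.get("StartFunction", "")
        if entry in LOADLIBRARY_ENTRY:
            hits.append((image_name(src), image_name(tgt), entry))
    return hits

if __name__ == "__main__":
    for src, tgt, entry in flag_loadlibrary_injection(SAMPLE_EVENTS):
        print(f"{src} -> {tgt}: remote thread starts at {entry}")
```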