This is based on C, but you can easily follow along with C++. If you are making a DLL injector, I am assuming you are attempting to homebrew some malware or game hacks – C/C++ are the best languages to do so as they have the smallest footprint. Please use common sense about what you should and should not distribute.

So you’ve written some type of executable file, but you don’t want it showing in Task Manager in Windows. While you could obfuscate your binary by calling it something like ‘svchost.exe’ and hoping the user doesn’t notice, security through obscurity isn’t really security.

Enter DLL injection – compile your code as a (possibly malicious) DLL and inject it into a legitimate process on the target system. By using CreateRemoteThread() in the Windows API, we can trigger the DllMain entry point and execute our code once the DLL has been attached to the target process. That way, your program won’t show in Task Manager, as it is instead attached to another legitimate process.

I found arvanaghi’s blog post a great place to start and hence will be building onto that. However, my personal experience has some discrepancies with his blog post – I did not need to use wide chars at all in my code. You can find my modified version of his code here.

In case you don’t have a DLL to inject, you can create a very basic one for testing purposes or download a compiled one here.

Note that this method is ‘noisy’, as good antivirus products will check for calls to CreateRemoteThread() and flag them automatically. There are two undocumented APIs, NtCreateThreadEx and RtlCreateUserThread, which may fare better against antivirus software, but as they are undocumented, they can be removed or modified by Microsoft at any time.
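
From the defender's side, the remote thread creation described above is what Sysmon records as Event ID 8 (CreateRemoteThread). The triage script below is an added example, not code from this post or from arvanaghi's; it assumes events exported as Python dicts using Sysmon's field names, and `TRUSTED_DIRS` and the two-indicator threshold are illustrative assumptions.

```python
import ntpath

# Functions whose address as a remote thread start means "load a DLL into the target".
LOADER_FUNCTIONS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
# Assumption: directories this site treats as trusted install locations.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def injection_indicators(event):
    """Return the reasons a Sysmon Event ID 8 record resembles DLL injection."""
    if event.get("EventID") != 8:
        return []
    reasons = []
    source = event.get("SourceImage", "").lower()
    if (event.get("StartFunction") or "").lower() in LOADER_FUNCTIONS:
        reasons.append("remote thread starts at a DLL loader function")
    if event.get("StartModule") in (None, "", "-"):
        reasons.append("start address is not inside a loaded module")
    if not source.startswith(TRUSTED_DIRS):
        reasons.append("source image runs from an untrusted directory")
    return reasons

def triage(events, threshold=2):
    """Yield (source name, target name, reasons) for events with enough indicators."""
    for event in events:
        reasons = injection_indicators(event)
        if len(reasons) >= threshold:
            yield (ntpath.basename(event["SourceImage"]),
                   ntpath.basename(event["TargetImage"]), reasons)

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\lab\Desktop\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "CtrlRoutine"},
    {"EventID": 1, "SourceImage": r"C:\Users\lab\Desktop\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for src, dst, why in triage(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

The second sample record is a benign remote thread (a console control handler started by csrss.exe), which is why the script scores several indicators together rather than alerting on every Event ID 8.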