CreateRemoteThread on LoadLibrary and get the HMODULE back

Front end · Unresolved · 4 · 736
野趣味 2020-12-19 18:53

I am doing the DLL injection job recently, so I have done some research into it on Google. Now I know that using CreateRemoteThread is a good way.

The ASLR(Address space lay

4 answers
  •  借酒劲吻你
    2020-12-19 19:39

    A bit more advanced, but rather than having CreateRemoteThread() call LoadLibrary() directly, you can instead allocate an HMODULE in the remote process by using VirtualAllocEx(), then allocate a block of executable memory (also with VirtualAllocEx()) and put some assembly code in it to call LoadLibrary() and save the return value to the allocated HMODULE, and then you can have CreateRemoteThread() run that allocated "function", wait for the thread to exit, and then read the HMODULE using ReadProcessMemory().

    This is demonstrated by Implementing Remote LoadLibrary and Remote GetProcAddress Using PowerShell and Assembly (in PowerShell, but can be translated to C/C++ as needed).
