So I have read the contents of a dll file into my process's heap memory. I then copied the contents of my process's heap memory into a remote process (I allocated space in the remote process before using VirtualAllocEx.) I now want to execute the DllMain function of the dll in the remote process. How can I get the address of DllMain within the remote process and then execute it with CreateRemoteThread()?
Thanks!
(Yes you may have noticed that I'm trying to do PE injection...)
The way DLL injection is usually done is like this:
1. Allocate a page in the remote process. The page should be created with write and execute permissions.
2. Write a short stub that calls LoadLibrary(). You'll need to write the path to the DLL somewhere in the allocated page. If necessary, the stub may also call GetProcAddress() and call into the DLL.
3. Copy the stub into the allocated page.
4. Execute the page in the remote context using CreateRemoteThread() or CreateRemoteThreadEx().
This method lets you sidestep the complexity of parsing PE and locating the entry point.
Yes, but the reason I wanted to do the PE injection method was so that it's not that easily detectable... many programs can find a call to LoadLibrary in their process.
Either way you're still going to call WriteProcessMemory() or some equivalent. To anyone In The Know it's going to be completely obvious that you're pulling shenanigans.
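To make the "completely obvious" point concrete from the defender's side, here is an added example (not part of this thread) that runs simple detection logic over constructed, simplified Sysmon-style records: a ProcessAccess event (Event ID 10) granting the rights that WriteProcessMemory()/CreateRemoteThread() need, and a CreateRemoteThread event (Event ID 8) whose start address is not backed by any loaded module, which is what both the LoadLibrary-stub approach and manual PE mapping look like. The log format and field names are assumptions modelled on Sysmon's fields.

```python
from typing import Dict, List

# Constructed, simplified Sysmon-style records (not real logs): one event per
# line, "key=value" pairs separated by "|". Event 8 = CreateRemoteThread,
# Event 10 = ProcessAccess. Paths and addresses are made up.
SAMPLE_LOG = """\
EventID=10|SourceImage=C:\\tools\\injector.exe|TargetImage=C:\\Windows\\notepad.exe|GrantedAccess=0x1FFFFF
EventID=8|SourceImage=C:\\tools\\injector.exe|TargetImage=C:\\Windows\\notepad.exe|StartAddress=0x00000201A3F40000|StartModule=|StartFunction=
EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\notepad.exe|GrantedAccess=0x1000
EventID=8|SourceImage=C:\\Program Files\\Debugger\\dbg.exe|TargetImage=C:\\Windows\\calc.exe|StartAddress=0x00007FFB12340000|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart
"""

# Process access rights an injector must obtain before it can allocate/write
# remote memory and start a thread there (Sysmon reports them in GrantedAccess).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'k=v|k=v' record into a dict (empty values are kept as '')."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def find_injection_indicators(log: str) -> List[str]:
    """Return one finding string per suspicious event; [] means nothing flagged."""
    findings: List[str] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, dst = ev.get("SourceImage", "?"), ev.get("TargetImage", "?")
        if ev.get("EventID") == "10":
            granted = int(ev.get("GrantedAccess", "0"), 16)
            # Handle opened with all three rights an injector needs at once.
            if granted & INJECT_MASK == INJECT_MASK:
                findings.append(
                    f"ProcessAccess: {src} -> {dst} with write+thread rights (0x{granted:X})")
        elif ev.get("EventID") == "8":
            # No backing module: the thread starts in a privately allocated
            # page (a LoadLibrary stub or a manually mapped image), not in a DLL.
            if not ev.get("StartModule"):
                findings.append(
                    f"CreateRemoteThread: {src} -> {dst} starts at unbacked {ev.get('StartAddress')}")
    return findings


if __name__ == "__main__":
    for finding in find_injection_indicators(SAMPLE_LOG):
        print(finding)
```

A debugger or legitimate tool will also trip the ProcessAccess rule, so in practice the two signals are correlated with the source image and allow-listed before alerting.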