I recently got into coding DLLs, and now I'm interested in having my own injection routine to save time and effort instead of using general-purpose injectors. However, it seems impossible for me to find a source to study that actually does the job. I've been all over the net googling like hell, trying lots of examples from different sites, and while I got most of them to compile flawlessly, they simply do not inject my DLL. I'm using Dev-C++ at the moment, running Windows XP with admin privileges.

I know you guys here are very good so I strongly hope I get some good help, so tired of messing around with this.

Here's most of my test DLL (it injects fine with well-known injectors):

/*
 * Entry point of the poster's test DLL. On DLL_PROCESS_ATTACH it shows a
 * message box and starts a thread at Action; it always returns 1.
 * Action and ThreadID are not shown in the post ("most of my test dll"),
 * and the braces of this listing were lost when the page was extracted;
 * the code is left exactly as posted.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
	 if(fdwReason == DLL_PROCESS_ATTACH) {
				/* NOTE(review): this call runs while the loader lock is held; Microsoft's
				   DLL best practices advise against calling User32 functions from DllMain. */
				MessageBox(0, "Dll Injection Successful! ", "Dll calling", MB_ICONEXCLAMATION | MB_OK);
	             /* The thread handle returned by CreateThread is discarded, so it is never closed here. */
	             CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&Action, 0, 0, &ThreadID);
	 return 1;

Here is the injector source I'm currently using. I have also been using similar sources with lots of error checking; they state that the injection is completed, but the DLL never gets injected.

#include <windows.h>
#include <tlhelp32.h>

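/**
 * Enable one named privilege in the current process's access token.
 *
 * @param lpszPriv  Privilege name passed to LookupPrivilegeValue.
 * @return TRUE only if the privilege was actually enabled; FALSE if the
 *         token could not be opened, the name could not be resolved, or
 *         the token does not hold the privilege.
 *
 * The privilege stays enabled on the process token after this call, so
 * callers should request only the privilege they need.
 */
BOOL EnablePriv(LPCSTR lpszPriv)
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tkprivs;
    BOOL bRet;

    ZeroMemory(&tkprivs, sizeof(tkprivs));

    if (!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken)) {
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, lpszPriv, &luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    tkprivs.PrivilegeCount = 1;
    tkprivs.Privileges[0].Luid = luid;
    tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);

    /* AdjustTokenPrivileges reports success even when the token does not
       hold the privilege; only the last-error value tells the two apart.
       Read it before CloseHandle can overwrite it. */
    if (bRet && GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        bRet = FALSE;
    }

    /* The posted version returned without closing the token handle on
       this path, leaking one handle per call. */
    CloseHandle(hToken);
    return bRet;
}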
/*
 * Asks another process to load the module named lpszModuleName by starting
 * a remote thread at LoadLibraryA with a copy of that name as its argument.
 * The target is chosen by executable name (lpszProcess, looked up in a
 * Toolhelp process snapshot), by dwPID, or by an already-open hProcess.
 * Returns the value read back by GetExitCodeThread.
 *
 * The braces and the `do {` of the process-enumeration loop were lost when
 * the page was extracted; the code is left exactly as posted.
 *
 * Defender note: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread(LoadLibraryA) is the classic remote-thread DLL-loading
 * sequence, and endpoint tooling commonly alerts on it, e.g. Sysmon
 * Event ID 10 (ProcessAccess) for the handle and Event ID 8
 * (CreateRemoteThread) for the thread.
 */
DWORD RemoteLoadLibrary(LPSTR lpszProcess, DWORD dwPID, HANDLE hProcess, LPSTR lpszModuleName)
	    /* NOTE(review): never initialised; returned as-is when no process handle
	       is obtained or the remote thread is not created. */
	    DWORD dwModuleBase;
	    if(lpszProcess != NULL){
	        /* NOTE(review): CreateToolhelp32Snapshot reports failure as
	           INVALID_HANDLE_VALUE, so the NULL test below does not detect it. */
	        HANDLE hProcesses = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	        if(hProcesses != NULL){
	            PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };
	            if(Process32First(hProcesses, &pe32)){
	                    /* Case-sensitive match on the executable name; the first match wins. */
	                    if(!strcmp(lpszProcess, pe32.szExeFile)){
	                        dwPID = pe32.th32ProcessID; break;
					while(Process32Next(hProcesses, &pe32));
	            }	            CloseHandle(hProcesses);
	    /* Requests every access right on the target (the doubled assignment is harmless). */
	    if(dwPID != 0) hProcess = hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
	    if(hProcess != NULL){
	        DWORD dwSize = lstrlen(lpszModuleName) + 1;
	        /* Remote allocation that is both writable and executable; memory scanners look for such regions. */
	        LPBYTE lpszModuleRemoteName = (LPBYTE)VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	        if(lpszModuleRemoteName != NULL)
	            /* NOTE(review): the result of WriteProcessMemory is not checked. */
	            WriteProcessMemory(hProcess, lpszModuleRemoteName, lpszModuleName, dwSize, NULL);
	            HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
	                (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"), lpszModuleRemoteName, 0, NULL);
	            if(hThread != NULL)
	            {	                WaitForSingleObject(hThread, 10000); // 10 seconds
	                /* The wait result is ignored, so a timeout is treated like completion.
	                   NOTE(review): hThread is not closed anywhere in the visible lines. */
	                GetExitCodeThread(hThread, &dwModuleBase);
	            /* NOTE(review): VirtualFreeEx with MEM_RELEASE is documented to require a
	               size of 0; with dwSize the call presumably fails and the remote buffer stays allocated. */
	            VirtualFreeEx(hProcess, lpszModuleRemoteName, dwSize, MEM_RELEASE);
	        /* Closes the process handle only when a PID was resolved or supplied. */
	        if(dwPID != 0) CloseHandle(hProcess);
	    return dwModuleBase;
/*
 * Test driver: calls RemoteLoadLibrary with the hard-coded process name
 * "notepad.exe" and module name "lol.dll". EnablePriv is not called here.
 * The closing brace was lost when the page was extracted.
 */
int main(){
	/* NOTE(review): dwBase is never inspected, so the program gives no
	   indication of whether the call succeeded or failed. */
	DWORD dwBase = RemoteLoadLibrary("notepad.exe", 0, NULL, "lol.dll");
	return 0;


Is that supposed to duplicate the functionality of win32 api function LoadProcess() ? If yes, then why bother? What makes you think you can do it faster or better than the Microsoft experts?
