CreateRemoteThread without DLL (inject function)


I have reviewed some articles in internet and they are talking about DLL injection into another process, I also saw some articles about function injection with CreateRemoteThreadEx that injects a function into another process.

I want a piece of example code which will inject a thread function into notepad.exe and that thread shows messagebox each X second.

Please advice about it.

Thanks from now!
LVL 17
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

See ("III. The CreateRemoteThread & WriteProcessMemory Technique") which uses the latter API to avoid the creation of a separate DLL. The article comes with full source code and demo apps.
CSecurityAuthor Commented:
I checked that, that is too complicated with a lot of things, I need just a MessageBox sample demo which injects a thread which only shows messagebox into notepad.exe, if possible please just show me a simple code
I am afraid it won't be any easier that described in these 10 steps from that article:

   1. Retrieve a HANDLE to the remote process (OpenProces).
   2. Allocate memory in the remote process's address space for injected data (VirtualAllocEx).
   3. Write a copy of the initialised INJDATA structure to the allocated memory (WriteProcessMemory).
   4. Allocate memory in the remote process's address space for injected code.
   5. Write a copy of ThreadFunc to the allocated memory.
   6. Start the remote copy of ThreadFunc via CreateRemoteThread.
   7. Wait until the remote thread terminates (WaitForSingleObject).
   8. Retrieve the result from the remote process (ReadProcessMemory or GetExitCodeThread).
   9. Free the memory allocated in Steps #2 and #4 (VirtualFreeEx).
  10. Close the handles retrieved in Steps #6 and #1 (CloseHandle).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

I found this article, which shows an indepth look at DLL Injection. It also shows some sample code. I am not sure if it will help you.
p8 shows it using a MessageBox
CSecurityAuthor Commented:
I injected my function but I get exception when my thread exits
Rishadan, I don't want DLL Injection, I want thread/function injection
CSecurityAuthor Commented:

I attached my code, just replace PID manually with notepad.exe 's PID in this line:


Please rename test.txt to Test.cpp, open it in MS VC++ 6.

Please tell me what's wrong in the code
May I ask why you graded that as a 'C'?
CSecurityAuthor Commented:
No solution, just a comment provided, I solved task and problem myself
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Editors IDEs

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.