How a Simple LoadLibraryA Injector Works

:brain: LoadLibraryA DLL Injection: Internals Explained

Windows Usermode Injection • C++ Example • Loader Internals


:check_mark: Beginner Friendly :check_mark: Stable Method :warning: Detectable


:books: Table of Contents

• Introduction
• Injection Theory
• Execution Flow
• Windows API Used
• C++ Example
• What Happens Internally
• Common Mistakes


:magnifying_glass_tilted_right: 1. Introduction

LoadLibraryA injection is the oldest and best-documented DLL injection technique on Windows.

Instead of mapping the DLL ourselves, we make the target process call:

LoadLibraryA("C:\\yourdll.dll");

with a path string we placed in its address space. The Windows loader handles everything else, which also means the DLL must exist on disk at a path the target process can read.


:gear: 2. Injection Theory

The injector performs 4 main actions:

:one: Open target process
:two: Allocate memory inside it
:three: Write DLL path
:four: Create remote thread calling LoadLibraryA

That's it.


:counterclockwise_arrows_button: 3. Execution Flow

Injector
 ├── OpenProcess
 ├── VirtualAllocEx
 ├── WriteProcessMemory
 └── CreateRemoteThread
            ↓
Target Process
 └── LoadLibraryA
        ├── Map sections
        ├── Apply relocations
        ├── Resolve imports
        ├── Run TLS callbacks
        └── Execute DllMain

:puzzle_piece: 4. Windows API Used

• OpenProcess
• VirtualAllocEx
• WriteProcessMemory
• GetModuleHandleA
• GetProcAddress
• CreateRemoteThread
• WaitForSingleObject


:laptop: 5. Minimal C++ Injector

#include <windows.h>
#include <cstring>
#include <iostream>

int main()
{
    DWORD pid = 1234;                        // replace with the target PID
    const char* dllPath = "C:\\mydll.dll";  // full path; must match the target's bitness
    SIZE_T pathLen = strlen(dllPath) + 1;    // include the terminating NUL

    // Only the rights the four steps need; PROCESS_ALL_ACCESS also works.
    HANDLE hProcess = OpenProcess(
        PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
        PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
        FALSE, pid);
    if (!hProcess) {
        std::cerr << "OpenProcess failed: " << GetLastError() << "\n";
        return 1;
    }

    // 1. Allocate a buffer in the target for the path string.
    LPVOID remoteBuffer = VirtualAllocEx(hProcess, NULL, pathLen,
                                         MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!remoteBuffer) {
        std::cerr << "VirtualAllocEx failed: " << GetLastError() << "\n";
        CloseHandle(hProcess);
        return 1;
    }

    // 2. Copy the path into it.
    if (!WriteProcessMemory(hProcess, remoteBuffer, dllPath, pathLen, NULL)) {
        std::cerr << "WriteProcessMemory failed: " << GetLastError() << "\n";
        CloseHandle(hProcess);
        return 1;
    }

    // 3. kernel32.dll is mapped at the same base in every process of the same
    //    bitness for the lifetime of a boot, so the LoadLibraryA address in our
    //    own process is also valid inside the target.
    LPVOID loadLib = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

    // 4. Start a thread in the target whose entry point is LoadLibraryA and whose
    //    single argument is the remote path buffer.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                        (LPTHREAD_START_ROUTINE)loadLib,
                                        remoteBuffer, 0, NULL);
    if (!hThread) {
        std::cerr << "CreateRemoteThread failed: " << GetLastError() << "\n";
        CloseHandle(hProcess);
        return 1;
    }

    WaitForSingleObject(hThread, INFINITE);

    // The thread exit code is LoadLibraryA's return value truncated to 32 bits:
    // zero means the load failed inside the target (bad path, wrong bitness, ...).
    DWORD hModule = 0;
    GetExitCodeThread(hThread, &hModule);
    std::cout << (hModule ? "DLL loaded\n" : "LoadLibraryA returned NULL in target\n");

    VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return hModule ? 0 : 1;
}

:brain: 6. What Happens Internally

When LoadLibraryA runs inside the target process:

• LoadLibraryA forwards to LoadLibraryExA, which calls ntdll!LdrLoadDll
• PE headers parsed
• Sections mapped into memory
• Relocations applied if the DLL could not be mapped at its preferred base
• IAT resolved (each dependency is loaded first, through the same loader path)
• TLS callbacks executed
• DllMain called with DLL_PROCESS_ATTACH, on the injected thread, under the loader lock

This is why the method is stable: the real loader does the work, so the DLL gets a normal entry in the PEB module list and its dependencies, relocations and exception handlers behave as they would for any other DLL. It is also why the method is easy to detect: the same module list, the remote thread starting at kernel32!LoadLibraryA, and an image load from an unusual path are all visible to any tool or EDR watching the process.


:prohibited: 7. Common Mistakes

Access Denied
→ Run the injector as Administrator, and enable SeDebugPrivilege if the target runs as another user (for example a SYSTEM service)
→ Protected processes (PPL, such as anti-malware services) cannot be opened for writing at all, whatever the privileges

Architecture mismatch
→ Injector, target and DLL must all have the same bitness: x64 → x64, x86 → x86
→ A 64-bit injector can open a 32-bit (WOW64) process, but the LoadLibraryA address taken from its own kernel32 is not valid there, and a 64-bit DLL could not be loaded into it anyway

Crash after injection
→ Heavy logic inside DllMain: it runs under the loader lock, so do not load other DLLs, create threads and wait on them, or call anything that needs another thread; start a worker thread and return TRUE
→ Missing dependencies: the DLL's own imports are resolved with the target's search path (its directory, System32, PATH), not the injector's; if one is missing, LoadLibraryA returns NULL in the target
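A pre-flight check for the architecture mismatch above, written as an added example for this page (it is not part of the original injector or of any project): the Machine field of the DLL's PE header on disk is compared with the bitness the injector was compiled for, and on Windows the target process is queried with IsWow64Process as well. The DLL path and PID are assumed to arrive as command-line arguments; BuildHeaderStub is constructed sample input so the parsing part can be exercised without a real DLL, and it is the only part that builds outside Windows.

```cpp
// Added example: bitness pre-flight for a LoadLibraryA injector. PE constants are
// the documented IMAGE_FILE_MACHINE_* values; only TargetMatchesInjector needs Win32.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <iostream>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

constexpr uint16_t kMachineI386  = 0x014c;  // IMAGE_FILE_MACHINE_I386
constexpr uint16_t kMachineAmd64 = 0x8664;  // IMAGE_FILE_MACHINE_AMD64
constexpr uint16_t kMachineArm64 = 0xAA64;  // IMAGE_FILE_MACHINE_ARM64

// Machine field of a PE image held in memory, or 0 if the header is malformed
// (too short, missing "MZ" or "PE\0\0" signatures, e_lfanew out of range).
uint16_t PeMachineType(const std::vector<uint8_t>& image)
{
    if (image.size() < 0x40 || image[0] != 'M' || image[1] != 'Z') return 0;
    uint32_t peOff = 0;                              // e_lfanew lives at 0x3c
    std::memcpy(&peOff, &image[0x3c], sizeof peOff);
    if (peOff > image.size() - 6) return 0;          // need signature + Machine
    if (std::memcmp(&image[peOff], "PE\0\0", 4) != 0) return 0;
    uint16_t machine = 0;                            // first field of IMAGE_FILE_HEADER
    std::memcpy(&machine, &image[peOff + 4], sizeof machine);
    return machine;
}

// Machine type this injector binary was compiled for.
uint16_t InjectorMachineType()
{
#if defined(_M_X64) || defined(__x86_64__)
    return kMachineAmd64;
#elif defined(_M_ARM64) || defined(__aarch64__)
    return kMachineArm64;
#else
    return kMachineI386;
#endif
}

// True when a DLL with these headers can be loaded by a process of our bitness.
bool DllMatchesInjector(const std::vector<uint8_t>& dllImage)
{
    uint16_t m = PeMachineType(dllImage);
    return m != 0 && m == InjectorMachineType();
}

// Constructed sample input: a minimal DOS+NT header stub with the given Machine
// value, so the check can be exercised without a real DLL on disk.
std::vector<uint8_t> BuildHeaderStub(uint16_t machine)
{
    std::vector<uint8_t> img(0x48, 0);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3c] = 0x40;                                // e_lfanew = 0x40
    std::memcpy(&img[0x40], "PE\0\0", 4);
    std::memcpy(&img[0x44], &machine, sizeof machine);
    return img;
}

// Only the headers are needed, so read the first page of the file.
std::vector<uint8_t> ReadHeaders(const char* path)
{
    std::ifstream f(path, std::ios::binary);
    std::vector<uint8_t> buf(4096);
    f.read(reinterpret_cast<char*>(buf.data()), buf.size());
    buf.resize(static_cast<size_t>(f.gcount()));
    return buf;
}

#ifdef _WIN32
// True when the target has the same bitness as this injector: a 32-bit process
// on 64-bit Windows reports IsWow64Process = TRUE, a native one reports FALSE.
bool TargetMatchesInjector(DWORD pid)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!h) return false;
    BOOL targetWow64 = FALSE, selfWow64 = FALSE;
    IsWow64Process(h, &targetWow64);
    IsWow64Process(GetCurrentProcess(), &selfWow64);
    CloseHandle(h);
    return targetWow64 == selfWow64;
}
#endif

int main(int argc, char** argv)
{
    // usage: preflight <dll path> [pid]; with no arguments the stub is checked.
    std::vector<uint8_t> hdr = argc > 1 ? ReadHeaders(argv[1]) : BuildHeaderStub(InjectorMachineType());
    if (!DllMatchesInjector(hdr)) { std::cerr << "DLL bitness mismatch\n"; return 1; }
#ifdef _WIN32
    if (argc > 2 && !TargetMatchesInjector(std::strtoul(argv[2], nullptr, 10))) { std::cerr << "target bitness mismatch\n"; return 1; }
#endif
    std::cout << "ok\n";
    return 0;
}
```

Run it as preflight C:\mydll.dll 1234 before the injector: a non-zero exit means the injection would fail or crash, and it is cheaper to find that out here than from a NULL return inside the target. The stub is only a header, so on a real DLL the same function reads the real Machine value.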


:check_mark: Simple • :check_mark: Educational • :warning: Not Stealth