Fig 3 - uploaded by Mohamed Alshehri
CreateRemoteThread() Injection

Source publication
Article
This paper compares different open-source tools available to determine which one is the most efficient in different business situations in terms of comprehensive detection, steps for configuration, and utilities for relaying discoveries. These tools include Memhunter, Volatility, and Sysmon.

Context in source publication

Context 1
... Use CreateRemoteThread() to start a thread in the target process whose start routine is LoadLibraryW, pointing it at the address space allocated for the DLL above. (The header from LoadLibraryW can be seen in Figure 3.) 6) Close the process handle obtained in step 1. The major difference between the normal and this "stealthy" CreateRemoteThread() injection is that the PE header is erased once the DLL has been loaded directly. ...
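The paper compares Sysmon among other tools for catching this behaviour; the following Python is an added example, not code from the paper or its authors, showing the kind of check a detection engineer would run over Sysmon Event ID 8 (CreateRemoteThread) records. It applies two heuristics: a remote thread whose start routine is LoadLibraryW/LoadLibraryA (the classic injection described above), and a remote thread whose start address is not backed by any loaded module, which is how a thread launched into a directly mapped image with its PE header wiped would be reported. The flattened record format, the sample records and the allow-list of benign source images are constructed for this example; the field names follow the Sysmon event schema.

```python
"""Flag suspicious Sysmon Event ID 8 (CreateRemoteThread) records.

Sysmon emits one Event ID 8 record per cross-process thread creation with the
fields SourceImage, TargetImage, StartAddress, StartModule and StartFunction.
Heuristics applied here (assumptions for this example, not the paper's method):
  1. the new thread starts at a LoadLibrary* export, or
  2. StartModule is empty/"-", i.e. the start address is not inside any module
     Sysmon could resolve (what a wiped-header, directly loaded image looks like).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

LOADER_FUNCTIONS = {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}

# Assumed allow-list: processes that legitimately create remote threads in this environment.
BENIGN_SOURCES = {r"C:\Windows\System32\csrss.exe"}


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_address: str
    start_module: str
    start_function: str


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one flattened 'Key: value | Key: value' record (constructed format).

    partition() splits at the first colon only, so drive letters in paths survive.
    """
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return RemoteThreadEvent(
        source_image=fields.get("SourceImage", ""),
        target_image=fields.get("TargetImage", ""),
        start_address=fields.get("StartAddress", ""),
        start_module=fields.get("StartModule", ""),
        start_function=fields.get("StartFunction", ""),
    )


def classify(ev: RemoteThreadEvent) -> str | None:
    """Return a verdict label for a suspicious event, or None if it looks benign."""
    if ev.source_image in BENIGN_SOURCES:
        return None
    if ev.start_function in LOADER_FUNCTIONS:
        return "loadlibrary-remote-thread"
    if ev.start_module in ("", "-"):
        return "unbacked-start-address"
    return None


def scan(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (TargetImage, verdict) for every flagged record, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev.target_image, verdict))
    return hits


# Constructed sample records: one classic LoadLibraryW injection, one thread started
# at an address with no backing module, one allow-listed source, one ordinary debugger attach.
SAMPLE_LOG = [
    r"SourceImage: C:\Users\demo\tool.exe | TargetImage: C:\Windows\System32\notepad.exe"
    r" | StartAddress: 0x00007FFB1A2B3C40 | StartModule: C:\Windows\System32\KERNEL32.DLL | StartFunction: LoadLibraryW",
    r"SourceImage: C:\Users\demo\tool.exe | TargetImage: C:\Windows\explorer.exe"
    r" | StartAddress: 0x000001E4A0B10000 | StartModule: - | StartFunction: -",
    r"SourceImage: C:\Windows\System32\csrss.exe | TargetImage: C:\Windows\System32\cmd.exe"
    r" | StartAddress: 0x00007FFB1A2C0010 | StartModule: C:\Windows\System32\KERNEL32.DLL | StartFunction: CtrlRoutine",
    r"SourceImage: C:\Program Files\Debugger\dbg.exe | TargetImage: C:\Program Files\App\app.exe"
    r" | StartAddress: 0x00007FFB1C0A5F20 | StartModule: C:\Windows\System32\ntdll.dll | StartFunction: DbgUiRemoteBreakin",
]

if __name__ == "__main__":
    for target, verdict in scan(SAMPLE_LOG):
        print(f"{verdict}: remote thread created in {target}")
```

In production the allow-list would be built from a baseline of the environment's own Event ID 8 traffic, and the second heuristic is the one worth correlating with a memory scanner such as Memhunter or Volatility, since an unbacked start address alone says nothing about what was loaded there.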