Analysis updated 2026-05-18
Study how remote thread DLL injection works at the Windows API level for security research or coursework.
Learn how RC4 encryption and UUID encoding can obfuscate a payload to avoid static signature scanning.
Use as a hands-on base for practicing Windows offensive security concepts on systems you own.
Follow the planned improvement notes to extend the project with in-memory loading or AES encryption.
| | adroxz1122/injected-host-enumeration | iamdaven/miraos | loganw234/mercenaries2 |
|---|---|---|---|
| Stars | 1 | 1 | 1 |
| Language | C | C | C |
| Setup difficulty | moderate | hard | hard |
| Complexity | 3/5 | 5/5 | 5/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires MinGW-w64 or MSVC build tools and Windows SDK headers. It must only be tested on systems you own or have permission to test.
This is a Windows security research project, described in the README as for educational purposes only, that demonstrates how DLL injection works in practice. The code walks through a chain of techniques studied in offensive security courses: encrypting a payload DLL, encoding it as UUID strings inside an executable's resource section, and then decrypting and injecting it into a running process at runtime.

The project has three stages. First, a DLL payload is compiled, and tools in the repository encrypt it with the RC4 cipher and convert the encrypted binary into a list of UUID-formatted strings that look like ordinary identifier values to a scanner. Second, those UUID strings are embedded inside the loader executable using a Windows resource script, so the final program carries everything it needs with no separate DLL file on disk. Third, when the loader runs, it reads the embedded resource, parses the UUID strings back into bytes, decrypts the DLL, writes it to a temporary file in the Windows TEMP directory, injects it into a target process (the default is Notepad), and then deletes the temporary file.

The injection itself uses standard Windows API calls: the loader opens the target process, allocates memory inside it, writes a DLL path, and starts a thread in the remote process that calls LoadLibraryW, telling the operating system to load the DLL. The UUID encoding and RC4 encryption layer is there to prevent static signature-based scanners from recognizing the DLL by its raw bytes.

The README includes a list of planned changes the author intends to make: loading the DLL directly into memory without writing to disk, replacing RC4 with AES encryption, and adding a network connection to send results to a remote server rather than writing to a local file. Building requires MinGW-w64 or MSVC, the standard Windows SDK headers, and a four-step compile sequence described in the README.
The project must be used only on systems the user owns or has explicit permission to test.
A Windows security research project demonstrating DLL injection using an RC4-encrypted, UUID-obfuscated payload embedded in the loader's resource section.
Mainly C. The stack also includes the Windows API and MinGW-w64.
Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.
Mainly developer.
Verify against the repo before relying on details.