LoadLibraryW doesn't work while LoadLibraryA does the job

Question

I have written some sample program and DLL to learn the concept of DLL injection.

My injection code to inject the DLL to the sample program is as follows (error handling omitted):

std::wstring dll(L"D:\\Path\\to\\my\\DLL.dll");
LPTHREAD_START_ROUTINE pLoadLibraryW = 
    (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
int bytesNeeded = WideCharToMultiByte(CP_UTF8, 0, dll.c_str(), dll.length(), 
    NULL, 0, NULL, NULL);
std::vector<byte> dllName(bytesNeeded);
WideCharToMultiByte(CP_UTF8, 0, dll.c_str(), dll.length(), 
    (LPSTR)&dllName[0], bytesNeeded, NULL, NULL);
// Memory is a class written by me to simplify memory processes. 
// Constructor takes desired permissions.
Memory mem (pid, false, true, false, true, false, false, false, 
    false, false, true, true, true, false);
// Ensures deletion of the allocated range.
// true / true / false = read and write access, no execute permissions
std::tr1::shared_ptr<void> allocated = 
    mem.AllocateBytes(dllName.size(), true, true, false);
mem.WriteBytes((unsigned int)allocated.get(), dllName);
mem.CreateThread(pLoadLibraryW, allocated.get());

Memory::CreateThread is as follows:

void Memory::CreateThread(LPTHREAD_START_ROUTINE address, LPVOID parameter) const {
    std::tr1::shared_ptr<void> hThread(CreateRemoteThread(m_hProcess.get(), 
        NULL, 0, address, parameter, 0, NULL), CloseHandle);
    if (hThread.get() == NULL) {
        throw std::runtime_error("Memory::CreateThread: CreateRemoteThread failed");
    }
    DWORD returned = WaitForSingleObject(hThread.get(), INFINITE);
    if (returned != WAIT_OBJECT_0) {
        throw std::runtime_error("Memory::CreateThread: The remote thread did not complete properly");
    }
}

The problem is, that the module isn't loaded. However, when I change the second line to

LPTHREAD_START_ROUTINE pLoadLibraryW =
    (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");

it works (since the test dll has no unicode characters in it's name).

How to make it work with LoadLibraryW?

Answer 1

I'm not sure why you are creating a thread and passing it the address of the LoadLibraryW function. Wouldn't it be easier and safer to call LoadLibraryW directly?

Either way, you certainly don't need to make any WideCharToMultiByte calls. LoadLibraryW expects a wide character module name.

Is there any reason why you can't just do this?

HMODULE hLibHandle = LoadLibraryW( L"D:\\Path\\to\\my\\DLL.dll" );

Answer 2

HMODULE WINAPI LoadLibrary(
  __in  LPCTSTR lpFileName
);

It takes a TCHAR -- so the argument for LoadLibraryW has to be a wide string; the code above passes the multi-byte form of the argument, which is the form that LoadLibraryA wants.