[redthrowaway]

>Windows has this thing called Create Remote Thread. Basically, the semantics of Create Remote Thread are: You’re a process, I’m a different process. I call you and say “Hey! I have this bit of code. I’d really like it if you’d run this.” You’d say, “Sure,” because you’re a Windows process– you’re all hippie-like and free love. Windows processes, by the way, are insanely promiscuous. So! We would call a bunch of processes, hand them all a gob of code, and they would all run it.

I...wait, what? Did Windows actually used to be that bad?

[21]

This still exists, and it's used by lots of extensions.

But you can only inject DLLs (this is how it's called) if your process already has some admin rights and if the other process is not of a higher integrity.

[chadzawistowski]

I still use this, and authored a tool to inject the .Net runtime and run arbitrary C# code! https://github.com/ChadSki/SharpNeedle

[jahewson]

Well, the remote process has to have been launched with the appropriate permissions to allow remote threads. Also the remote thread can only run code which already exists in the remote process, though one common trick is to call LoadLibrary to inject a custom DLL.

[nickpsecurity]

Look up the Shatter Attack.