Friday, November 18, 2016
DLL injection
In computer programming, DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could hook system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6] A program used to inject arbitrary code into arbitrary processes is called a DLL injector.
It's not really known when the first DLL injection was introduced. However, today there are many possible types and uses for DLL injection. One of the basic uses is reading the contents of a password text box to gain access to a computer user's private information. Most, if not all, of the uses for DLL injection are malicious in nature and potentially illegal. To help combat the problem, Microsoft introduced the "protected process" in Windows Vista, which is nearly immune to these DLL injections.
Normally, when you load a DLL in Windows, you call LoadLibrary. LoadLibrary takes the file path of a DLL and loads it into memory. Because the DLL is on disk and the loader registers it, the DLL will also show up when tools such as ListDLLs are used to enumerate the DLLs loaded in a process.
Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn't have a LoadLibrary function that supports this, so to get the functionality you have to write your own. One benefit of writing your own loader is that it can omit some of the things Windows normally does, such as registering the DLL as a loaded module in the process, which makes the reflective loader harder to spot when the process is investigated. Meterpreter is an example of a tool which uses reflective loading to hide itself.
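The gap described above is also what an investigator can look for: a reflectively loaded DLL has no entry in the loader's module list, but its code still has to live in committed, executable memory that is not backed by an image file. The script below is an added example, not code from the original post; it lists the loader-registered modules of a process (the ListDLLs view) and then walks the process's address space with VirtualQueryEx, reporting private executable regions. It assumes a 64-bit Windows host, PowerShell 5.1 or later, and a process you are allowed to open for query and read access.

```powershell
# Added example (not from the original post): compare the loader's module list
# with the executable memory of one process. A region that is committed,
# executable and MEM_PRIVATE (rather than MEM_IMAGE) has no backing DLL on disk
# and no loader entry, which is the footprint a reflective loader leaves.
# Assumes a 64-bit host; MBI mirrors MEMORY_BASIC_INFORMATION on x64.
param([int]$ProcessId = $PID)   # default: inspect this PowerShell process

Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MBI {
    public IntPtr BaseAddress; public IntPtr AllocationBase;
    public uint AllocationProtect; public IntPtr RegionSize;
    public uint State; public uint Protect; public uint Type;
}
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll")]
public static extern int VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, int len);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
$MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000
$EXEC_MASK = 0x10 -bor 0x20 -bor 0x40 -bor 0x80   # any PAGE_EXECUTE* protection

$h = [Win32.Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) {
    throw "OpenProcess($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# What the loader knows about: the same view ListDLLs gives.
$modules = (Get-Process -Id $ProcessId).Modules | ForEach-Object { $_.ModuleName }
"Loader-registered modules in PID ${ProcessId}: $($modules.Count)"

# Walk every region from address 0 until VirtualQueryEx stops answering.
$addr = [IntPtr]::Zero
$mbi  = New-Object -TypeName 'Win32.Mem+MBI'
$size = [Runtime.InteropServices.Marshal]::SizeOf([type]'Win32.Mem+MBI')
while ([Win32.Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne 0) {
    if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and ($mbi.Protect -band $EXEC_MASK)) {
        '{0:X16}  size=0x{1:X}  protect=0x{2:X}  executable private memory, not image-backed' -f `
            $mbi.BaseAddress.ToInt64(), $mbi.RegionSize.ToInt64(), $mbi.Protect
    }
    $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64())
}
[void][Win32.Mem]::CloseHandle($h)
```

Runtimes that JIT-compile code (the .NET CLR behind PowerShell itself, browsers, Java) legitimately allocate private executable regions, so treat a hit as a lead to inspect (for example, check whether the region starts with a PE header) rather than as a verdict.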