How does the technique achieve inter-process message passing between the loader and the injected DLL?
The loader creates two shared memory-mapped file objects using `CreateFileMapping` with security attributes that allow all access (since the injected DLL runs as SYSTEM). The loader writes the log file handle and the target `EventRecordID` into these shared memory regions. The injected DLL reads from the same mappings after injection, converting the string data to integers to obtain the parameters needed for deletion. This shared memory method avoids the parameter‑passing limitations of `CreateRemoteThread`.
CreateFileMapping, shared memory, inter-process communication, DLL injection, security descriptor