How To Inject a DLL Tutorial feat. the GH Injector v2.4
How to inject a DLL using the Guided Hacking injector made by Broihon, with an explanation of its features and the different injection methods it uses. This replaces an older, outdated video.
https://guidedhacking.com/resources/guided-hacking-dll-injector.4/
https://undocumented.ntinternals.net/
https://www.autoitscript.com/site/autoit/downloads/
The GH injector has 3 DLL loading methods and 4 techniques for launching those methods. Each one offers a different way of getting around anticheat detection.
First I'll start by explaining how most DLL injectors work.
The most basic DLL injector works by:
Using WriteProcessMemory() to write the DLL path into the target process's memory
Calling CreateRemoteThread(), which creates a new thread in the target process
Inside this new thread, calling LoadLibrary(), which loads the DLL into memory
Then the code in your DLL starts executing
CreateRemoteThread does not allow a user process in one session to create a thread in a system process or a process in a different session.
If you want to inject into a system process or a process in a different session you need to use NtCreateThreadEx.
NtCreateThreadEx doesn't care about the process session.
LoadLibrary() tells the OS to load a .dll into memory; it's just one function call, nice and easy.
Now what if an anticheat hooks LoadLibrary to detect you?
Let's take a step back and explain a little bit of Windows Internals
It is exported by kernel32.dll; kernel32 exposes the Win32 API to your process.
These are the documented functions that Microsoft wants you to use.
LoadLibrary is essentially just a wrapper that calls LdrLoadDll behind the scenes.
LdrLoadDll() is exposed by ntdll.dll, which represents the Windows Native API: a collection of undocumented functions you won't find on MSDN.
But they've been thoroughly reversed, ntinternals.net is a great site to use
This is your first option to use if LoadLibrary is hooked/detected by anticheat/antidebug
Using this method, you basically are bypassing LoadLibrary
ManualMap
This manually maps the DLL into memory, basically emulating everything that LoadLibrary does. It handles the section relocations, relative offsets and import resolving
This will bypass any detections based on hooking LoadLibrary or LdrLoadDll.
Also bypasses module detection via walking the module list in the Process Environment Block
Let's go back to the 4 techniques for starting execution of our code in the target process.
NtCreateThreadEx creates a thread in the target process, now what if the anticheat is watching for new thread creation?
The next thing you could try is Thread Hijacking.
Thread Hijacking
You create some shellcode with the DLL path in it and write it with WriteProcessMemory into newly allocated memory in the target process.
You find a running thread, suspend it, get the thread context, set the thread context and then resume the thread, which will now execute the shellcode we injected.
SetWindowsHookEx
Post Injection
default = Keep Process Header
Erase Process Header - bypasses detection of the module via its PE header
Fake Process Header -
Unlink from Process Environment Block - anticheats that walk the module list in the PEB won't find your module
Shift Module - shifts the location of the module in memory; typically when you allocate memory for your DLL it lands at the start of a 4 KB aligned page.
Anticheats can easily scan every page of memory and check for unknown PE headers at the first byte, using Shift Module will hide from that
In most cases erasing the PE header is better
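As an added, defender-side illustration of the page scan described above (this is example code, not part of the GH injector or the original post), the Python below checks whether each page-aligned region starts with a plausible PE header and flags any such region that is not in the PEB module list. The memory regions and module list are constructed inline as assumptions; a real scanner would read them from the target process.

```python
import struct

PAGE_SIZE = 0x1000
OPTIONAL_HDR_MAGICS = (0x10B, 0x20B)  # IMAGE_NT_OPTIONAL_HDR32/64_MAGIC

def is_pe_header(page: bytes) -> bool:
    """True if the page begins with a plausible DOS header + NT headers."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    # Signature (4) + FILE_HEADER (20) + optional-header Magic (2) must fit.
    if e_lfanew + 26 > len(page):
        return False
    if page[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False
    magic = struct.unpack_from("<H", page, e_lfanew + 24)[0]
    return magic in OPTIONAL_HDR_MAGICS

def find_unknown_modules(regions: dict, peb_modules: set) -> list:
    """regions: {base_address: bytes}; peb_modules: bases found in the PEB module list.
    Returns bases that look like a PE image but are not in the module list."""
    hits = []
    for base, data in sorted(regions.items()):
        if base % PAGE_SIZE == 0 and is_pe_header(data[:PAGE_SIZE]) \
                and base not in peb_modules:
            hits.append(base)
    return hits

def build_sample_pe_page(magic: int = 0x20B) -> bytes:
    """Constructed sample page: minimal DOS stub, PE signature, optional-header magic."""
    page = bytearray(PAGE_SIZE)
    page[:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, 0x80)          # e_lfanew -> NT headers at 0x80
    page[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", page, 0x80 + 24, magic)    # IMAGE_OPTIONAL_HEADER.Magic
    return bytes(page)

def demo() -> list:
    # Constructed process snapshot (assumed addresses, not real ones):
    regions = {
        0x10000000: build_sample_pe_page(),                   # legit module, in PEB list
        0x20000000: build_sample_pe_page(),                   # manual-mapped, header intact
        0x30000000: bytes(PAGE_SIZE),                         # manual-mapped, header erased
        0x40000000: bytes(0x200) + build_sample_pe_page(),    # shifted: header not at page start
    }
    peb_modules = {0x10000000}
    return find_unknown_modules(regions, peb_modules)        # only 0x20000000 is caught
```

The erased and shifted cases go unflagged, which is exactly why the options above exist; a scanner that only looks at the first byte of each page needs additional checks (for example, section permissions or code without a backing module) to catch them.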
In this How To Inject a DLL Tutorial you will cover the key and fundamental concepts of thread hijacking and DLL injection.
In this how to inject a DLL tutorial you will benefit from developing a Guided Hacking injector. DLL injection is the process of writing to a process's memory and calling a remote thread function, which creates a thread in our target process. Once inside the thread you can load the DLL into memory, and then the code within the DLL will start executing.
Using advanced Windows API functions such as CreateRemoteThread(), WriteProcessMemory(), LoadLibrary(), ReadProcessMemory(), NtCreateThreadEx(), and ResumeThread() you will gain a key and fundamental understanding of memory mapping and low-level Windows architecture. Learning about low-level Windows architecture is key to becoming a great hacker and especially a great game hacker. You will learn all of this using the GH injector. Once you've made this Guided Hacking injector you can go on to even more advanced concepts in DLL injection.
In this how to inject a dll tutorial you will learn the following:
. How to create a DLL injector
. How to create and use the Guided Hacking injector
. Thread hijacking
. Manual mapping
. Elite and advanced Windows API functions
https://guidedhacking.com