DLL Injection Methods for Game Hacking

What Is DLL Injection and Why Does It Matter?

DLL injection is the process of forcing a running process (in this case, a game) to load and execute code from a Dynamic Link Library (DLL) that wasn't originally part of the program. Once your DLL is loaded inside the game's address space, your code runs with full access to the game's memory, functions, and rendering pipeline — as if it were part of the game itself.

This is the foundation of virtually every internal game cheat. External cheats read memory from outside the process, but internal cheats (via DLL injection) are faster, more powerful, and can hook game functions directly. Understanding injection methods is essential for any cheat developer.

Method 1: CreateRemoteThread + LoadLibrary

The simplest and most commonly taught injection method. It works by creating a new thread in the target process that calls LoadLibraryA() with the path to your DLL.

How It Works

1. Open the target process with OpenProcess(PROCESS_ALL_ACCESS, ...)
2. Allocate memory in the target process using VirtualAllocEx() — enough to store the full path to your DLL.
3. Write the DLL path to the allocated memory using WriteProcessMemory().
4. Get the address of LoadLibraryA in kernel32.dll using GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"). Since kernel32.dll is loaded at the same address in all processes (due to ASLR being consistent per boot for system DLLs), this address is valid in the target process.
5. Create a remote thread using CreateRemoteThread() with the start address set to LoadLibraryA and the parameter set to the address of your DLL path string in the target's memory.
6. The remote thread executes LoadLibraryA("C:\path\to\your.dll"), which loads your DLL and calls its DllMain() entry point with DLL_PROCESS_ATTACH.

Advantages

• Simple to implement (50-100 lines of C++)
• Reliable on most Windows versions
• Great for learning and prototyping
• DLL appears in the module list, which simplifies debugging during development

Disadvantages

• Easily detected: Anti-cheats hook CreateRemoteThread, monitor LoadLibrary calls, and scan the loaded module list. Your DLL will appear in tools like Process Explorer.
• DLL file must exist on disk: The file path is written to the target process. Anti-cheats scan the disk for known cheat DLLs.
• Not suitable for any game with a serious anti-cheat (EAC, BattlEye, Vanguard, Ricochet)

Use Case

Learning, prototyping, or targeting games with no anti-cheat. Not viable for production cheats against protected games.

Method 2: Manual Mapping

Manual mapping is the go-to injection method for production cheats. Instead of using Windows' DLL loader (LoadLibrary), you manually perform every step of loading the DLL into the target process. The result: your DLL exists in the game's memory but doesn't appear in any module list because Windows doesn't know about it.

How It Works

1. Read your DLL file into a local buffer.
2. Parse the PE (Portable Executable) headers of your DLL to understand its structure: sections, imports, relocations, TLS callbacks, etc.
3. Allocate memory in the target process at the DLL's preferred base address (or any available address if the preferred one is taken).
4. Copy the PE sections (code, data, resources) to the correct offsets in the allocated memory.
5. Process relocations: If the DLL was loaded at a different base address than preferred, adjust all absolute addresses in the code and data sections. The relocation table in the PE header tells you which addresses to fix.
6. Resolve imports: Your DLL imports functions from other DLLs (kernel32, user32, etc.). For each import, find the actual function address and write it to the Import Address Table (IAT).
7. Process TLS (Thread Local Storage) callbacks if any exist.
8. Call DllMain with DLL_PROCESS_ATTACH by creating a thread at the DllMain address (or using a shellcode stub that calls it).
9. Erase the PE headers from the target's memory to prevent anti-cheats from scanning them.

Advantages

• DLL doesn't appear in the PEB (Process Environment Block) module list
• No LoadLibrary call to hook or monitor
• PE headers can be erased after loading, making memory scans harder
• DLL doesn't need to exist on disk at injection time (can be encrypted/embedded in the loader)
• Industry standard for serious cheats

Disadvantages

• Significantly more complex to implement (500-1500+ lines of C++)
• Bugs in relocation or import resolution cause hard-to-debug crashes
• Still detectable through memory scanning patterns and the thread creation needed to call DllMain
• Exception handling (SEH/VEH) requires additional setup since Windows doesn't know about your module

Implementation Tips

• Use existing open-source manual mapping libraries (like Blackbone) as reference implementations
• Test thoroughly with simple DLLs before attempting to map complex cheats
• Handle both 32-bit and 64-bit PE formats if you support multiple game architectures
• Implement proper error handling — a failed mapping should clean up allocated memory

Method 3: Thread Hijacking

Instead of creating a new thread (which anti-cheats monitor), thread hijacking takes over an existing thread in the target process and redirects its execution to your injection code.

How It Works

1. Find a suitable thread in the target process using CreateToolhelp32Snapshot and Thread32First/Next.
2. Suspend the thread using SuspendThread().
3. Get the thread context (register state) using GetThreadContext(). Save the instruction pointer (RIP on x64).
4. Write shellcode to the target process that performs your injection (either LoadLibrary or manual mapping setup).
5. Modify the instruction pointer to point to your shellcode using SetThreadContext().
6. Resume the thread using ResumeThread(). The thread now executes your shellcode.
7. Your shellcode performs the injection, then jumps back to the original instruction pointer to resume normal execution.

Advantages

• No new thread creation — avoids CreateRemoteThread detection
• Can be combined with manual mapping for a stealthier overall injection
• The hijacked thread already has a legitimate call stack

Disadvantages

• More complex than basic injection methods
• Risk of crashing the game if the thread is suspended at a bad time (e.g., holding a lock)
• Anti-cheats can monitor SuspendThread and SetThreadContext calls

Method 4: Kernel-Level Injection

For games protected by kernel-level anti-cheats, you need to inject from the kernel. This typically involves writing a kernel driver that performs the injection from ring 0, bypassing user-mode monitoring entirely.

Approaches

• Mapping memory from kernel: Use kernel APIs (ZwMapViewOfSection, MmCopyVirtualMemory) to write your DLL into the game process from kernel space.
• APC (Asynchronous Procedure Call) injection: Queue a kernel APC on a game thread that executes your loader shellcode. This runs in the context of the game process without CreateRemoteThread.
• Vulnerable driver exploitation: Use a signed but vulnerable driver (like certain older Intel or Gigabyte drivers) to gain kernel read/write access. This avoids writing your own driver (which requires signing or disabling driver signature enforcement).

Advantages

• Bypasses all user-mode anti-cheat monitoring
• Can read/write memory without using standard Windows APIs
• The injection process itself is invisible to user-mode anti-cheat components

Disadvantages

• Extremely complex — requires deep knowledge of Windows kernel internals
• Bugs cause BSODs (Blue Screen of Death), not just crashes
• Driver signing requirements (DSE) must be bypassed
• Kernel-level anti-cheats (EAC, BattlEye) also run in kernel space and can detect kernel-based injections
• Potential legal and ethical implications of exploiting driver vulnerabilities

Method 5: Reflective DLL Injection

A variation of manual mapping where the DLL contains its own loader — a special exported function that, when called, maps the rest of the DLL into memory. The injector only needs to write the DLL to target memory and call the reflective loader function.

Key Difference from Manual Mapping

In standard manual mapping, the injector does all the PE loading work externally. In reflective injection, the DLL loads itself. This means the complex PE parsing and loading code runs inside the target process, reducing the injector's complexity and the number of cross-process operations needed.

Advantages

• Fewer cross-process API calls (less detectable)
• The DLL is self-contained — easier to distribute and update
• Well-documented technique with reference implementations (Stephen Fewer's original ReflectiveDLLInjection)

Choosing the Right Method

Your choice depends on your target:

• No anti-cheat (practice/learning): CreateRemoteThread + LoadLibrary
• Basic anti-cheat: Manual mapping with header erasure
• Moderate anti-cheat (EAC/BattlEye user-mode): Manual mapping + thread hijacking
• Aggressive anti-cheat (Vanguard, kernel-level EAC/BE): Kernel-level injection via vulnerable driver or custom signed driver

Common Pitfalls

• Not handling relocations properly: Causes crashes from invalid pointers. Double-check your relocation processing code.
• Missing imports: If your DLL imports a function that isn't resolved, calling it crashes the game. Log all unresolved imports during testing.
• Memory protection: After writing code sections, set proper page protections (PAGE_EXECUTE_READ for code, PAGE_READWRITE for data). Incorrect protections cause access violations.
• Timing issues: Injecting too early (before the game is fully loaded) or too late (after the anti-cheat is initialized) causes failures. Profile the game's startup sequence to find the right injection window.
• Leaving traces: Allocated memory, modified threads, and open handles all leave evidence. Clean up after injection.

Conclusion

DLL injection is the gateway skill for internal cheat development. Start with CreateRemoteThread for learning, move to manual mapping for real projects, and tackle kernel-level injection when you're ready to bypass serious anti-cheats. Each method builds on the concepts of the previous one. Master the fundamentals — PE format, memory management, thread execution — and you'll be able to adapt to any anti-cheat challenge.