
Manual Map Injection: How Cheats Hide from Anti-Cheat

February 19, 2026

🔧 What Is Manual Map Injection?

Manual map injection is the most common technique used by modern game cheats to load code into a game process without detection. Unlike standard DLL injection (LoadLibrary), manual mapping copies a DLL into memory manually, resolves its imports, and executes it, all without registering it in any Windows data structures that anti-cheat systems check.

📚 How Normal DLL Loading Works

When a process calls LoadLibrary("cheat.dll"), the Windows loader performs these steps:

  1. Opens the file from disk and reads PE (Portable Executable) headers
  2. Allocates memory in the target process at the preferred base address
  3. Copies sections (.text, .data, .rdata) to correct memory locations
  4. Processes relocations if the DLL couldn't load at preferred address
  5. Resolves imports: links function calls to correct addresses
  6. Calls DllMain with DLL_PROCESS_ATTACH
  7. Registers the DLL in the PEB (Process Environment Block) module list

Step 7 is the killer. The PEB's module lists contain entries for every legitimately loaded DLL. Anti-cheats enumerate these lists. A cheat DLL appearing here is immediately detected.

πŸ—ΊοΈ How Manual Mapping Differs

Manual mapping performs steps 1-6 manually and completely skips step 7. The DLL runs in memory but doesn't appear in any tracking structures.

Step-by-Step Process

  1. Read the PE file: Parse DOS header, NT headers, section headers, and data directories from the DLL file or encrypted buffer.
  2. Allocate memory: Using VirtualAllocEx (or NtAllocateVirtualMemory for stealth), allocate memory in the game process with PAGE_EXECUTE_READWRITE.
  3. Copy PE sections: Each section (.text, .data, .rdata, .rsrc) is copied to its correct relative offset using WriteProcessMemory.
  4. Process base relocations: Adjust addresses by the delta between preferred and actual base. Simple pointer arithmetic for each relocation entry.
  5. Resolve imports: Walk export tables of already-loaded system DLLs to find each imported function address.
  6. Handle TLS callbacks: Initialize Thread Local Storage data if the DLL uses it.
  7. Call the entry point: Create a remote thread (or hijack an existing one) to call DllMain with DLL_PROCESS_ATTACH.
  8. Clean up headers: Zero out PE headers to prevent memory scanners from finding them.


πŸ›‘οΈ Anti-Cheat Countermeasures

Memory Region Scanning

Anti-cheats scan for suspicious allocations: large PAGE_EXECUTE_READWRITE blocks not corresponding to known modules. Counter: Set proper page permissions after mapping and match expected allocation patterns.

Thread Start Address Verification

New thread start addresses should point inside legitimate modules. Counter: Thread hijacking (suspend an existing game thread, modify its context to run cheat init, resume). No new thread is created.
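The two checks above (memory region scanning and thread start address verification), written as detection logic; this is an added example, not code from the original page. It audits a constructed process snapshot and flags executable memory that is not image-backed by a listed module, including regions whose permissions were lowered from RWX to RX. The `Region` fields mirror `MEMORY_BASIC_INFORMATION`; the addresses, module list and thread IDs are constructed sample data.

```python
from dataclasses import dataclass

# Real Windows constants (winnt.h); all addresses below are constructed.
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80   # every PAGE_EXECUTE* protection

@dataclass
class Region:            # mirrors MEMORY_BASIC_INFORMATION fields
    base: int
    size: int
    protect: int
    type: int

def in_any(addr, ranges):
    """True if addr falls inside one of the (base, size) ranges."""
    return any(lo <= addr < lo + size for lo, size in ranges)

def audit(regions, modules, thread_starts):
    """Flag executable regions and thread start addresses that no module backs.
    modules: (base, size) pairs from the loader's module list.
    thread_starts: {thread id: start address}."""
    findings = []
    for r in regions:
        if not r.protect & EXEC_MASK:
            continue                      # non-executable data is out of scope
        if r.type == MEM_IMAGE and in_any(r.base, modules):
            continue                      # code of a registered module
        # RX private memory is still reported: lowering RWX to RX does not
        # make the region image-backed.
        sev = "high" if r.protect & PAGE_EXECUTE_READWRITE else "medium"
        findings.append(("unbacked-exec", r.base, sev))
    for tid, start in sorted(thread_starts.items()):
        if not in_any(start, modules):
            findings.append(("thread-outside-module", tid, "high"))
    return findings

# Constructed snapshot of one process
MODULES = [(0x7FF600000000, 0x200000), (0x7FFA10000000, 0x1F0000)]
REGIONS = [
    Region(0x7FF600001000, 0x150000, PAGE_EXECUTE_READ, MEM_IMAGE),      # module code
    Region(0x1A000000000, 0x40000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # RWX private
    Region(0x1B000000000, 0x30000, PAGE_EXECUTE_READ, MEM_PRIVATE),       # RX private
    Region(0x1C000000000, 0x10000, PAGE_READWRITE, MEM_PRIVATE),          # plain heap
]
THREADS = {100: 0x7FF600012340, 101: 0x1B000001000}

if __name__ == "__main__":
    for finding in audit(REGIONS, MODULES, THREADS):
        print(finding)
```

Legitimate JIT engines also allocate private executable memory, so these findings need an allow-list in practice. The thread check covers only newly created threads, since a hijacked thread keeps its original start address.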

API Hook Detection

Anti-cheats hook VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx. Counter: Direct syscalls, which invoke NT syscall instructions directly, bypassing user-mode hooks.

PE Header Scanning

Even with headers zeroed, anti-cheats scan for PE artifacts. Counter: Complete header destruction and section shuffling.

🔬 Advanced Techniques

Kernel-Mode Manual Mapping

The entire manual map is performed from ring 0 using a vulnerable signed driver. User-mode anti-cheat cannot monitor kernel memory APIs.

Memory-Only Loading

No disk artifact: the cheat is downloaded encrypted from a remote server, embedded encrypted in the loader, or streamed section-by-section. This eliminates disk-based scanning.

Reflective DLL Injection

The DLL contains its own loader code and maps itself from a tiny shellcode bootstrap stub.

Module Stomping / DLL Hollowing

  1. Load a legitimate DLL roughly the same size as the cheat
  2. Overwrite its code sections with cheat code
  3. The cheat lives in memory registered to a legitimate module

Extremely stealthy: a PEB entry exists pointing to a real module name. Anti-cheat must compare in-memory code against the on-disk file to detect this.
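The in-memory versus on-disk comparison mentioned above, as an added example that is not from the original page. A byte-for-byte comparison raises false alarms on every page the loader relocated, so the check applies the same base relocations to the file copy before comparing page by page. The section bytes, base addresses and relocation offsets are constructed, and the offsets are assumed to be 64-bit (DIR64) entries given relative to the section start.

```python
import struct

def rebase(disk_code, reloc_offsets, preferred_base, actual_base):
    """Apply 64-bit base relocations to on-disk section bytes, giving the bytes
    the loader would have placed in memory at actual_base."""
    delta = actual_base - preferred_base
    buf = bytearray(disk_code)
    for off in reloc_offsets:
        (value,) = struct.unpack_from("<Q", buf, off)
        struct.pack_into("<Q", buf, off, (value + delta) & 0xFFFFFFFFFFFFFFFF)
    return bytes(buf)

def modified_pages(disk_code, mem_code, reloc_offsets,
                   preferred_base, actual_base, page=0x1000):
    """Return offsets of pages whose in-memory bytes differ from the rebased file."""
    if len(disk_code) != len(mem_code):
        raise ValueError("section length mismatch")
    expected = rebase(disk_code, reloc_offsets, preferred_base, actual_base)
    return [off for off in range(0, len(expected), page)
            if expected[off:off + page] != mem_code[off:off + page]]

# --- Constructed sample: a 3-page code section holding two absolute pointers ---
PREFERRED, ACTUAL = 0x180000000, 0x7FFA10000000
_disk = bytearray(b"\x90" * 0x3000)
struct.pack_into("<Q", _disk, 0x10, PREFERRED + 0x2040)
struct.pack_into("<Q", _disk, 0x1008, PREFERRED + 0x2100)
DISK = bytes(_disk)
RELOCS = [0x10, 0x1008]   # a real check reads these from the base relocation directory

CLEAN_MEM = rebase(DISK, RELOCS, PREFERRED, ACTUAL)    # untouched, loader-relocated copy
STOMPED_MEM = CLEAN_MEM[:0x2000] + b"\xCC" * 0x1000    # last page overwritten

if __name__ == "__main__":
    # Ignoring relocations flags two clean pages; the rebased check flags none.
    print("naive :", [hex(p) for p in modified_pages(DISK, CLEAN_MEM, [], PREFERRED, ACTUAL)])
    print("clean :", modified_pages(DISK, CLEAN_MEM, RELOCS, PREFERRED, ACTUAL))
    print("stomp :", [hex(p) for p in modified_pages(DISK, STOMPED_MEM, RELOCS, PREFERRED, ACTUAL)])
```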

⚠️ Common Failures

  • Missing import resolution: Crashes when calling unfound functions
  • Relocation errors: Random crashes from invalid pointers
  • TLS not handled: Crashes with thread_local variables
  • Exception handling broken: SEH/C++ exceptions fail without OS registration
  • Security cookie failures: MSVC /GS protection requires cookie initialization


Manual map injection remains the backbone of modern cheat loading. The quality of the loader is often just as important as the cheat itself.
