This is an injector that abuses the implementation of certain features of the Windows operating system to make your DLL, and the injection itself, hard to detect by anti-cheats. It maps your image in a way that makes its memory pages invisible to the Windows APIs and not debuggable from user mode, and it executes the image without creating a thread or interfering with the execution of an existing one.
It does not require a session with DSE/PatchGuard disabled, a kernel driver that stays resident after initialization, or a handle to the target process. Implementation details and source code can be found both below and on my blog: blog.can.ac/2018/05/02/makin…ation-and-cow/.
It still has a few detection vectors, but it is very simple to turn this into an excellent project once you understand how it works.
pInjector.exe ProcessName.exe "dll path" (flags if appropriate)
NoLoadLib – Uses GetModuleHandleA instead of LoadLibraryA
WaitKey – Waits for the F2 key before injecting, instead of injecting as soon as the process launches
Not supported:
– SEH (and it cannot be supported either, since Windows does not treat this memory region as a valid one)
– Import mapping
– Any other cancerous PE details
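A payload written for these constraints cannot count on a loader to fix up its import table or to run SEH handlers, so the practical answer is a DLL that resolves what it needs by itself. The following is an added example, not pInjector's own code: it locates kernel32.dll through the PEB loader list and walks its export directory by hand to find GetProcAddress and LoadLibraryA, after which everything else can be resolved normally. The x64 PEB/LDR_DATA_TABLE_ENTRY offsets, the DllMain entry point, the assumption that the injector transfers control to the DLL's entry point, and the constructed build_sample_image test image are all mine; the portable part (find_export) builds anywhere, the Windows-only part is compiled under _WIN32.

```c
/* Added example (not pInjector's code): a payload DLL that resolves its own imports.
 * Assumptions: x64 Windows, the injector runs the DLL's entry point, no CRT linked in. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint32_t rd16(const uint8_t *p, size_t off) { return p[off] | ((uint32_t)p[off + 1] << 8); }
static uint32_t rd32(const uint8_t *p, size_t off) { return rd16(p, off) | (rd16(p, off + 2) << 16); }

/* Look up a named export in an image mapped at `base` (RVAs are relative to base).
 * Returns NULL if the name is absent or the export is a forwarder (forwarders need a second lookup). */
const void *find_export(const uint8_t *base, const char *name)
{
    if (rd16(base, 0) != 0x5A4D) return NULL;                    /* "MZ" */
    uint32_t nt = rd32(base, 0x3C);                               /* e_lfanew */
    if (rd32(base, nt) != 0x00004550) return NULL;                /* "PE\0\0" */
    uint32_t opt = nt + 24;                                       /* OptionalHeader follows the 20-byte FileHeader */
    int pe64 = rd16(base, opt) == 0x20B;
    if (rd32(base, opt + (pe64 ? 108 : 92)) == 0) return NULL;    /* NumberOfRvaAndSizes */
    uint32_t dir = opt + (pe64 ? 112 : 96);                       /* DataDirectory[0]: export table */
    uint32_t exp_rva = rd32(base, dir), exp_size = rd32(base, dir + 4);
    if (exp_rva == 0 || exp_size == 0) return NULL;
    uint32_t n_names = rd32(base, exp_rva + 24);
    uint32_t funcs = rd32(base, exp_rva + 28), names = rd32(base, exp_rva + 32), ords = rd32(base, exp_rva + 36);
    for (uint32_t i = 0; i < n_names; i++) {
        if (strcmp((const char *)base + rd32(base, names + 4 * i), name) != 0) continue;
        uint32_t fn = rd32(base, funcs + 4 * rd16(base, ords + 2 * i));
        if (fn >= exp_rva && fn < exp_rva + exp_size) return NULL;   /* RVA points at a forwarder string */
        return base + fn;
    }
    return NULL;
}

/* Constructed test image (not a real DLL): a minimal PE32+ header plus an export directory with
 * two real exports and one forwarder, so find_export can be exercised without a live kernel32. */
static uint8_t sample_image[0x400];
static void wr16(uint8_t *p, size_t off, uint32_t v) { p[off] = v & 0xFF; p[off + 1] = (v >> 8) & 0xFF; }
static void wr32(uint8_t *p, size_t off, uint32_t v) { wr16(p, off, v & 0xFFFF); wr16(p, off + 2, v >> 16); }

const uint8_t *build_sample_image(void)
{
    uint8_t *p = sample_image;
    memset(p, 0, sizeof sample_image);
    wr16(p, 0x00, 0x5A4D); wr32(p, 0x3C, 0x80);                          /* MZ, e_lfanew */
    wr32(p, 0x80, 0x4550); wr16(p, 0x98, 0x20B);                         /* PE signature, PE32+ magic */
    wr32(p, 0x98 + 108, 16);                                             /* NumberOfRvaAndSizes */
    wr32(p, 0x98 + 112, 0x200); wr32(p, 0x98 + 116, 0x100);              /* export directory RVA, size */
    wr32(p, 0x214, 3); wr32(p, 0x218, 3);                                /* NumberOfFunctions, NumberOfNames */
    wr32(p, 0x21C, 0x240); wr32(p, 0x220, 0x250); wr32(p, 0x224, 0x260); /* function, name, ordinal tables */
    wr32(p, 0x240, 0x300); wr32(p, 0x244, 0x310); wr32(p, 0x248, 0x270); /* 0x270 is inside the directory: forwarder */
    wr32(p, 0x250, 0x2B0); wr32(p, 0x254, 0x280); wr32(p, 0x258, 0x2A0); /* name RVAs, sorted as the format requires */
    wr16(p, 0x260, 2); wr16(p, 0x262, 0); wr16(p, 0x264, 1);             /* name index -> function index */
    memcpy(p + 0x270, "NTDLL.RtlFoo", 13);
    memcpy(p + 0x280, "GetProcAddress", 15);
    memcpy(p + 0x2A0, "LoadLibraryA", 13);
    memcpy(p + 0x2B0, "Forwarded", 10);
    return p;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
/* Find kernel32.dll through the PEB loader list. Offsets are the x64 ones: PEB.Ldr = 0x18,
 * PEB_LDR_DATA.InMemoryOrderModuleList = 0x20; each link sits at LDR_DATA_TABLE_ENTRY+0x10,
 * so DllBase (entry+0x30) is link+0x20 and BaseDllName (entry+0x58) is link+0x48. */
static const uint8_t *kernel32_base(void)
{
    const uint8_t *peb = (const uint8_t *)__readgsqword(0x60);
    const uint8_t *head = *(const uint8_t **)(peb + 0x18) + 0x20;
    static const char want[] = "kernel32.dll";
    for (const uint8_t *e = *(const uint8_t **)head; e != head; e = *(const uint8_t **)e) {
        const uint16_t *nm = *(const uint16_t **)(e + 0x50);                   /* BaseDllName.Buffer */
        size_t k = 0;
        if (*(const uint16_t *)(e + 0x48) != 2 * (sizeof want - 1)) continue;  /* BaseDllName.Length */
        while (k < sizeof want - 1 && (nm[k] | 0x20) == (uint16_t)want[k]) k++; /* ASCII case-fold compare */
        if (k == sizeof want - 1) return *(const uint8_t **)(e + 0x20);        /* DllBase */
    }
    return NULL;
}

typedef FARPROC (WINAPI *GetProcAddress_t)(HMODULE, LPCSTR);
typedef HMODULE (WINAPI *LoadLibraryA_t)(LPCSTR);
typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

/* Entry point: everything is resolved at runtime, so the DLL can be linked with /NODEFAULTLIB and
 * /ENTRY:DllMain, leaving it with an empty import table and no CRT code that depends on SEH. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    (void)inst; (void)reserved;
    if (reason != DLL_PROCESS_ATTACH) return TRUE;
    const uint8_t *k32 = kernel32_base();
    if (!k32) return FALSE;
    GetProcAddress_t gpa = (GetProcAddress_t)find_export(k32, "GetProcAddress");
    LoadLibraryA_t ll = (LoadLibraryA_t)find_export(k32, "LoadLibraryA");
    if (!gpa || !ll) return FALSE;
    MessageBoxA_t mb = (MessageBoxA_t)gpa(ll("user32.dll"), "MessageBoxA");
    if (mb) mb(NULL, "payload running without an import table", "example payload", MB_OK);
    return TRUE;
}
#endif
```

find_export deliberately refuses forwarded exports rather than following them: a forwarder string such as NTDLL.RtlFoo names another module, and a payload with no loader support would have to locate that module and repeat the lookup. The two kernel32 functions the payload needs are not forwarders on the Windows versions the README names, which is why resolving just those two and delegating the rest to GetProcAddress keeps the hand-written part small.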
I have only tested it on Windows 7 and Windows 10. When the target process dies or the injection fails, press F1 to abort the injection instead of closing pInjector directly: if it is not shut down properly after the waiting-for-threads phase, it leaves a permanent mark on the current session's kernel32.