[MISC] C++ LoadLibrary DLL Injector.

I am once again bringing some C++ education to the community (for the love of god don't skid from these tutorials please actually learn and ask me questions on my discord exprssn#9999).

Last time we talked about vectored exception handlers, today we'll be talking about DLL Injectors.

A DLL Injector is exactly what it sounds like, it injects a DLL (dynamically linked library) into a process.

Once a dll is injected into a process it then has direct access to that process's memory, which is why internal cheats (when you hear someone say "internal cheat" they're saying the cheat is a dll injected into a process) are faster than external cheats, but more easily detectable.

Internal cheats are used for most cases as it is much faster than external cheats, easier to edit memory and requires less work (it may often require more work if you're planning on making a undetected dll cheat against a good anti cheat but ignore that for now)

One of the methods of DLL injecting (also the easiest) is called LoadLibrary DLL injection, it utilizes the LoadLibrary function to load our dll into memory (you may often hear people say load our module into memory) which allows our dll to execute what it's supposed to execute.

#include <iostream>
#include <Windows.h>

int main()
{

	HWND window_handle{ nullptr };
	DWORD proc_id{ 0 };
	SIZE_T read_bytes{ 0 };

	const auto dll_path = "our dll path";
	std::cout << "waiting for the window of our target.\n";

	do
	{
		window_handle = FindWindowA(nullptr, "victim");
		Sleep(250);
	} while(!window_handle);

	std::cout << "found target window.\n";
	GetWindowThreadProcessId(window_handle, &proc_id);

	const auto proc_handle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, false, proc_id);
	const auto dll_path_mem = VirtualAllocEx(proc_handle, nullptr, strlen(dll_path), MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	WriteProcessMemory(proc_handle, dll_path_mem, dll_path, strlen(dll_path), &read_bytes);
	CreateRemoteThread(proc_handle, nullptr, 0, reinterpret_cast<PTHREAD_START_ROUTINE>(&LoadLibraryA), dll_path_mem, 0, nullptr);

	CloseHandle(proc_handle);

	std::cout << "Injected into process id: " << proc_id;
	std::cin.get();
	return 0;
}

So what's happening here? In order to actually inject into a process, we need to find the process, this is done by finding the window and getting a handle to it, then getting the process id of the process that has that window, and then elevating our permissions in order to be able to allocate memory for our dll path and to write our dll path to that memory.

In order to call LoadLibrary we can't actually just call it in our code as that would load into our process not the target process. To call LoadLibrary in the target process we first need to save our dll path in the target process's memory so that we can pass it to LoadLibrary and call it, once we have done that we can then proceed to call loadlibrary using createremotethread. We use createremotethread to create a remote thread at loadlibrary's address with our dll path as an argument. 

Thank you for reading if you have any questions leave them down below.