Tutorial: What is DLL hijacking? A fast explanation


XdarionX

Mar 30, 2018
Game Name: N/A
Anticheat: N/A
Coding Language: C++
What you need: C++ knowledge
Hi there,
maybe you have heard about DLL hijacking at some point and want to know more about it, so you are in the right place!
Basically it's injecting a DLL without an injector lol. Every process loads some DLLs; if we know which one (it's pretty easy to find out), then you can hijack it: the process thinks it is loading the original DLL but loads yours instead. In your hacked DLL you load the original DLL and then do the internal hack. But how do you persuade the victim process to load your hacked one instead of the original? Well, that's super easy, and you only need a file manager for it, e.g. Windows Explorer. Normally DLLs are loaded from the Windows directory. But do you remember how to fix "Error ... dll is missing from your computer"? Yes! You just place your hack DLL in the same directory as your target's .exe. It works because Windows applications are designed to look for DLLs first in their own directory and only then in the system directory. This "injecting" method is good for lazy people (like me) and for processes that have no anticheat or anti-reverse protection, because this is an old exploit and common anticheats detect it easily. (It was also a popular method for malware in the 90s.)
I chose dsound.dll to hijack because it is commonly used by D3D games and only exports about 12 functions. (Your hack DLL has to export the same functions as the original DLL, and once you have loaded the original DLL you have to redirect all traffic from your exported functions to the original ones.)
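Since the post itself says this trick is old and easy to detect, here is what the detection side looks like. The following PowerShell script is an added example, not code from the original post: it scans an application directory for DLLs that carry the same name as a DLL in System32 but live outside the Windows directory (exactly the situation the search order described above creates), does the same for the modules already loaded into a running process, and reports the Authenticode status of each hit. It assumes it runs on Windows (only built-in cmdlets are used); the directory and process names in the usage lines at the end are placeholders.

```powershell
# Added example (not from the original post): audit for DLLs that shadow System32 DLLs.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Names in the usage lines are placeholders.

$script:SystemDir = [Environment]::SystemDirectory   # e.g. C:\Windows\System32

function Test-ShadowsSystemDll {
    # True when a DLL with this file name also exists in System32 but this copy lives outside %SystemRoot%.
    param([Parameter(Mandatory)][string]$Path)
    $name    = [IO.Path]::GetFileName($Path)
    $sysCopy = Join-Path $script:SystemDir $name
    if (-not (Test-Path -LiteralPath $sysCopy)) { return $false }   # not a system DLL name, nothing to shadow
    $full = [IO.Path]::GetFullPath($Path)
    return -not $full.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
}

function Find-ShadowedSystemDlls {
    # Scan an application directory (where the .exe lives) for same-named copies of System32 DLLs.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { Test-ShadowsSystemDll $_.FullName } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                SystemCopy = Join-Path $script:SystemDir $_.Name
                Signature  = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer     = $sig.SignerCertificate.Subject  # $null when unsigned
            }
        }
}

function Get-SuspiciousLoadedModules {
    # For running processes, report loaded modules that shadow a System32 DLL.
    param([string]$ProcessName = '*')
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # access denied on protected/system processes
        foreach ($m in $modules) {
            if ($m.FileName -and (Test-ShadowsSystemDll $m.FileName)) {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    Pid       = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    Signature = (Get-AuthenticodeSignature -LiteralPath $m.FileName).Status
                }
            }
        }
    }
}

# Usage (placeholder names):
# Find-ShadowedSystemDlls -Directory 'C:\Games\SomeGame'
# Get-SuspiciousLoadedModules -ProcessName 'somegame'
```

A legitimate redistributable occasionally ships a same-named DLL next to its executable, so treat a hit as something to verify rather than proof of tampering; an unsigned or hash-mismatched copy of a Microsoft DLL sitting in a game folder is the pattern an anticheat or an EDR rule would flag.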
Now paste this header:
dsound.h:
#pragma once
#include <Windows.h> //we need this

//define the original functions from original dsound.dll
typedef HRESULT(WINAPI* fn_DirectSoundCreate)(LPCGUID, LPVOID*, LPUNKNOWN);
typedef HRESULT(WINAPI* fn_DirectSoundEnumerateA)(LPVOID, LPVOID);
typedef HRESULT(WINAPI* fn_DirectSoundEnumerateW)(LPVOID, LPVOID);
typedef HRESULT(WINAPI* fn_DllCanUnloadNow)();
typedef HRESULT(WINAPI* fn_DllGetClassObject)(IID*, IID*, LPVOID*);
typedef HRESULT(WINAPI* fn_DirectSoundCaptureCreate)(LPCGUID, LPVOID*, LPUNKNOWN);
typedef HRESULT(WINAPI* fn_DirectSoundCaptureEnumerateA)(LPVOID, LPVOID);
typedef HRESULT(WINAPI* fn_DirectSoundCaptureEnumerateW)(LPVOID, LPVOID);
typedef HRESULT(WINAPI* fn_GetDeviceID)(LPCGUID, LPGUID);
typedef HRESULT(WINAPI* fn_DirectSoundFullDuplexCreate)(LPCGUID, LPCGUID, LPVOID, LPVOID, HWND, DWORD, LPVOID*, LPVOID*, LPVOID*, LPUNKNOWN);
typedef HRESULT(WINAPI* fn_DirectSoundCreate8)(LPCGUID, LPVOID*, LPUNKNOWN);
typedef HRESULT(WINAPI* fn_DirectSoundCaptureCreate8)(LPCGUID, LPVOID*, LPUNKNOWN);

//here will be stored ptrs to orig functions - used to redirect from our funcs to orig one
fn_DirectSoundCreate p_DirectSoundCreate;
fn_DirectSoundEnumerateA p_DirectSoundEnumerateA;
fn_DirectSoundEnumerateW p_DirectSoundEnumerateW;
fn_DllCanUnloadNow p_DllCanUnloadNow;
fn_DllGetClassObject p_DllGetClassObject;
fn_DirectSoundCaptureCreate p_DirectSoundCaptureCreate;
fn_DirectSoundCaptureEnumerateA p_DirectSoundCaptureEnumerateA;
fn_DirectSoundCaptureEnumerateW p_DirectSoundCaptureEnumerateW;
fn_GetDeviceID p_GetDeviceID;
fn_DirectSoundFullDuplexCreate p_DirectSoundFullDuplexCreate;
fn_DirectSoundCreate8 p_DirectSoundCreate8;
fn_DirectSoundCaptureCreate8 p_DirectSoundCaptureCreate8;

//important: if you don't do this, then most likely your process will crash
bool load_original_dsound(void) {

    char path[MAX_PATH];
    HMODULE dsound;

    if (!::GetSystemDirectoryA(path, MAX_PATH)) //obtain system directory, often C:\Windows\System32
        return false;

    ::strcat_s(path, "\\dsound.dll"); //bounded append; path is a MAX_PATH buffer
    dsound = ::LoadLibraryA(path);  //load original dsound.dll

    if (!dsound)
        return false;

    //get all procedures from original dsound.dll so we can export them as 'our'
    p_DirectSoundCreate = (fn_DirectSoundCreate)::GetProcAddress(dsound, "DirectSoundCreate");
    p_DirectSoundEnumerateA = (fn_DirectSoundEnumerateA)::GetProcAddress(dsound, "DirectSoundEnumerateA");
    p_DirectSoundEnumerateW = (fn_DirectSoundEnumerateW)::GetProcAddress(dsound, "DirectSoundEnumerateW");
    p_DllCanUnloadNow = (fn_DllCanUnloadNow)::GetProcAddress(dsound, "DllCanUnloadNow");
    p_DllGetClassObject = (fn_DllGetClassObject)::GetProcAddress(dsound, "DllGetClassObject");
    p_DirectSoundCaptureCreate = (fn_DirectSoundCaptureCreate)::GetProcAddress(dsound, "DirectSoundCaptureCreate");
    p_DirectSoundCaptureEnumerateA = (fn_DirectSoundCaptureEnumerateA)::GetProcAddress(dsound, "DirectSoundCaptureEnumerateA");
    p_DirectSoundCaptureEnumerateW = (fn_DirectSoundCaptureEnumerateW)::GetProcAddress(dsound, "DirectSoundCaptureEnumerateW");
    p_GetDeviceID = (fn_GetDeviceID)::GetProcAddress(dsound, "GetDeviceID");
    p_DirectSoundFullDuplexCreate = (fn_DirectSoundFullDuplexCreate)::GetProcAddress(dsound, "DirectSoundFullDuplexCreate");
    p_DirectSoundCreate8 = (fn_DirectSoundCreate8)::GetProcAddress(dsound, "DirectSoundCreate8");
    p_DirectSoundCaptureCreate8 = (fn_DirectSoundCaptureCreate8)::GetProcAddress(dsound, "DirectSoundCaptureCreate8");

    //just to make sure that everything went ok
    if (p_DirectSoundCreate && p_DirectSoundEnumerateA && p_DirectSoundEnumerateW && p_DllCanUnloadNow && p_DllGetClassObject && p_DirectSoundCaptureCreate
        && p_DirectSoundCaptureEnumerateA && p_DirectSoundCaptureEnumerateW && p_GetDeviceID && p_DirectSoundFullDuplexCreate && p_DirectSoundCreate8 && p_DirectSoundCaptureCreate8)
        return true;
    else
        return false;
}

//we export the same functions as the original dsound.dll, so a call to us jumps straight to the original DLL's function

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundCreate(LPCGUID pcGuidDevice, LPVOID* ppDS, LPUNKNOWN pUnkOuter) {
    return p_DirectSoundCreate(pcGuidDevice, ppDS, pUnkOuter);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundEnumerateA(LPVOID pDSEnumCallback, LPVOID pContext) {
    return p_DirectSoundEnumerateA(pDSEnumCallback, pContext);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundEnumerateW(LPVOID pDSEnumCallback, LPVOID pContext) {
    return p_DirectSoundEnumerateW(pDSEnumCallback, pContext);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DllCanUnloadNow(LPVOID pNothing) {
    //Windows.h already declares DllCanUnloadNow(void); the dummy parameter gives ours a distinct signature so it compiles, and it is simply ignored
    return p_DllCanUnloadNow();
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DllGetClassObject(IID* rclsid, IID* riid, LPVOID* ppv) {
    return p_DllGetClassObject(rclsid, riid, ppv);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundCaptureCreate(LPCGUID pcGuidDevice, LPVOID* ppDSC, LPUNKNOWN pUnkOuter) {
    return p_DirectSoundCaptureCreate(pcGuidDevice, ppDSC, pUnkOuter);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundCaptureEnumerateA(LPVOID pDSEnumCallback, LPVOID pContext) {
    return p_DirectSoundCaptureEnumerateA(pDSEnumCallback, pContext);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundCaptureEnumerateW(LPVOID pDSEnumCallback, LPVOID pContext) {
    return p_DirectSoundCaptureEnumerateW(pDSEnumCallback, pContext);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT GetDeviceID(LPCGUID pGuidSrc, LPGUID pGuidDest) {
    return p_GetDeviceID(pGuidSrc, pGuidDest);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundFullDuplexCreate(LPCGUID pcGuidCaptureDevice, LPCGUID pcGuidRenderDevice, LPVOID pcDSCBufferDesc, LPVOID pcDSBufferDesc, HWND hWnd,
    DWORD dwLevel, LPVOID* ppDSFD, LPVOID* ppDSCBuffer8, LPVOID* ppDSBuffer8, LPUNKNOWN pUnkOuter) {
    return p_DirectSoundFullDuplexCreate(pcGuidCaptureDevice, pcGuidRenderDevice, pcDSCBufferDesc, pcDSBufferDesc, hWnd, dwLevel, ppDSFD, ppDSCBuffer8, ppDSBuffer8, pUnkOuter);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundCreate8(LPCGUID pcGuidDevice, LPVOID* ppDS8, LPUNKNOWN pUnkOuter) {
    return p_DirectSoundCreate8(pcGuidDevice, ppDS8, pUnkOuter);
}

HRESULT __MIDL_DECLSPEC_DLLEXPORT DirectSoundCaptureCreate8(LPCGUID pcGuidDevice, LPVOID* ppDSC8, LPUNKNOWN pUnkOuter) {
    return p_DirectSoundCaptureCreate8(pcGuidDevice, ppDSC8, pUnkOuter);
}
How to use:
In your DllMain:
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) {

    if (dwReason != DLL_PROCESS_ATTACH) //if we arent attaching there is nothing to do
        return TRUE;

    if (!load_original_dsound()) //if this fails you are in trouble
        return FALSE;

    do_the_hack_that_you_want_to_do(); //whatever, you are now internal without injector :)
    return TRUE;
}
I hope it helped you :)