DLL injection is a method of injecting code into some other process's address space and executing that piece of code on behalf of that process. Note that we need administrator privileges to carry out such an operation. DLL injection has gained a bad name for itself since it's mostly used by malware (remember, meterpreter can also do this?) for stealth purposes, but there is more to it than just stealth. To expand on this, I am going to quote this answer from Reverse Engineering Stack Exchange.
DLL injection can be summarized in 4 steps:
1) OpenProcess() with RWX (Read Write Execute) permissions to get a handle to the target process.
2) VirtualAllocEx() to allocate the memory required to put our DLL in. Think of this function like
3) WriteProcessMemory() to write our DLL into the allocated space.
4) This is the final step. Create a remote thread in the target process with CreateRemoteThread(), using the address of the beginning of the DLL as the entry point to execute the injected code.
Writing step by step about all of these steps would make this article too lengthy, so I am going to link some excellent write-ups on how to perform injection in detail.
With all the newly gained knowledge, I am going to hack Minesweeper by writing a simple bot to automatically play the game.
I am going to use Cheat Engine to automate the process of injecting the DLL instead of manually writing an injector, because I'm lazy. For compiling the DLL, I am going to use Visual Studio. Some familiarity with the Win32 API is assumed. Further, IDA Pro is used to reverse engineer the Minesweeper binary. I am using XP's Minesweeper. Get it from my GitHub (VirusTotal).
Let's check if we can do a quick 'Hello world'.
Compile this code to a DLL. It can easily be injected with Cheat Engine:
1) Open the target program, minesweeper.exe in this case.
2) Open the process in Cheat Engine, then from Memory View > Tools > Inject DLL. Then supply the target DLL and you should see something like
We're going to use IDA Pro to find out what functions are available in the Minesweeper binary for us to pivot on to build the bot. Open minesweeper.exe in IDA Pro and then click Functions to see the list of functions.
You can study what these functions do by setting breakpoints on them and then playing the game to see when they are triggered. I studied one function called StepSquare(x,x), located at address 0x1003512. It takes two parameters and jumps to the square provided in its arguments. This function will be used to step our bot throughout its execution.
Now that we know how to step forward in the game, we need to know where the actual bombs are located, so we can avoid stepping on them and complete the game.
Let's start by fixing the height and width to check where they are located in memory.
In Minesweeper choose some game size, say 17x19, from Game > Custom and then open the process in Cheat Engine.
Searching for 17 in the game's memory from Cheat Engine gives us some addresses.
Changing the height to 11 and searching again, we can see how the values change from 17 to 11; now we are sure that the height is located at address 0x1005338.
Similarly we can find the width, and it was at 0x1005334 in my case.
Now let's check the memory at the addresses where width and height are located. After some observation and some trial & error, I noticed something near these memory addresses.
Notice the highlighted memory space.
The memory locations which store bomb or no bomb start at 0x0015341. You can see how the values change when I click the first tile:
These are the memory locations which store whether a bomb is located at a particular tile. 0F means no bomb while 8F means bomb.
Coding the bot is simple enough: we just need to travel down the tile array and skip a tile if it contains a bomb. For travelling we're going to use StepSquare(x,x). You can read here in detail how to call a function by its address.
and isBomb() can be defined as
You can see full source of the program here on Github
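The tile walk described above, as an added example (my code, not the post's nor its GitHub source): `is_bomb` applies the 0F/8F rule, `sweep_board` calls a `StepSquare`-shaped function pointer on every safe tile, and a constructed 4x3 board stands in for live memory so it runs anywhere. In the injected DLL, `tiles`, `width` and `height` would point at the addresses found above and `step` would be `(step_square_fn)0x1003512`; the calling convention and the row stride are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Tile byte values as observed in the post: 0F = no bomb, 8F = bomb. */
#define TILE_SAFE 0x0F
#define TILE_BOMB 0x8F

/* Shape of StepSquare(x, y) once cast from its address (calling convention assumed). */
typedef void (*step_square_fn)(int x, int y);

struct board {
    const uint8_t *tiles; /* first tile byte (0x0015341 in the post) */
    int width;            /* read from 0x1005334 in the post */
    int height;           /* read from 0x1005338 in the post */
    size_t row_stride;    /* assumption: bytes from one row to the next */
};

/* isBomb() from the post: true when the tile byte carries the bomb marker. */
int is_bomb(const struct board *b, int x, int y) {
    return b->tiles[(size_t)y * b->row_stride + (size_t)x] == TILE_BOMB;
}

/* Walk every tile and step only on the safe ones; returns how many were stepped. */
int sweep_board(const struct board *b, step_square_fn step) {
    int stepped = 0;
    for (int y = 0; y < b->height; y++)
        for (int x = 0; x < b->width; x++)
            if (!is_bomb(b, x, y)) { step(x, y); stepped++; }
    return stepped;
}

/* Constructed 4x3 board, row stride 8, three bombs; replaces live game memory here. */
static const uint8_t demo_tiles[3 * 8] = {
    0x0F, 0x8F, 0x0F, 0x0F, 0, 0, 0, 0,
    0x0F, 0x0F, 0x8F, 0x0F, 0, 0, 0, 0,
    0x8F, 0x0F, 0x0F, 0x0F, 0, 0, 0, 0,
};
const struct board demo_board = { demo_tiles, 4, 3, 8 };

/* Stand-in for the real StepSquare: counts any step that lands on a bomb. */
int steps_on_bombs = 0;
static void fake_step_square(int x, int y) {
    if (is_bomb(&demo_board, x, y)) steps_on_bombs++;
}

/* Sweeps the constructed board; 12 tiles minus 3 bombs gives 9 steps. */
int run_demo(void) { return sweep_board(&demo_board, fake_step_square); }
```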
Testing is similar to the way we tested our 'Hello world' DLL; on injecting this DLL we get
You can try making a DLL injector yourself instead of relying on Cheat Engine for it. It's not hard and fairly easy to implement.
You can try to make hacks for other games, maybe Counter-Strike 1.6? Global Offensive? The only bottleneck with modern games is that they come with cheat protection, so it's not as easy as this to make cheats.