steful Posted March 18, 2018

Manually mapping a DLL into memory basically emulates everything that LoadLibrary() does: it handles the section relocation, relative offsets and import resolving. This will bypass any detection based on hooking LoadLibrary or LdrLoadDLL. It also bypasses module detection via walking the module list in the Process Environment Block and PE header detection, because we don't bother mapping the header into memory. Manually mapping is very helpful for bypassing anticheat detection, but it is only one part of the solution.
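From the detection side, the checks named in the post above (loader hooks, the PEB module list, PE headers) all miss executable memory that no listed module accounts for. The following is an added example, not part of the original post: it triages a memory-region listing for that condition, assuming the mapped code sits in a private (VirtualAlloc-style) allocation. The region records and module list are constructed sample data shaped like `MEMORY_BASIC_INFORMATION` fields; `region` and `unbacked_executable` are hypothetical helper names.

```python
# Constants from winnt.h
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
# PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PAGE_EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
KINDS = {MEM_PRIVATE: "private", MEM_IMAGE: "unlisted-image"}

def region(alloc_base, base, size, rtype, protect, state=MEM_COMMIT):
    """One memory region record (hypothetical helper for the sample data)."""
    return {"alloc_base": alloc_base, "base": base, "size": size,
            "type": rtype, "protect": protect, "state": state}

def in_listed_module(addr, modules):
    """True if addr falls inside a module reported by the loader's list."""
    return any(base <= addr < base + size for base, size in modules)

def unbacked_executable(regions, modules):
    """Group committed executable regions not explained by a listed module.

    Returns {allocation_base: {"kind": ..., "exec_bytes": ...}}.
    """
    hits = {}
    for r in regions:
        if r["state"] != MEM_COMMIT or not (r["protect"] & PAGE_EXEC_MASK):
            continue  # not committed, or not executable
        if r["type"] == MEM_IMAGE and in_listed_module(r["base"], modules):
            continue  # normal case: image section of a loader-known module
        kind = KINDS.get(r["type"], "mapped")
        hit = hits.setdefault(r["alloc_base"], {"kind": kind, "exec_bytes": 0})
        hit["exec_bytes"] += r["size"]
    return hits

# Constructed sample: two loader-known modules, one heap block, and one
# private allocation with executable pages and no PE header page.
MODULES = [(0x140000000, 0x5000), (0x7FFA00000000, 0x1F0000)]
REGIONS = [
    region(0x140000000, 0x140000000, 0x1000, MEM_IMAGE, 0x02),
    region(0x140000000, 0x140001000, 0x3000, MEM_IMAGE, 0x20),
    region(0x1F0000000, 0x1F0000000, 0x1000, MEM_PRIVATE, 0x04),
    region(0x1F0000000, 0x1F0001000, 0x3000, MEM_PRIVATE, 0x20),
    region(0x1F0000000, 0x1F0004000, 0x1000, MEM_PRIVATE, 0x40),
    region(0x1F0000000, 0x1F0005000, 0x2000, MEM_PRIVATE, 0x04),
    region(0x2A0000000, 0x2A0000000, 0x10000, MEM_PRIVATE, 0x04),
    region(0x7FFA00000000, 0x7FFA00001000, 0x120000, MEM_IMAGE, 0x20),
]

if __name__ == "__main__":
    for alloc, hit in unbacked_executable(REGIONS, MODULES).items():
        print(f"{alloc:#x}: {hit['kind']}, {hit['exec_bytes']:#x} executable bytes")
```

JIT runtimes also create private executable memory, so a hit here is a triage signal to correlate with other evidence rather than a verdict.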