How to inject DLL from memory stream WITHOUT manual mapping (question)

  1. #1 TheNoobie

    Well, the title pretty much says it all. I'm looking for a method of injecting a DLL directly from a memory stream into a remote process WITHOUT using manual mapping. I have decided to stop using manual mapping for a variety of reasons and I'm looking for an equally safe alternative. Please move this if it's not in the right location; I think it may be better suited to the programming section.

  2. #2 TheNoobie
    Just to be clear, in case it confuses anyone: it doesn't really matter whether or not it's from a memory stream. The point is I want to be able to take an array of bytes and inject it into a remote process in a similar way to manual mapping, but with a different method. I get the weirdest bugs with manual mapping, such as crashes when linking certain libraries, a C Runtime error when using strings, memory leaks, and many other random crashes/bugs. I tried heavily modifying Darawk's code, but I am just not skilled enough with C++ Windows programming to create a bug-free, nearly perfect version of manual mapping at the moment. I seriously doubt that anyone will have an answer to my question, as I've searched long and hard for a solution, but I figure it's worth a shot asking the MMOwned community.

  3. #3 Cypher
    Manual mapping is the process of loading a DLL without using the Windows PE loader. That is, you have to do everything yourself, and if you're (as you say) not an expert you're unlikely to be able to do it correctly. Heck, even when you're an expert it's still very hard to get it 100% right.

    I'm a little confused by your question though. You say you want to inject directly from a byte array in memory, but that you DON'T want to manually map. If you want to use the Windows PE loader then you need to write your data out to disk, then call LoadLibrary. If you DON'T want to use the Windows PE loader then your only option is to manually map!

    Perhaps I'm missing your point, but your question seems to answer itself.

    P.S. I have written a much more stable and powerful manual mapper than the original version Darawk wrote, but it's currently unmaintained. You can dig it up from Misc/Backups in HadesMem if you wish though; it shouldn't be too hard to update/port. There are still quite a few issues with my implementation, but at least you can use exceptions, the STL, the C runtime, floating point code, TLS, etc. without it crashing and burning.

  4. #4 TheNoobie
    Thank you very much, Cypher, that is a huge help. I was already pretty sure the only way to do what I was talking about would be to manually map, but given the fact that I am fairly new to Windows programming I thought I would ask if there was a more reliable method. I am glad that I did though; thanks a lot for that. It looks like you truly put a lot of time into it.

  5. #5 Cypher
    Once I finish my rewrite of the rest of HadesMem I'm going to have another attempt at a manual mapper; there are more bugs I want to fix and more features I want to support. Eventually I'd like to get it to the point where a manually mapped DLL is nearly indistinguishable from one loaded by the PE loader, but I think that's a long way off, at least for the time being.

    I need to reverse engineer the exception dispatching mechanism under x64, as well as the more obscure/undocumented parts of the PE loader to try and emulate some of its 'quirks'.
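
The distinction Cypher draws in #3 and #5 (PE loader via LoadLibrary versus a manual map that bypasses it) is exactly what a defender can check for: a DLL the loader mapped from disk lives in MEM_IMAGE regions, while a manually mapped one has no file backing and ends up as executable MEM_PRIVATE memory. The following script is an added example, not code from the thread or from HadesMem; it assumes a 64-bit PowerShell session and a process ID you are allowed to open.

```powershell
# Added example (not from the thread): list committed, executable memory regions in a
# process that are MEM_PRIVATE rather than MEM_IMAGE. Modules loaded by the Windows PE
# loader (LoadLibrary) are MEM_IMAGE and backed by the DLL on disk; a manually mapped
# DLL never goes through the loader, so its code shows up in this list instead.
param([Parameter(Mandatory)][int]$ProcessId)

Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress; public IntPtr AllocationBase;
    public uint AllocationProtect; public IntPtr RegionSize;
    public uint State; public uint Protect; public uint Type;
}
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern int VirtualQueryEx(IntPtr h, IntPtr addr,
    out MEMORY_BASIC_INFORMATION mbi, int len);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
$MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
$ExecProtect = 0x10, 0x20, 0x40, 0x80

$h = [Win32.Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) {
    throw "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

$mbi  = New-Object -TypeName 'Win32.Mem+MEMORY_BASIC_INFORMATION'
$size = [Runtime.InteropServices.Marshal]::SizeOf([type]'Win32.Mem+MEMORY_BASIC_INFORMATION')
$addr = [IntPtr]::Zero
$findings = @()
# Walk the address space region by region; VirtualQueryEx returns 0 past the last region.
while ([Win32.Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -eq $size) {
    $prot = $mbi.Protect -band 0xFF   # strip PAGE_GUARD / PAGE_NOCACHE modifier bits
    if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and $ExecProtect -contains $prot) {
        $findings += [pscustomobject]@{
            Base    = ('0x{0:X}' -f $mbi.BaseAddress.ToInt64())
            Size    = $mbi.RegionSize.ToInt64()
            Protect = ('0x{0:X}' -f $prot)
        }
    }
    $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64())
}
[void][Win32.Mem]::CloseHandle($h)
$findings | Format-Table -AutoSize
```

Executable private memory is also produced legitimately by JIT compilers (.NET, JavaScript engines) and some packers, so a hit is a lead to triage, not proof of a manual map; the absence of any such region is the stronger signal that everything in the process went through the loader.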
