Undetected Dll Injector
An undetected injector is not a magical piece of code—it is an injector that operates below the detection thresholds of current security products. Achieving this requires four layers of stealth: static evasion, dynamic evasion, bypassing user-mode hooks, and kernel-land stealth.
The use case defines the legality and ethics of the tool.
Disclaimer: This is for educational purposes only. Do not use this to violate game terms or laws.
A bare-minimum undetected injector using direct syscalls would follow this pseudo-logic:
```c
// 1. Obtain the SSN (System Service Number) for NtCreateThreadEx at runtime,
//    because SSNs differ between Windows builds.
// 2. Define the syscall function prototype
typedef NTSTATUS(NTAPI* pNtCreateThreadEx)(
    PHANDLE            ThreadHandle,
    ACCESS_MASK        DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    HANDLE             ProcessHandle,
    PVOID              StartRoutine,      // Points to LoadLibraryA
    PVOID              Argument,          // Path to DLL
    ULONG              CreateFlags,
    SIZE_T             ZeroBits,
    SIZE_T             StackSize,
    SIZE_T             MaximumStackSize,
    PPS_ATTRIBUTE_LIST AttributeList
);
// 3. Invoke the syscall manually instead of calling through ntdll.dll.
//    This requires assembly stubs that move the SSN into EAX and emit 'syscall'.
// 4. Allocate memory in the target process using NtAllocateVirtualMemory (syscall)
// 5. Write the DLL path into that memory (NtWriteVirtualMemory, syscall)
// 6. Call NtCreateThreadEx (via syscall) with StartRoutine set to the real LoadLibraryA address
```
Even this can be detected by kernel-mode callbacks (thread-creation and handle-operation notify routines, for example) that don't rely on user-mode hooks, which is why professional solutions use advanced techniques such as hardware breakpoints (to bypass inline hooks without patching code) or VT-x virtualization (to run the injector outside the monitored operating system).
Most AV and EDR products hook the native API functions exported by ntdll.dll. When your injector calls kernel32!CreateRemoteThread, the call ends up in ntdll!NtCreateThreadEx, whose first bytes the product has overwritten with a jmp instruction into its inspection engine.
To bypass this, an undetected injector does not call the Windows API. Instead, it hand-crafts the necessary syscall instructions (syscall on x64, sysenter on x86) with the correct system service numbers (SSNs). By invoking the kernel directly from user-mode, the injector skips the AV’s user-mode hooks entirely. This is known as direct system call invocation or manual syscalls.
In the shadowy corridors of software exploitation and game modification, few tools carry as much weight—or as much risk—as the Undetected DLL Injector. The term itself elicits a specific reaction depending on who you are: a malware analyst sees a red flag, a reverse engineer sees a necessary tool, and a gamer sees a path to victory (or a ban).
But what does "undetected" truly mean in this context? Is it a mythical grail of hacking, or a legitimate tool for software testing? This article peels back the layers of process injection, detection evasion, and the cat-and-mouse game between injector developers and security software.
Here is the critical nuance: No DLL injector remains undetected forever.
The security industry and anti-cheat developers operate on a continuous loop: a new evasion technique appears, it is analysed and signatured, the injector is updated to slip past the new check, and the cycle starts again.
This means maintaining a truly "undetected" injector is a full-time arms race requiring deep knowledge of Windows internals, reverse engineering, and frequent updates.
Authorized penetration testers employ undetected injection to simulate real adversaries. Tools like Cobalt Strike's inject command, when combined with syscall-only execution, can slip past the user-mode hooks of mature EDRs; kernel callbacks and kernel-side telemetry still see the resulting thread, so this evades one detection layer rather than the product as a whole.