Well, that's the question. How injectors like ENB work?
I've seen quite a few, the popular ENBSeries and a few injectors for Skyrim:
One that replaced some functions with ones optimized in ASM (later got ported to C and extended in Skyboost) Others that added scripting functionality, more graphical "enhancers" like FXAA Injector, SMAA Injector, etc.
The only thing I can think of is to track where exe is allocated in memory and do some hackery to point to another subrutine that contains the code to be injected. It sounds awfully low level though (ie, manipulating actual ram adresses and machine code stored in ram).
How do injectors work?
If I understand correctly what ENB injector does, it's only just injecting a DLL (some kind of D9D wrapper?) into another process' address space.
That can be done rather easily, for example by installing a global hook procedure (from which you load that DLL) or using [font=courier new,courier,monospace]CreateRemoteThread[/font] or simply by either setting the AppInit_DLLs key in the registry or by placing a wrapper DLL into the executable's directory.
All that assumes proper access rights of course, but this is usually the case, given that you own, and have physical access to your computer. Reading and writing another process' memory as you've suggested in your last paragraph is of course possible too, if you have proper access right (running a mini-debugger is a certain way of having rights). Oh, speaking of mini-debugger... a debugger is notified of every DLL being loaded or unloaded. You can probably use that to trivially exchange (or inject) DLLs too.
Now of course, doing it and doing it without triggering an anti-exploit mechanism may be slightly different things (you have to assume that the developers of a game title are not complete idiots and know all the obvious tricks too). Also, doing it and doing it without breaking the law are again different things.
That can be done rather easily, for example by installing a global hook procedure (from which you load that DLL) or using [font=courier new,courier,monospace]CreateRemoteThread[/font] or simply by either setting the AppInit_DLLs key in the registry or by placing a wrapper DLL into the executable's directory.
All that assumes proper access rights of course, but this is usually the case, given that you own, and have physical access to your computer. Reading and writing another process' memory as you've suggested in your last paragraph is of course possible too, if you have proper access right (running a mini-debugger is a certain way of having rights). Oh, speaking of mini-debugger... a debugger is notified of every DLL being loaded or unloaded. You can probably use that to trivially exchange (or inject) DLLs too.
Now of course, doing it and doing it without triggering an anti-exploit mechanism may be slightly different things (you have to assume that the developers of a game title are not complete idiots and know all the obvious tricks too). Also, doing it and doing it without breaking the law are again different things.
Author
Boris differentiates between both in its files. It has an "Injector version" and a "Wrapper version"
If I understand correctly what ENB injector does, it's only just injecting a DLL (some kind of D9D wrapper?) into another process' address space.
Originally, it had a d3d9.dll that got loaded by the game, probably because it has the same name as the actual Windows library. That means that the game would load the "fake" d3d9.dll and then that dll would call the proper library?
That can be done rather easily, for example by installing a global hook procedure (from which you load that DLL) or using [font=courier new,courier,monospace]CreateRemoteThread[/font] or simply by either setting the AppInit_DLLs key in the registry or by placing a wrapper DLL into the executable's directory.So, with those methods one could load a dll, but how that dll would interact with the process? Can the dll call functions in the .exe?
All that assumes proper access rights of course, but this is usually the case, given that you own, and have physical access to your computer. Reading and writing another process' memory as you've suggested in your last paragraph is of course possible too, if you have proper access right (running a mini-debugger is a certain way of having rights). Oh, speaking of mini-debugger... a debugger is notified of every DLL being loaded or unloaded. You can probably use that to trivially exchange (or inject) DLLs too.Interesting. The debugger would need to be compiled into the exe or its just another dll that can be injected?
Now of course, doing it and doing it without triggering an anti-exploit mechanism may be slightly different things (you have to assume that the developers of a game title are not complete idiots and know all the obvious tricks too). Also, doing it and doing it without breaking the law are again different things.Of course, dealing with copy protection and all that.
In particular what made me curious is the Skyboost project. It goes like this: Skyrim for PC's executable code was compiled pretty much without optimization flags, thus some very critical code wasn't taking advantage of compiler optimizations neither modern instruction sets (ie, SSE2) and the game was severely CPU limited.
So, this guy comes ahead with a profiler, catches up the issue and codes in ASM a replacement for some critical functions in Skyrim's exe and calls it "TESVAL". Massive performance improvements ensue (ie, +20% to +40% perf increase) but with a big big drawback, the injector had to be updated every time Skyrim was updated (in contrast with other injector i've seen, probably because this one replaced .exe code instead of adding functions).
Since TESVAL author didn't had enough time, Alexander Blade (pretty experienced guy from what i've seen) picks up the project, ports it to C, calls it "Skyboost" and starts experimenting with more optimizations. After a few updates Bethesda updated Skyrim with a properly compiled exe and the patch was made irrelevant.
Thanks! I'll check the links mentioned on that thread.
See this old thread for more discussion.
Originally, it had a d3d9.dll that got loaded by the game, probably because it has the same name as the actual Windows library. That means that the game would load the "fake" d3d9.dll and then that dll would call the proper library?[/quote]Yes, something like that. That's a typical wrapper.
So, with those methods one could load a dll, but how that dll would interact with the process? Can the dll call functions in the .exe?[/quote]Yes and no. A DLL as such does not call functions in a program, it is just a PE image that is loaded into the address space of a process. However, a thread running the executable code in a DLL could certainly call functions in the program, presumed that you are able to determine the function's address and know what it does (and what parameter it takes, etc.).
Usually, it works the other way around. Normally, the injected DLL replaces some original functionality, and it's a thread from the original process that calls (without realizing) a function in the DLL.
The debugger would need to be compiled into the exe or its just another dll that can be injected?[/quote]A small program using CreateProcess, DebugActiveProcess, and WaitForDebugEvent to launch the "real" program.
Of course most non-trivial titles will take more or less sophisticated anti-debugger measures.
Also, note that you are almost certainly breaking the EULA (read as: using a good without permission, thus becoming a criminal in most countries) with that.
So, this guy comes ahead with a profiler, catches up the issue and codes in ASM a replacement for some critical functions in Skyrim's exe[/quote]That's all nice and good, but it's almost certainly a breach of EULA. Most probably nobody will care, but in the worst case that guy could find himself in a $50M tortious interference lawsuit.
It is highly unlikely that Skyrim for PC shipped as a debug build. The likely reason why the developers of Skyrim didn't do the same optimizations in the first place (you have to assume they're not complete idiots either!) is that performance was deemed "good enough" on the targeted hardware and that spending extra time on optimizing (and delaying the product) was therefore economically not viable.
Two years ago, one might have added "or maybe they didn't want to depend on SSE2 or have an extra code path", but this is unlikely now, seeing how no modern version of Windows works without SSE2 at all anyway.
Author
Quoting isn't working well it seems...
Well. It actually appeared on the official Bethesda forums, and script extenders have been the norm for TES titles since long ago. No one complained about it. Beth is fairly lenient on that respect, as long as you're not porting content from their games (ie, Morrowind content to Skyrim) or porting content from their DLCs its all good.
That said, I'm inclined to believe the guys who made the injector since they seem to know a fair bit about the subject and they think it was just that some flags in the compiler hadn't been set up properly. And believe me, if a 2500K overclocked to 4Ghz was "good enough performance" for Beth developers, that doesn't speaks good of them either.
Even so, since part of the game did use SSE2, it didn't worked on old processors anyway. So it is likely, believe it or not, that someone screwed it up in the build process. Maybe some incremental compilation issue or something like that. You must assume they're humans too, it can happen.
Anyway, thanks a lot for the info. Now I'm out to break some EULAs! Nah I'm joking 
I'm still pretty clueless about C++, Windows API, threading and such. And I don't think there is a game out there that could benefit of my limited 8085 assembler knowledge anyway 
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
