DLL Injector

The DLL Injector allows you to inject a DLL into the target process and then call any function exported by the injected DLL(s). The Inject DLL dialog can be opened from either the main window or the Disassembler window by selecting the Tools/DLL Injector menu item or pressing Ctrl-J.


Inject DLL

Enter the DLL name or path, or press Browse to browse for a DLL to inject. This simply puts the path into the edit box without actually injecting.

If you would like the DLL to be unloaded when MHS detaches from the target process, check the Uninject When MHS Detaches checkbox. If MHS closes, or if another process is opened, the DLL will be unloaded from the target process first.

Press Inject to inject the DLL named in the edit box. This adds it to the list, where you can see its base address in the target process and whether or not it will be uninjected when MHS detaches. If the DLL has already been injected by MHS it is not injected again; only its Uninject When MHS Detaches status is updated. If the DLL is already present in the target process for some other reason (the process loaded it itself, or another tool injected it), MHS cannot track its reference count and so cannot guarantee that it will be unloaded when MHS detaches. In that case, if Uninject When MHS Detaches is checked, MHS prompts you to confirm injecting without the ability to uninject later.


Call Function

If no DLL is selected from the list, this is left blank. Select a DLL from the list to enable this area.

The exported functions of the selected DLL are listed in the combobox. You may select any function from this list to call, regardless of its calling convention, number of parameters, or return type (although, as described under Call Function below, not every return type can be displayed correctly).

In the Parameters edit, enter the parameters to be passed to the function. Separate each with a comma. Each individual parameter can be any valid expression, so, for example, “122 * 32, gamex86.dll + 5334h, ([gamex86.dll+0x1FE80] & 0xFF) || ([gamex86.dll+0x1FE78] & 0xFF)” is a valid parameter list (if the target process has a gamex86.dll) with 3 parameters. See Expression Evaluator for more information on valid expressions.

Each parameter evaluates to either long, unsigned long, __int64, unsigned __int64, or double. A parameter can be forced to evaluate to a different type using a standard C cast. For example, ([gamex86.dll+0x1FE80] / 3.33f) normally evaluates to a double type because a floating-point value was used in the expression. You can cast this back to a DWORD with (DWORD)([gamex86.dll+0x1FE80] / 3.33f). Casting is only performed after the entire expression has been evaluated.

If the wrong number of parameters is passed, or a parameter is not of the type the target function expects, the function may read or write the wrong data, corrupt the game's internal state, and crash the target process. There is no type checking between the parameter list and the function; you are responsible for matching its signature.

__cdecl or __stdcall should be selected depending on the calling convention of the target function. If you are unsure which to use, check with the person who wrote the DLL you are injecting (which may be you). The difference is who removes the arguments from the stack: with __cdecl the caller cleans up after the call returns, while with __stdcall the called function cleans up before returning. The Win32 API uses __stdcall (WINAPI expands to __stdcall), whereas a plain C function in your own DLL is __cdecl unless it is declared otherwise. In practice, however, a wrong calling type often causes no problems due to the methods used by MHS to call the function. Also, if there are no parameters, the calling type can be ignored, because there is nothing on the stack to clean up.

Press Call Function to call the selected function from the selected DLL with the current parameters and calling type. The return value of the function is shown after the call. If the function returns float, double, or void, the value shown will be garbage, because those results are not returned in the integer return register that MHS reads. Also, if the function returns an __int64, the value shown will be truncated to its low 32 bits.


Uninjecting

Press Uninject Selected DLL to uninject the selected DLL.


Other

MHS injects a DLL of its own into the target process the first time a function is called. This is assumed not to be a problem, because you would already have injected a DLL in order to call a function.

MHS calls CreateRemoteThread() both when a DLL is injected and when a remote function is called. Some games detect DLL injection and remote thread creation, so be aware of this while using this dialog. In the future, there will be alternative (and faster) ways of calling remote functions.

Copyright © 2006 Shawn (L. Spiro) Wilcoxen