Because many modern ACs operate at the kernel level (Ring 0), they can detect the specific system calls (like CreateRemoteThread ) that the injector relies on, regardless of how the injector tries to hide.
Modern anti-cheats register callbacks with the Windows kernel (e.g., PsSetCreateProcessNotifyRoutineEx , ObRegisterCallbacks ). These callbacks check every DLL load. GH Injector’s classic methods—even manual mapping—are now detected because the anti-cheat correlates an unknown memory region with a remote thread that originated from a known suspicious process.
If you absolutely need to inject a DLL into a process (for legitimate modding or debugging on your own machine post-patch), here are the current surviving methods:
In gaming, if a DLL injector used for cheating has been patched, it likely means that the game developers have implemented measures to detect and prevent the use of such injectors, enhancing their anti-cheat efforts.