Maple Leafs Aggregator

If you're building a Kernel DLL Injector, you're likely aiming for stealth and stability to bypass Ring 3 protections or anti-cheat systems.

Here are some high-level feature ideas categorized by their technical purpose:

1. Stealth & Anti-Detection

  • Manual Mapping (Kernel-to-User): Instead of using standard Windows APIs like LoadLibrary, the driver manually parses the PE headers, resolves imports, and copies the DLL into the target's memory space to avoid "Loaded Module" lists.
  • VAD Hiding: Modify the Virtual Address Descriptor (VAD) tree for the target process to hide the allocated memory region from standard memory scanners.
  • NX Bit Swapping: Temporarily toggle the No-Execute (NX) bit or use "Shadow Pages" to make code execution look like data access, frustrating scanners that look for executable memory outside of known modules.
  • Zombie Thread Injection: Instead of creating a new thread (which triggers CreateThread hooks), hijack an existing "zombie" or suspended thread's context using PsGet/SetContextThread to execute your shellcode.

2. Stability & Modern Compatibility

  • APC Injection: Use Asynchronous Procedure Calls (APC) to queue the DLL loading routine. This is often more stable than thread hijacking because it waits for the process to be in an "alertable" state.
  • System Callback Registration: Use PsSetCreateProcessNotifyRoutineEx or PsSetLoadImageNotifyRoutine to detect target processes the instant they start, allowing for "early-bird" injection before protections are fully initialized.
  • CIG/ACG Bypass: Implement techniques to bypass Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG), which typically block the loading of unsigned DLLs or dynamic code generation.

3. Management & Control

  • Socket-Based Communication: Use a kernel socket or shared memory buffer (IOCTL) to communicate between your user-mode controller and the driver without creating detectable handle links.
  • Universal Driver (MDK): Support for both x86 and x64 targets, including ARM64 compatibility for modern Windows devices.
  • Self-Cleaning / Driver Unloading: An "Erase-on-Finish" feature that wipes the driver's traces from the process memory after the injection is complete to prevent post-mortem forensic analysis.

Feature Summary Table

  Feature           | Purpose
  VAD Hiding        | Hides memory regions from scanners like Task Manager or Process Hacker.
  Manual Mapping    | Prevents the DLL from appearing in the process's module list.
  APC Injection     | Ensures the process is ready to handle the code without crashing.
  Kernel Callbacks  | Automates injection the moment a specific program opens.


Kernel DLL Injector: A Comprehensive Overview

Introduction

A Kernel DLL Injector is a type of software tool used to inject Dynamic Link Libraries (DLLs) into the address space of a process running in kernel mode. This technique is often employed by system administrators, developers, and security researchers to load custom or proprietary DLLs into the kernel for various purposes, such as debugging, testing, or enforcing specific security policies.

What is a Kernel DLL Injector?

A Kernel DLL Injector is a program that utilizes the Windows kernel-mode API to inject a DLL into the address space of a process running in kernel mode. This allows the injected DLL to execute in the context of the kernel, enabling it to interact with kernel-mode drivers, access sensitive data, and perform other privileged operations.

How does a Kernel DLL Injector work?

The process of injecting a DLL into the kernel involves several steps:

  1. Opening a handle to the target process: The injector program opens a handle to the process into which the DLL will be injected. This handle is typically obtained using the OpenProcess function.
  2. Allocating memory for the DLL: The injector program allocates a block of memory within the target process's address space using the VirtualAllocEx function. This memory block will be used to store the DLL.
  3. Writing the DLL to the allocated memory: The injector program writes the DLL to the allocated memory block using the WriteProcessMemory function.
  4. Creating a remote thread: The injector program creates a remote thread within the target process using the CreateRemoteThread function. This thread will be responsible for loading the injected DLL.
  5. Loading the DLL: The remote thread executes the LoadLibrary function to load the injected DLL into the kernel.

Types of Kernel DLL Injectors

There are several types of kernel DLL injectors, including:

  1. User-mode injectors: These injectors run in user mode and use the Windows API to inject DLLs into kernel-mode processes.
  2. Kernel-mode injectors: These injectors run in kernel mode and use the kernel-mode API to inject DLLs into other kernel-mode processes.
  3. Bootkits: These are specialized kernel DLL injectors that load DLLs into the kernel during the boot process.

Use Cases for Kernel DLL Injectors

Kernel DLL injectors have several use cases, including:

  1. Security research: Injecting custom DLLs into the kernel allows security researchers to analyze kernel-mode vulnerabilities and develop exploits.
  2. Debugging: Injecting DLLs into the kernel enables developers to debug kernel-mode drivers and troubleshoot issues.
  3. Digital forensics: Injecting DLLs into the kernel allows digital forensic analysts to collect data from kernel-mode processes.

Risks and Challenges

Kernel DLL injectors also pose several risks and challenges, including:

  1. Security risks: Injecting malicious DLLs into the kernel can compromise system security and allow attackers to gain elevated privileges.
  2. System stability issues: Injecting DLLs into the kernel can cause system crashes and stability issues if not done properly.
  3. Compatibility problems: Injecting DLLs into the kernel can lead to compatibility issues with other kernel-mode drivers and applications.

Conclusion

In conclusion, kernel DLL injectors are powerful tools used to inject DLLs into the address space of kernel-mode processes. While they have several use cases, including security research, debugging, and digital forensics, they also pose significant risks and challenges. As with any powerful tool, it is essential to use kernel DLL injectors responsibly and with caution to avoid compromising system security and stability.

Malicious Use Cases

  • Rootkits: Injecting a DLL into csrss.exe or winlogon.exe to steal credentials.
  • Game Cheats: Bypassing anti-cheat systems (EAC, BattlEye) that hook CreateRemoteThread at the user level.
  • Banking Trojans: Injecting into browser processes from kernel mode to evade EDR user-mode hooks.

Step 3: Writing the DLL Path (or Payload)

The injector writes the full path of the DLL (e.g., C:\malware.dll) into the allocated memory. Alternatively, a more sophisticated injector may write the raw DLL bytes directly—this is called manual mapping in kernel mode.

1. Introduction

In the realm of cybersecurity and software engineering, "DLL Injection" is a technique used to run arbitrary code within the address space of another process. While user-mode injection is common, Kernel DLL Injection represents a more sophisticated, stealthy, and potent approach.

Kernel DLL Injection occurs when code running with the highest privileges (Ring 0) forces a target process to load a Dynamic Link Library (DLL). Because the injection originates from the kernel, it bypasses many of the security checks and monitoring tools designed for user-mode applications, making it a favored technique for advanced malware, rootkits, and anti-cheat software.

2. PatchGuard (Kernel Patch Protection)

Prevents hooking of critical kernel structures (like the System Service Dispatch Table). However, it does not prevent APC injection or memory allocation.

Performance & Overhead

  • Injection latency: Typically 1–10 microseconds for setup, but APC delivery could be milliseconds to minutes. Not real-time friendly.
  • CPU overhead: Minimal. One APC insertion per injection.
  • Memory overhead: A few KB for APC object and DLL path string.

Draft paper: "Kernel DLL Injection: Techniques, Detection, and Defenses"

Abstract
Kernel DLL injection—techniques that cause user-mode DLL code to execute with kernel privileges or manipulate kernel behavior via dynamic-link libraries—poses significant security risks and forensic challenges. This paper surveys common and advanced injection methods, examines motives and threat models, evaluates detection and mitigation strategies, and proposes defenses for modern Windows systems.

  1. Introduction
  • Define kernel DLL injection and scope: methods that enable user-supplied code to run in privileged kernel context or to persistently influence kernel-mode behavior via DLLs, drivers, or loader manipulation.
  • Motivation: privilege escalation, persistence, stealthy rootkits, legitimate use cases (debugging, instrumentation).
  • Contribution: taxonomy of techniques, analysis of attack surface, detection approaches, recommended mitigations and policy controls.
  2. Background and threat model
  • Windows kernel architecture overview: user mode vs kernel mode, kernel drivers (KMDF), the role of ntdll/kernel32, Windows loader, Service Control Manager, call gates into kernel (syscalls, device IOCTLs), kernel object types (process, thread, driver objects), and memory protection (DEP, SMEP, SMAP, Kernel Patch Protection “PatchGuard”).
  • Threat model assumptions: attacker with initial user-mode foothold; may have local admin or limited user privileges; goal is privilege escalation, persistence, evasion. Exclude firmware/physical attacks unless noted.
  3. Taxonomy of kernel-level injection techniques
    3.1 Direct kernel driver loading
  • Installing a signed/unsigned driver (driver signing enforcement bypasses): legitimate driver installation, exploiting vulnerable drivers to load malicious code, abusing test-signing or vulnerable driver installer services.
  • Kernel-mode callbacks (PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine) and inline hooking of kernel routines.

3.2 User-mode techniques that affect kernel behavior

  • Manipulating system services and DLL search order for privileged processes (service DLL hijacking, shim/injection in service processes that run as SYSTEM).
  • Token stealing via impersonation and duplicate handles combined with CreateRemoteThread into privileged processes. While CreateRemoteThread itself is user-mode, the result can trigger privileged code execution if injected into SYSTEM processes.
  • Reflective DLL injection and manual mapping into privileged user processes.

3.3 Exploiting vulnerable kernel interfaces

  • IOCTL vulnerabilities: leveraging vulnerable driver IOCTLs to read/write kernel memory or execute code (ex: arbitrary pointer dereference, buffer overflow in driver's dispatch routine).
  • Use-after-free and race conditions in kernel components to achieve arbitrary kernel memory write/execute.

3.4 Advanced methods targeting kernel integrity protections

  • Return-oriented programming (ROP) for kernel: chaining gadgets in kernel to bypass W^X and DEP.
  • Bypassing SMEP/SMAP through kernel memory corruption or via swapping CR4 bits if vulnerability exists.
  • Direct kernel object manipulation: modifying EPROCESS, token stealing in kernel memory.

3.5 Loader and boot-time persistence mechanisms

  • Bootkit approaches: manipulating bootloader or early kernel components to load malicious modules before OS protections initialize.
  • Abusing firmware/UEFI to persist kernel-level code (briefly covered).
  4. Case studies and notable incidents
  • Survey of public incidents where kernel-level injection or malicious drivers were used (e.g., use of vulnerable signed drivers by rootkits, kernel-level implants used by advanced threat actors). (High-level description; sources omitted.)
  5. Detection strategies
    5.1 Host-based indicators
  • Unexpected driver loads: unsigned drivers, drivers with anomalous names or paths, modifications to Service Control Manager entries.
  • Kernel memory anomalies: unusual patches to kernel code pages, altered system call table (where applicable), modified SSDT (historical), hooks on IRP dispatch or callback lists.
  • Disk and registry indicators: added service entries, persistence artifacts in RunOnce/Services.
  • Process-level signs: privileged processes with injected modules, remote threads originating from suspicious processes.

5.2 Dynamic and behavioral detection

  • Monitor kernel callback registrations (PsSetCreateProcessNotifyRoutineEx, ObRegisterCallbacks) and anomalous numbers or unknown modules registering callbacks.
  • Integrity verification: periodic kernel code signing and checksum checks; PatchGuard-style integrity monitors (noting Microsoft’s restrictions).
  • Detect unusual IOCTL patterns and abnormal use of DeviceIoControl on sensitive drivers.

5.3 Forensic memory analysis

  • Use of memory acquisition and kernel memory analysis (Volatility, Rekall): scanning for hidden drivers, altered kernel structures, suspicious module lists, EPROCESS anomalies, and system call redirections.
  • Cross-view comparisons between kernel module lists from different sources (loaded modules vs driver objects).
  6. Mitigations and defensive design
    6.1 Platform features and configuration
  • Enforce driver signing and use secure boot / kernel DMA protections.
  • Enable Microsoft Defender features and kernel exploit mitigations (SMEP/SMAP, KASLR).
  • Restrict administrative privileges and apply least privilege for service accounts.

6.2 Hardening drivers and kernel interfaces

  • Safe IOCTL design: input validation, proper copy_to_user/copy_from_user semantics, bounds checks, use of structured exception handling.
  • Minimizing exposed kernel interfaces; explicit access control for device objects (restrict CreateFile access to administrators or signed components).

6.3 Runtime protections and monitoring

  • Endpoint detection: kernel-mode behavioral sensors that monitor suspicious memory writes, hooking attempts, and suspicious driver loads.
  • Use of hypervisor-based introspection (VMI) for tamper-resistant monitoring of kernel state.
  • Application and process isolation: run high-risk services in constrained containers or VMs.

6.4 Defensive response and remediation

  • Steps for incident response when a malicious driver or kernel injection is suspected: isolate, memory/image capture, block driver load, patch vulnerable drivers, restore from known-good image, engage vendor support.
  7. Evaluation of defenses: trade-offs and limitations
  • Performance and stability impacts of deeper kernel monitoring.
  • False positives from legitimate kernel instrumentation (antivirus, virtualization tools).
  • Legal and compatibility constraints (PatchGuard, driver signing) that limit third-party kernel defenses.
  8. Future directions and research opportunities
  • Kernel introspection via hardware features (TPM, TDX, secure enclaves).
  • Formal verification of drivers and automated vulnerability discovery in kernel interfaces.
  • Improved telemetry standards for kernel-level events and secure logging.
  9. Conclusion
  • Kernel DLL/driver injection remains a high-risk vector with evolving methods. Defense requires layered controls: platform hardening, secure driver design, runtime monitoring (including out-of-band/hypervisor approaches), and strong incident response capabilities.
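A worked version of the host-based indicators in section 5.1 and the cross-view comparison in section 5.3, added here as an example that is not part of the draft paper or any project it names: it scores constructed driver-load records (fields modelled loosely on a Sysmon DriverLoad event) and diffs two constructed kernel module views to surface an unlinked driver. The sample paths, signer names, the TRUSTED_PUBLISHERS allowlist and the rule thresholds are all assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directories Windows normally loads drivers from (assumption: a realistic
# baseline; extend for your own image). Anything else is worth an analyst's look.
STANDARD_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Constructed allowlist standing in for an organisation's own trusted-publisher list.
TRUSTED_PUBLISHERS = {
    "microsoft windows",
    "microsoft windows hardware compatibility publisher",
}

# "Anomalous name" heuristic: a long all-hex stem looks machine-generated.
HEX_STEM = re.compile(r"^[0-9a-f]{8,}$")

# Constructed driver-load records (not real telemetry). Field names follow the
# Sysmon DriverLoad record loosely: ImageLoaded, Signed, SignatureStatus, Signature.
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\Public\k-ghost.sys", "Signed": "false",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"ImageLoaded": r"C:\Windows\Temp\drv01.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Example Hardware Co"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\9f3a7c21e0b4.sys", "Signed": "true",
     "SignatureStatus": "Expired", "Signature": "Microsoft Windows"},
]

# Constructed module views for the 5.3 cross-view check: what the loaded-module
# list reports versus which driver objects exist in the object namespace.
SAMPLE_LOADED_MODULES = ["tcpip.sys", "ndis.sys", "drv01.sys"]
SAMPLE_DRIVER_OBJECTS = ["tcpip.sys", "ndis.sys", "drv01.sys", "k-ghost.sys"]


def _norm(path):
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return path.replace("/", "\\").lower()


def score_driver_load(event, trusted_publishers=TRUSTED_PUBLISHERS):
    """Return the names of the 5.1 rules a single driver-load record trips (empty = benign)."""
    reasons = []
    path = _norm(event.get("ImageLoaded", ""))
    signed = str(event.get("Signed", "")).lower() == "true"
    status = str(event.get("SignatureStatus", "")).lower()
    signer = str(event.get("Signature", "")).lower()

    # Rule 1: unsigned, or signed but the signature did not verify (expired, revoked, ...).
    if not signed or status != "valid":
        reasons.append("unsigned-or-invalid-signature")
    # Rule 2: loaded from outside the standard driver directories.
    if not any(path.startswith(d + "\\") for d in STANDARD_DRIVER_DIRS):
        reasons.append("non-standard-path")
    # Rule 3: validly signed, but by a publisher not on the allowlist.
    if signed and status == "valid" and signer not in trusted_publishers:
        reasons.append("untrusted-publisher")
    # Rule 4: machine-generated-looking or implausibly short file name.
    stem = PureWindowsPath(path).stem
    if HEX_STEM.match(stem) or len(stem) < 3:
        reasons.append("anomalous-name")
    return reasons


def flag_driver_loads(events, trusted_publishers=TRUSTED_PUBLISHERS):
    """Map each suspicious image path to the list of rules it tripped."""
    flagged = {}
    for event in events:
        reasons = score_driver_load(event, trusted_publishers)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged


def cross_view_diff(loaded_module_list, driver_objects):
    """Cross-view comparison (5.3): a driver that has a driver object but is absent from the
    loaded-module list is the classic sign of an unlinked (hidden) module. The reverse gap is
    reported too, but needs an allowlist in practice (e.g. the kernel image and HAL have no
    driver object)."""
    modules = {m.lower() for m in loaded_module_list}
    objects = {d.lower() for d in driver_objects}
    return {
        "hidden_from_module_list": sorted(objects - modules),
        "no_driver_object": sorted(modules - objects),
    }


if __name__ == "__main__":
    for image, why in flag_driver_loads(SAMPLE_DRIVER_LOADS).items():
        print(f"SUSPECT {image}: {', '.join(why)}")
    print(cross_view_diff(SAMPLE_LOADED_MODULES, SAMPLE_DRIVER_OBJECTS))
```

Feed real records into flag_driver_loads by mapping your telemetry's field names onto the four keys above; the rules are deliberately independent so each can be tuned or dropped on its own.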

References (selective)

  • Academic and industry works on kernel rootkits, driver vulnerabilities, defensive mechanisms, and forensic techniques. (Include appropriate citations in final draft.)

Appendix A — Practical checklist for defenders

  • Enable Secure Boot + HVCI.
  • Audit installed drivers for signatures and trusted publishers.
  • Harden device object DACLs.
  • Monitor for unusual DeviceIoControl and driver load events.
  • Maintain up-to-date patches for drivers and OS.

Appendix B — Suggested experimental setup for evaluation

  • Isolated lab with instrumented Windows VM, vulnerable driver samples, memory acquisition tools (WinDbg, OSForensics, Volatility), hypervisor introspection agent, and controlled test cases for common injection methods.

If you want, I can:

  • Expand any section into a full paper with citations and formatted references, or
  • Produce a slide deck summarizing this paper, or
  • Generate a step-by-step lab exercise demonstrating a specific injection technique and detection.

In the dimly lit glow of three monitors, Elias stared at the Blue Screen of Death. It was his fourteenth today. Most developers at Apex Cyber were working on front-facing security suites, but Elias lived in "Ring 0"—the kernel. He wasn't just writing code; he was building a ghost.

His project, codenamed K-Ghost, was a kernel DLL injector. To the uninitiated, DLL injection is like sneaking a new recipe into a chef's book while they aren't looking. But in user-mode, everyone is watching. Anti-cheat software and high-end security tools can spot a rogue thread from a mile away. To remain invisible, Elias had to go deeper.

The Deep Dive

"Standard injection uses CreateRemoteThread," Elias muttered, his fingers flying across the mechanical keyboard. "It’s like ringing the front doorbell with a ski mask on. Too loud."

He decided on a more surgical approach: Asynchronous Procedure Calls (APCs). By using a kernel driver, Elias could intercept a process the moment it was born. He targeted LdrInitializeThunk, the very first function a program runs in user-mode. By queuing a Kernel APC before the process even had a chance to breathe, his DLL would load as part of the "normal" startup flow.

The Breach

The test target was Aegis, a world-class anti-cheat system known for being impenetrable. Elias hit Enter.

The driver loaded. On his second monitor, the Aegis-protected game launched. Elias watched the memory addresses scroll.

The Hook: His kernel driver spotted the new process ID.

The Allocation: It carved out a tiny, hidden pocket of memory using NX Bit Swapping to bypass hardware protections.

The Injection: The APC fired.

The game’s menu appeared. For a moment, nothing happened. Then, a small, lime-green text box flickered in the corner: K-Ghost Active.

Elias exhaled, but the victory was short-lived. A red alert flashed on his third screen. It wasn't the anti-cheat—it was a notification from a system he hadn't seen before.

“Welcome, Elias. We’ve been waiting for someone to reach Ring 0.”

The injector hadn't just put code into the game; it had triggered a "canary" buried deep in the Windows kernel itself, a trap set by a rival group he only knew as The Ringmasters. They didn't want to stop him; they wanted to use his bridge. His "ghost" had just opened a back door, and he wasn't the only one walking through it.

Elias reached for the power cable, but his mouse cursor moved on its own, hovering over the Delete key of his source code. "Checkmate," a voice whispered from his speakers.

Key Concepts from the Story

Ring 0 (Kernel Mode): The most privileged level of the CPU, where the operating system's core runs.

DLL Injection: A technique used to run arbitrary code within the address space of another process.

APC (Asynchronous Procedure Call): A function that executes asynchronously in the context of a particular thread. Kernel-mode injectors often use these to stay hidden.

Manual Mapping: A stealthier injection method that manually loads a DLL into memory without using standard Windows APIs that security software monitors.

A kernel-mode DLL injector is a driver-based tool designed to inject code from the Windows kernel (Ring 0) into a user-mode process (Ring 3). This approach is typically used to bypass security software or anti-cheat systems that monitor standard user-mode injection techniques.

Core Features

  • Kernel Callbacks: Uses system routines like PsSetLoadImageNotifyRoutine or PsSetCreateProcessNotifyRoutineEx to detect when a target process starts or a specific image loads, triggering the injection immediately.
  • Asynchronous Procedure Calls (APC): Utilizes Kernel Asynchronous Procedure Calls to queue a procedure in a user-land application, often forcing the target to execute LoadLibrary or similar functions to pull in the DLL.
  • Manual Mapping: A stealthier method that manually parses the PE (Portable Executable) file and maps its sections into the target's memory space without using standard Windows APIs like LoadLibrary, which leaves less of a trace.

Stealth & Hiding

  • VAD Hiding: Modifies Virtual Address Descriptors to hide the presence of the injected DLL from memory scanners.
  • NX Bit Swapping: Manipulates page permissions (No-Execute bits) to execute code in regions that appear to be read/write only.
  • Module Hiding: Prevents the injected DLL from appearing in the target process's module list (PEB).
  • Driver Loading/Bypassing: Since modern Windows requires signed drivers, many injectors include features to bypass Driver Signature Enforcement (DSE) or use "reflective driver loading" to run the injector itself without a valid signature.

Popular Techniques & Implementations

  • KMDllInjector: Uses kernel callbacks to monitor process creation and automate injection.
  • Focuses on hiding injected modules using advanced memory manipulation like NX bit swapping.
  • A classic example that uses Kernel APCs to perform the injection.
  • Manual Mapping (Threadless): Some injectors avoid creating new threads (which are easily spotted by EDRs) and instead hijack existing execution flows to run the injected code.


A kernel DLL injector is an advanced software utility or driver used to inject a Dynamic Link Library (DLL) into a target process from the Windows kernel. Unlike standard user-mode injectors that rely on high-level APIs like CreateRemoteThread, kernel injectors operate at the highest privilege level (Ring 0), allowing them to bypass many traditional security measures and anti-cheat systems.

Core Mechanism

Kernel injectors typically utilize a Windows driver to facilitate the injection process. The general workflow involves:

Registration of Callbacks: The driver registers kernel callbacks such as PsSetLoadImageNotifyRoutine or PsSetCreateProcessNotifyRoutineEx.

Triggering: When a new process is created or a specific image is loaded, the callback is triggered.

Memory Injection: The driver then maps the DLL into the target process's memory space, often using techniques like manual mapping to avoid leaving traces in the module list.

Common Techniques

Techniques vary based on the desired level of stealth and compatibility:

Reflective DLL Injection: Loading a library from memory into a host process without writing it to disk first.

Manual Mapping: Manually parsing the PE (Portable Executable) headers and mapping sections into memory, effectively rebuilding the DLL's functionality within the target process.

Shellcode Injection: Using kernel-mode shellcode to execute the injection logic within the context of the target process.

Security and Use Cases

Anti-Cheat Bypassing: Frequently used in game security to stay undetected by anti-cheat software like Easy Anti-Cheat (EAC) or BattlEye, which monitor user-mode API calls.

Advanced Protection: Some security tools use kernel-mode techniques for binary hardening, anti-tampering, and protection against memory exploits.

Malware Analysis: Used by researchers to observe how malware interacts with system processes from a privileged vantage point.

Popular Repositories and Resources

Several open-source projects provide frameworks for kernel-level injection:

KMDllInjector: A kernel-mode DLL injector that uses system callbacks for injection.

Xenos: A well-known Windows DLL injector that supports various advanced techniques.

Awesome Game Security: A curated list of tools and resources related to game security and injection.

Kernel DLL Injector: A Powerful Tool for Windows Internals

Introduction

A kernel DLL injector is a utility used to inject a DLL (Dynamic Link Library) into a process running in kernel mode. This technique is often employed by developers, reverse engineers, and security researchers to analyze and interact with Windows internals. In this article, we will explore the concept of kernel DLL injection, its uses, and provide a basic example of how to create a kernel DLL injector.

What is Kernel DLL Injection?

Kernel DLL injection is a technique used to load a custom DLL into a kernel-mode process. This allows the injected DLL to execute code in the context of the kernel, providing access to sensitive areas of the operating system. The injected DLL can interact with kernel-mode drivers, manipulate system calls, and even modify kernel data structures.

Uses of Kernel DLL Injection

Kernel DLL injection has several legitimate uses:

  1. Debugging and reverse engineering: By injecting a custom DLL into a kernel-mode process, developers and reverse engineers can analyze and understand the behavior of Windows kernel components.
  2. Security research: Kernel DLL injection can be used to test the security of kernel-mode drivers and identify potential vulnerabilities.
  3. Development of kernel-mode drivers: Developers can use kernel DLL injection to test and debug kernel-mode drivers without having to rewrite the driver code.

How Kernel DLL Injection Works

The process of kernel DLL injection involves several steps:

  1. Open a handle to the target process: The injector needs to open a handle to the kernel-mode process into which the DLL will be injected.
  2. Allocate memory for the DLL: The injector allocates memory in the target process's address space to store the DLL.
  3. Write the DLL to the allocated memory: The injector writes the DLL to the allocated memory.
  4. Create a remote thread: The injector creates a remote thread in the target process, which executes the DLL's entry point.

Example: Creating a Basic Kernel DLL Injector

Here is a basic example of a kernel DLL injector written in C++:

#include <Windows.h>
#include <TlHelp32.h>

int main()
{
    // Specify the target process and DLL paths
    const wchar_t* targetProcess = L"System";
    const wchar_t* dllPath = L"C:\\path\\to\\your\\dll.dll";

    // Find the target process by walking the process snapshot
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 1;

    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(PROCESSENTRY32W);
    if (Process32FirstW(hSnapshot, &pe))
    {
        do
        {
            if (wcscmp(pe.szExeFile, targetProcess) == 0)
            {
                // Open a handle to the target process
                HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID);
                if (hProcess)
                {
                    // Allocate memory for the DLL path, including its terminating null
                    SIZE_T pathBytes = (wcslen(dllPath) + 1) * sizeof(wchar_t);
                    LPVOID pDll = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT, PAGE_READWRITE);
                    if (pDll)
                    {
                        // Write the DLL path to the allocated memory
                        WriteProcessMemory(hProcess, pDll, dllPath, pathBytes, NULL);

                        // Create a remote thread that calls LoadLibraryW on the written path
                        LPTHREAD_START_ROUTINE pRoutine =
                            (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleW(L"kernel32"), "LoadLibraryW");
                        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pRoutine, pDll, 0, NULL);
                        if (hThread)
                            CloseHandle(hThread);
                    }
                    CloseHandle(hProcess);
                }
            }
        } while (Process32NextW(hSnapshot, &pe));
    }
    CloseHandle(hSnapshot);
    return 0;
}

Conclusion

Kernel DLL injection is a powerful technique used to interact with Windows internals. While it has legitimate uses, it can also be misused by malicious actors. As with any powerful tool, it is essential to use kernel DLL injection responsibly and with caution.

Additional Resources

  • Windows Internals, Part 1: Covering Windows Server 2008 R2, Windows 7, and Windows Vista (Microsoft Press)
  • Windows Kernel-Mode Driver Development (Microsoft Docs)
  • Kernel-mode DLL injection (Matt Pietrek's blog)

Schedule News / Content

Related content from Maple Leafs Aggregator

Kernel Dll Injector | iPad |

If you're building a Kernel DLL Injector , you're likely aiming for stealth and stability to bypass Ring 3 protections or anti-cheat systems.

Here are some high-level feature ideas categorized by their technical purpose: 1. Stealth & Anti-Detection Manual Mapping (Kernel-to-User): Instead of using standard Windows APIs like LoadLibrary

, the driver manually parses the PE headers, resolves imports, and copies the DLL into the target's memory space to avoid "Loaded Module" lists. VAD Hiding: Modify the Virtual Address Descriptor (VAD)

tree for the target process to hide the allocated memory region from standard memory scanners. NX Bit Swapping: Temporarily toggle the No-Execute (NX)

bit or use "Shadow Pages" to make code execution look like data access, frustrating scanners that look for executable memory outside of known modules. Zombie Thread Injection: Instead of creating a new thread (which triggers CreateThread

hooks), hijack an existing "zombie" or suspended thread's context using PsGet/SetContextThread to execute your shellcode. 2. Stability & Modern Compatibility APC Injection: Asynchronous Procedure Calls (APC)

to queue the DLL loading routine. This is often more stable than thread hijacking because it waits for the process to be in an "alertable" state. System Callback Registration: PsSetCreateProcessNotifyRoutineEx PsSetLoadImageNotifyRoutine

to detect target processes the instant they start, allowing for "early-bird" injection before protections are fully initialized. CIG/ACG Bypass: Implement techniques to bypass Code Integrity Guard (CIG) Arbitrary Code Guard (ACG)

, which typically block the loading of unsigned DLLs or dynamic code generation. 3. Management & Control Socket-Based Communication:

Use a kernel socket or shared memory buffer (IOCTL) to communicate between your user-mode controller and the driver without creating detectable handle links. Universal Driver (MDK):

Support for both x86 and x64 targets, including ARM64 compatibility for modern Windows devices. Self-Cleaning / Driver Unloading:

An "Erase-on-Finish" feature that wipes the driver's traces from the

process memory after the injection is complete to prevent post-mortem forensic analysis. Feature Summary Table Feature Type Specific Feature VAD Hiding

Hides memory regions from scanners like Task Manager or Process Hacker. Manual Mapping

Prevents the DLL from appearing in the process's module list. APC Injection

Ensures the process is ready to handle the code without crashing. Kernel Callbacks Automates injection the moment a specific program opens.

SDXT/MMInject: Kernel DLL Injector using NX Bit ... - GitHub

Kernel DLL Injector: A Comprehensive Overview

Introduction

A Kernel DLL Injector is a type of software tool used to inject Dynamic Link Libraries (DLLs) into the address space of a process running in kernel mode. This technique is often employed by system administrators, developers, and security researchers to load custom or proprietary DLLs into the kernel for various purposes, such as debugging, testing, or enforcing specific security policies.

What is a Kernel DLL Injector?

A Kernel DLL Injector is a program that utilizes the Windows kernel-mode API to inject a DLL into the address space of a process running in kernel mode. This allows the injected DLL to execute in the context of the kernel, enabling it to interact with kernel-mode drivers, access sensitive data, and perform other privileged operations.

How does a Kernel DLL Injector work?

A kernel injector performs the same stages a user-mode injector does, but from a driver, so none of the user-mode entry points that security products hook are called. The user-mode baseline it replaces has five steps:

  1. Opening a handle to the target process: The injector opens a handle to the process into which the DLL will be injected, typically with OpenProcess. (A driver instead looks the process up with PsLookupProcessByProcessId and attaches to its address space with KeStackAttachProcess.)
  2. Allocating memory for the DLL: The injector allocates a block of memory in the target process's address space with VirtualAllocEx; this block holds the DLL path or the DLL image itself. (A driver calls ZwAllocateVirtualMemory while attached.)
  3. Writing the DLL to the allocated memory: The injector writes the path or image into that block with WriteProcessMemory. (A driver copies it directly while attached, or with MmCopyVirtualMemory.)
  4. Creating a remote thread: The injector starts a thread in the target with CreateRemoteThread, the step that user-mode hooks and anti-cheat drivers watch most closely. (A driver queues an APC to an existing thread instead of creating a new one.)
  5. Loading the DLL: The new thread (or the APC routine) calls LoadLibrary, which loads the DLL into the target process. The DLL runs in user mode with the target's privileges; nothing is loaded into the kernel.

Types of Kernel DLL Injectors

There are several types of DLL injectors, distinguished by where the injecting code runs:

  1. User-mode injectors: These run as ordinary programs and use Win32 APIs (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread or QueueUserAPC) to inject into other user-mode processes. Every one of those calls is a well-known hook point.
  2. Kernel-mode injectors: These run as a driver and inject from Ring 0 using process attach, cross-process memory writes and kernel APCs, often triggered from process-creation or image-load callbacks so the DLL is in place before the target has finished initializing.
  3. Bootkits: These load code before or during kernel startup and can inject into processes from there, ahead of any OS protection that would otherwise observe the driver being loaded.

Use Cases for Kernel DLL Injectors

Kernel DLL injectors have several use cases, including:

  1. Security research: Injecting custom DLLs from the kernel lets researchers instrument a process from a vantage point that user-mode monitoring cannot see, for example to evaluate how much of an EDR's or anti-cheat's coverage depends on user-mode hooks.
  2. Debugging: Injecting DLLs from a driver enables developers to debug and instrument processes that block or detect ordinary user-mode injection.
  3. Digital forensics: Injecting a collection DLL from the kernel allows forensic tooling to gather data from processes that tamper with, or hide from, user-mode agents.

Risks and Challenges

Kernel DLL injectors also pose several risks and challenges, including:

  1. Security risks: Injecting malicious DLLs into the kernel can compromise system security and allow attackers to gain elevated privileges.
  2. System stability issues: Injecting DLLs into the kernel can cause system crashes and stability issues if not done properly.
  3. Compatibility problems: Injecting DLLs into the kernel can lead to compatibility issues with other kernel-mode drivers and applications.

Conclusion

In conclusion, kernel DLL injectors are powerful tools that inject DLLs into user-mode processes from the kernel. While they have several use cases, including security research, debugging, and digital forensics, they also pose significant risks and challenges. As with any powerful tool, it is essential to use kernel DLL injectors responsibly and with caution to avoid compromising system security and stability.

Malicious Use Cases

  • Rootkits: Injecting a DLL into csrss.exe or winlogon.exe to steal credentials.
  • Game Cheats: Bypassing anti-cheat systems (EAC, BattlEye) whose user-mode components watch for CreateRemoteThread and related injection APIs.
  • Banking Trojans: Injecting into browser processes from kernel mode to evade EDR user-mode hooks.

Step 3: Writing the DLL Path (or Payload)

The injector writes the full path of the DLL (e.g., C:\malware.dll) into the allocated memory. Alternatively, a more sophisticated injector may write the raw DLL bytes directly—this is called manual mapping in kernel mode.
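The "raw DLL bytes" variant is where the kernel side has to do the loader's job itself. As an added example (not code from the original page or from any project it names), the following C program shows the two loader stages that every manual mapper re-implements: laying the sections out at their RVAs and applying base relocations for the address the image will occupy in the target. It builds a constructed PE32+ image in memory rather than reading a real DLL, defines the PE structures itself so it compiles anywhere, and treats every header field as untrusted, which is the check a kernel-side mapper needs because the DLL bytes arrive from user mode. Import resolution and the actual cross-process write are assumed to happen afterwards and are not shown; the target address 0x7FF600000000 is an arbitrary value chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PE32+ on-disk structures laid out exactly as in winnt.h; only the fields used here are named. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rsvd[58]; uint32_t e_lfanew; } DosHdr;              /* 64 bytes */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PtrSym, NumSym;
                 uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;                     /* 20 bytes */
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint16_t Magic; uint8_t rsvd0[14]; uint32_t AddressOfEntryPoint, BaseOfCode;
                 uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment; uint8_t rsvd1[16];
                 uint32_t SizeOfImage, SizeOfHeaders; uint8_t rsvd2[44]; uint32_t NumberOfRvaAndSizes;
                 DataDir DataDirectory[16]; } OptHdr64;                                          /* 240 bytes */
typedef struct { uint32_t Signature; FileHdr FileHeader; OptHdr64 OptionalHeader; } NtHdr64;    /* 264 bytes */
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
                 uint8_t rsvd[12]; uint32_t Characteristics; } SecHdr;                          /* 40 bytes */
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } RelocBlock;
#pragma pack(pop)
enum { DIR_BASERELOC = 5, REL_ABSOLUTE = 0, REL_DIR64 = 10 };

static uint8_t *fail(uint8_t *image) { free(image); return NULL; }

/* Lay a PE32+ file image out at its RVAs and rebase it for new_base, the address it will occupy in the
 * target. Every offset is checked against the file and image sizes before use: the DLL bytes come from
 * user mode, and a driver that trusts them is itself exploitable. Returns a calloc'd SizeOfImage buffer
 * (caller frees) or NULL for a malformed image. Import resolution is left to a later stage. */
uint8_t *manual_map(const uint8_t *file, size_t file_len, uint64_t new_base)
{
    if (file_len < sizeof(DosHdr)) return NULL;
    const DosHdr *dos = (const DosHdr *)file;
    if (dos->e_magic != 0x5A4D || dos->e_lfanew > file_len || file_len - dos->e_lfanew < sizeof(NtHdr64))
        return NULL;                                                               /* "MZ" and room for the PE header */
    const NtHdr64 *nt = (const NtHdr64 *)(file + dos->e_lfanew);
    const OptHdr64 *opt = (const OptHdr64 *)(file + dos->e_lfanew + 4 + sizeof(FileHdr));
    if (nt->Signature != 0x00004550 || opt->Magic != 0x20B) return NULL;           /* "PE\0\0" and PE32+ */
    uint32_t size = opt->SizeOfImage, nsec = nt->FileHeader.NumberOfSections;
    size_t sec_off = (size_t)dos->e_lfanew + 4 + sizeof(FileHdr) + nt->FileHeader.SizeOfOptionalHeader;
    if (opt->SizeOfHeaders > size || opt->SizeOfHeaders > file_len || sec_off > file_len ||
        nsec * sizeof(SecHdr) > file_len - sec_off) return NULL;
    uint8_t *image = calloc(size, 1);
    if (!image) return NULL;
    memcpy(image, file, opt->SizeOfHeaders);                                       /* headers first */
    const SecHdr *sec = (const SecHdr *)(file + sec_off);
    for (uint32_t i = 0; i < nsec; i++) {                                          /* then each section at its RVA */
        uint32_t raw = sec[i].SizeOfRawData;
        if ((uint64_t)sec[i].PointerToRawData + raw > file_len || (uint64_t)sec[i].VirtualAddress + raw > size)
            return fail(image);
        memcpy(image + sec[i].VirtualAddress, file + sec[i].PointerToRawData, raw);
    }
    uint64_t delta = new_base - opt->ImageBase;                                    /* rebase: patch absolute pointers */
    DataDir rd = opt->DataDirectory[DIR_BASERELOC];
    if (delta == 0 || opt->NumberOfRvaAndSizes <= DIR_BASERELOC || rd.Size == 0) return image;
    if ((uint64_t)rd.VirtualAddress + rd.Size > size) return fail(image);
    for (uint32_t off = 0; off + sizeof(RelocBlock) <= rd.Size; ) {
        RelocBlock blk; memcpy(&blk, image + rd.VirtualAddress + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > rd.Size - off) return fail(image);
        for (uint32_t e = sizeof blk; e + 2 <= blk.SizeOfBlock; e += 2) {
            uint16_t ent; memcpy(&ent, image + rd.VirtualAddress + off + e, 2);
            uint64_t rva = (uint64_t)blk.VirtualAddress + (ent & 0xFFF);
            if ((ent >> 12) == REL_ABSOLUTE) continue;                             /* alignment padding entry */
            if ((ent >> 12) != REL_DIR64 || rva + 8 > size) return fail(image);
            uint64_t v; memcpy(&v, image + rva, 8); v += delta; memcpy(image + rva, &v, 8);
        }
        off += blk.SizeOfBlock;
    }
    return image;
}

/* Constructed sample (not a real DLL): a 1536-byte PE32+ image whose .text holds one absolute 64-bit
 * pointer at RVA 0x1010 (pointing at RVA 0x1020) and whose .reloc describes that single fixup. */
#define SAMPLE_BASE 0x140000000ULL
#define SAMPLE_LEN  1536
void build_sample_pe(uint8_t *out)
{
    memset(out, 0, SAMPLE_LEN);
    DosHdr *dos = (DosHdr *)out;  dos->e_magic = 0x5A4D;  dos->e_lfanew = 64;
    NtHdr64 *nt = (NtHdr64 *)(out + 64);
    nt->Signature = 0x00004550;  nt->FileHeader.Machine = 0x8664;  nt->FileHeader.NumberOfSections = 2;
    nt->FileHeader.SizeOfOptionalHeader = sizeof(OptHdr64);
    OptHdr64 *o = (OptHdr64 *)(out + 64 + 4 + sizeof(FileHdr));
    o->Magic = 0x20B;  o->ImageBase = SAMPLE_BASE;  o->SectionAlignment = 0x1000;  o->FileAlignment = 0x200;
    o->SizeOfImage = 0x3000;  o->SizeOfHeaders = 0x200;  o->NumberOfRvaAndSizes = 16;
    o->DataDirectory[DIR_BASERELOC].VirtualAddress = 0x2000;  o->DataDirectory[DIR_BASERELOC].Size = 12;
    SecHdr *s = (SecHdr *)(out + 64 + sizeof(NtHdr64));
    memcpy(s[0].Name, ".text", 5);   s[0].VirtualAddress = 0x1000;  s[0].VirtualSize = 0x100;
    s[0].PointerToRawData = 0x200;   s[0].SizeOfRawData = 0x200;    s[0].Characteristics = 0x60000020; /* CODE|EXEC|READ */
    memcpy(s[1].Name, ".reloc", 6);  s[1].VirtualAddress = 0x2000;  s[1].VirtualSize = 12;
    s[1].PointerToRawData = 0x400;   s[1].SizeOfRawData = 0x200;    s[1].Characteristics = 0x42000040; /* DATA|DISCARD|READ */
    uint64_t ptr = SAMPLE_BASE + 0x1020;  memcpy(out + 0x200 + 0x10, &ptr, 8);          /* the pointer to fix up */
    RelocBlock blk = { 0x1000, 12 };  memcpy(out + 0x400, &blk, sizeof blk);
    uint16_t ents[2] = { (REL_DIR64 << 12) | 0x10, REL_ABSOLUTE };                      /* one DIR64 fixup + padding */
    memcpy(out + 0x400 + sizeof blk, ents, sizeof ents);
}

/* Returns the constructed sample image (rebuilt on each call so callers may feed it truncated). */
static uint8_t g_sample[SAMPLE_LEN];
const uint8_t *sample_pe(void) { build_sample_pe(g_sample); return g_sample; }

/* Map the sample as if it will live at target_base and read back the fixed-up pointer (0 = rejected). */
uint64_t relocated_pointer(uint64_t target_base)
{
    uint64_t v = 0;  uint8_t *img = manual_map(sample_pe(), SAMPLE_LEN, target_base);
    if (img) { memcpy(&v, img + 0x1010, 8); free(img); }
    return v;
}

int main(void) { printf("0x%llx\n", (unsigned long long)relocated_pointer(0x7FF600000000ULL)); return 0; }
```

Rebasing for the target address happens in the driver's staging buffer before the image is written into the process; a mapper that copies first and relocates afterwards has to do its fixups with cross-process writes, one per pointer. The reason the checks matter on the kernel side is that a malformed .reloc entry is an arbitrary kernel write primitive if the driver trusts it.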

1. Introduction

In the realm of cybersecurity and software engineering, "DLL Injection" is a technique used to run arbitrary code within the address space of another process. While user-mode injection is common, Kernel DLL Injection represents a more sophisticated, stealthy, and potent approach.

Kernel DLL Injection occurs when code running with the highest privileges (Ring 0) forces a target process to load a Dynamic Link Library (DLL). Because the injection originates from the kernel, it bypasses many of the security checks and monitoring tools designed for user-mode applications, making it a favored technique for advanced malware, rootkits, and anti-cheat software.

2. PatchGuard (Kernel Patch Protection)

Periodically verifies critical kernel structures (the System Service Dispatch Table, the IDT and GDT, kernel code pages) and bugchecks the machine if they have been modified, which rules out the classic SSDT-hooking rootkit on 64-bit Windows. It does not interfere with APC queuing, process attach or memory allocation, which is why callback-and-APC injectors work on modern systems without touching anything PatchGuard watches.

Performance & Overhead

  • Injection latency: Typically 1–10 microseconds to set up the APC, but delivery depends on the target thread: a kernel-mode APC runs as soon as the thread is next scheduled, while a user-mode APC waits until the thread enters an alertable wait, which may take milliseconds or never happen for a thread that does not wait alertably. Not real-time friendly.
  • CPU overhead: Minimal. One APC insertion per injection.
  • Memory overhead: A few KB for the APC object and the DLL path string.

Draft paper: "Kernel DLL Injection: Techniques, Detection, and Defenses"

Abstract
Kernel DLL injection, a family of techniques in which a kernel-mode component loads a DLL into a user-mode process, or in which attackers get their own code into the kernel so as to manipulate kernel behavior, poses significant security risks and forensic challenges. This paper surveys common and advanced injection methods, examines motives and threat models, evaluates detection and mitigation strategies, and proposes defenses for modern Windows systems.

  1. Introduction
  • Define kernel DLL injection and scope: methods that enable user-supplied code to run in privileged kernel context or to persistently influence kernel-mode behavior via DLLs, drivers, or loader manipulation, together with driver-based injection of DLLs into user-mode processes from Ring 0.
  • Motivation: privilege escalation, persistence, stealthy rootkits, legitimate use cases (debugging, instrumentation).
  • Contribution: taxonomy of techniques, analysis of attack surface, detection approaches, recommended mitigations and policy controls.
  2. Background and threat model
  • Windows kernel architecture overview: user mode vs kernel mode, kernel drivers (KMDF), the role of ntdll/kernel32, Windows loader, Service Control Manager, call gates into kernel (syscalls, device IOCTLs), kernel object types (process, thread, driver objects), and memory protection (DEP, SMEP, SMAP, Kernel Patch Protection “PatchGuard”).
  • Threat model assumptions: attacker with initial user-mode foothold; may have local admin or limited user privileges; goal is privilege escalation, persistence, evasion. Exclude firmware/physical attacks unless noted.
  3. Taxonomy of kernel-level injection techniques
    3.1 Direct kernel driver loading
  • Installing a signed/unsigned driver (driver signing enforcement bypasses): legitimate driver installation, exploiting vulnerable drivers to load malicious code, abusing test-signing or vulnerable driver installer services.
  • Kernel-mode callbacks (PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine) and inline hooking of kernel routines.

3.2 User-mode techniques that affect kernel behavior

  • Manipulating system services and DLL search order for privileged processes (service DLL hijacking, shim/injection in service processes that run as SYSTEM).
  • Token stealing via impersonation and duplicate handles combined with CreateRemoteThread into privileged processes. While CreateRemoteThread itself is user-mode, the result can trigger privileged code execution if injected into SYSTEM processes.
  • Reflective DLL injection and manual mapping into privileged user processes.

3.3 Exploiting vulnerable kernel interfaces

  • IOCTL vulnerabilities: leveraging vulnerable driver IOCTLs to read/write kernel memory or execute code (e.g. arbitrary pointer dereference, buffer overflow in a driver's dispatch routine, unchecked physical-memory or MSR access exposed to user mode).
  • Use-after-free and race conditions in kernel components to achieve arbitrary kernel memory write/execute.

3.4 Advanced methods targeting kernel integrity protections

  • Return-oriented programming (ROP) for kernel: chaining gadgets in kernel to bypass W^X and DEP.
  • Bypassing SMEP/SMAP by clearing the corresponding CR4 bits with a kernel write or ROP primitive, or by avoiding user-mode pages altogether (kernel-resident payloads, data-only attacks).
  • Direct kernel object manipulation: modifying EPROCESS, token stealing in kernel memory.

3.5 Loader and boot-time persistence mechanisms

  • Bootkit approaches: manipulating bootloader or early kernel components to load malicious modules before OS protections initialize.
  • Abusing firmware/UEFI to persist kernel-level code (briefly covered).
  4. Case studies and notable incidents
  • Survey of public incidents where kernel-level injection or malicious drivers were used (e.g., use of vulnerable signed drivers by rootkits, kernel-level implants used by advanced threat actors). (High-level description; sources omitted.)
  5. Detection strategies
    5.1 Host-based indicators
  • Unexpected driver loads: unsigned drivers, drivers with anomalous names or paths, modifications to Service Control Manager entries.
  • Kernel memory anomalies: unusual patches to kernel code pages, altered system call table (where applicable), modified SSDT (historical), hooks on IRP dispatch or callback lists.
  • Disk and registry indicators: added service entries, persistence artifacts in RunOnce/Services.
  • Process-level signs: privileged processes with injected modules, remote threads originating from suspicious processes.

5.2 Dynamic and behavioral detection

  • Monitor kernel callback registrations (PsSetCreateProcessNotifyRoutineEx, ObRegisterCallbacks) and anomalous numbers or unknown modules registering callbacks.
  • Integrity verification: periodic kernel code signing and checksum checks; PatchGuard-style integrity monitors (noting Microsoft’s restrictions).
  • Detect unusual IOCTL patterns and abnormal use of DeviceIoControl on sensitive drivers.

5.3 Forensic memory analysis

  • Use of memory acquisition and kernel memory analysis (Volatility, Rekall): scanning for hidden drivers, altered kernel structures, suspicious module lists, EPROCESS anomalies, and system call redirections.
  • Cross-view comparisons between kernel module lists from different sources (loaded modules vs driver objects).
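As an added example covering both the cross-view comparison above and the VAD hiding and module hiding features described earlier on this page (not code from the original page or from any tool it names), the following C program compares two constructed views of one process, the loader's module list and the VAD-level mapping list, and reports the three disagreements that injection techniques produce. The module names, addresses and sizes are made up for the example; on a live system the two views would come from the PEB's InLoadOrderModuleList and from a VAD walk or a VirtualQueryEx sweep.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* View 1: the module list the target's own loader maintains (PEB -> Ldr -> InLoadOrderModuleList). */
typedef struct { const char *name; uint64_t base; uint64_t size; } LdrModule;

/* View 2: the mappings the kernel's VAD tree (or a VirtualQueryEx sweep) reports for the same process. */
#define PROT_EXEC 0x1u
typedef struct { uint64_t base; uint64_t size; unsigned prot; int image_backed; } MemRegion;

/* What the comparison can surface. */
enum finding_kind {
    UNBACKED_EXEC  = 1,   /* executable private memory no module accounts for: manual-mapped DLL or shellcode */
    UNLINKED_IMAGE = 2,   /* an image mapping the loader list omits: PEB unlinking / "module hiding" */
    MISSING_REGION = 3    /* loader lists a module whose mapping the VAD walk cannot see: VAD hiding */
};
typedef struct { enum finding_kind kind; uint64_t base; } Finding;

static int in_any_module(uint64_t addr, const LdrModule *m, size_t nm)
{
    for (size_t i = 0; i < nm; i++)
        if (addr >= m[i].base && addr < m[i].base + m[i].size) return 1;
    return 0;
}
static int in_any_region(uint64_t addr, const MemRegion *r, size_t nr)
{
    for (size_t i = 0; i < nr; i++)
        if (addr >= r[i].base && addr < r[i].base + r[i].size) return 1;
    return 0;
}

/* Cross-view check: each executable mapping must be explained by a loader entry, and each loader entry
 * must be backed by a mapping the VAD walk can see. Disagreement between the views is the signal; a
 * single tampered view (only the PEB, or only the VAD tree) looks clean on its own. Returns the
 * number of findings; at most max of them are written to out. */
size_t cross_view_scan(const LdrModule *mods, size_t nm, const MemRegion *regs, size_t nr,
                       Finding *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < nr; i++) {
        if (!(regs[i].prot & PROT_EXEC) || in_any_module(regs[i].base, mods, nm)) continue;
        if (n < max) { out[n].kind = regs[i].image_backed ? UNLINKED_IMAGE : UNBACKED_EXEC; out[n].base = regs[i].base; }
        n++;
    }
    for (size_t i = 0; i < nm; i++) {
        if (in_any_region(mods[i].base, regs, nr)) continue;
        if (n < max) { out[n].kind = MISSING_REGION; out[n].base = mods[i].base; }
        n++;
    }
    return n;
}

/* Constructed sample process state (not captured from a real system). */
static const LdrModule SAMPLE_MODS[] = {
    { "target.exe",   0x0000000000400000ULL, 0x40000  },
    { "ntdll.dll",    0x00007FFA10000000ULL, 0x1F0000 },
    { "kernel32.dll", 0x00007FFA0F000000ULL, 0xC0000  },
    { "ghost.dll",    0x0000000001E00000ULL, 0x20000  },   /* still in the PEB list, but its VAD was removed */
};
static const MemRegion SAMPLE_REGS[] = {
    { 0x0000000000400000ULL, 0x1000,   0,         1 },   /* target.exe headers, read-only */
    { 0x0000000000401000ULL, 0x3F000,  PROT_EXEC, 1 },   /* target.exe .text */
    { 0x00007FFA10000000ULL, 0x1F0000, PROT_EXEC, 1 },   /* ntdll.dll */
    { 0x00007FFA0F000000ULL, 0xC0000,  PROT_EXEC, 1 },   /* kernel32.dll */
    { 0x0000000001F00000ULL, 0x30000,  PROT_EXEC, 0 },   /* private RWX: a manually mapped DLL */
    { 0x00007FFA0E000000ULL, 0x80000,  PROT_EXEC, 1 },   /* image mapping with no loader entry */
    { 0x0000000002000000ULL, 0x10000,  0,         0 },   /* ordinary heap */
};
#define N_MODS (sizeof SAMPLE_MODS / sizeof SAMPLE_MODS[0])
#define N_REGS (sizeof SAMPLE_REGS / sizeof SAMPLE_REGS[0])

/* Accessors over the sample so the result can be inspected one finding at a time. */
static Finding g_findings[8];
size_t   sample_finding_count(void) { return cross_view_scan(SAMPLE_MODS, N_MODS, SAMPLE_REGS, N_REGS, g_findings, 8); }
int      sample_finding_kind(size_t i) { sample_finding_count(); return i < 8 ? (int)g_findings[i].kind : 0; }
uint64_t sample_finding_base(size_t i) { sample_finding_count(); return i < 8 ? g_findings[i].base : 0; }

int main(void)
{
    static const char *names[] = { "", "unbacked executable memory", "unlinked image", "module without a visible VAD" };
    size_t n = sample_finding_count();
    for (size_t i = 0; i < n && i < 8; i++)
        printf("%-30s at 0x%llx\n", names[g_findings[i].kind], (unsigned long long)g_findings[i].base);
    return 0;
}
```

On the sample the scan reports the private RWX region, the unlinked image mapping and the module whose VAD is gone, and nothing for the legitimately loaded modules. The same comparison extends naturally to a third view, a raw page-table walk, which catches the case where both the PEB entry and the VAD have been removed but the pages are still mapped.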
  6. Mitigations and defensive design
    6.1 Platform features and configuration
  • Enforce driver signing, Secure Boot and HVCI, and enable kernel DMA protection; do not leave test-signing mode enabled on production systems.
  • Keep kernel exploit mitigations in force (SMEP/SMAP, KASLR) and enable Microsoft Defender's driver blocklist and attack surface reduction features.
  • Restrict administrative privileges and apply least privilege for service accounts.

6.2 Hardening drivers and kernel interfaces

  • Safe IOCTL design: validate InputBufferLength/OutputBufferLength against the expected structure before touching the buffer, bound every length field embedded in the request, probe user pointers with ProbeForRead/ProbeForWrite under __try/__except for METHOD_NEITHER and embedded pointers, copy request data out of the shared buffer once rather than re-reading it (double-fetch races), and handle the exception path with structured exception handling.
  • Minimizing exposed kernel interfaces; explicit access control for device objects (restrict CreateFile access to administrators or signed components).
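As an added example of the IOCTL validation points above (not code from any real driver; the request layout, the dispatcher names and the caller PID are assumptions made for the example), the following C code shows a dispatch routine in the form that lands drivers on vulnerable-driver lists beside its hardened counterpart, and exercises the hardened one with constructed requests that lie about their length or ask for a target they should not get. The NTSTATUS values are the real ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "inject DLL into PID" request (this layout is assumed for the example, not any real
 * driver's). With METHOD_BUFFERED the I/O manager gives the driver SystemBuffer and InputBufferLength;
 * those two are trustworthy, but every byte inside the buffer is caller-controlled. */
typedef struct { uint32_t pid; uint32_t path_len; /* bytes of UTF-16LE path that follow */ } InjectHdr;
#define MAX_PATH_BYTES 520u                     /* MAX_PATH (260) UTF-16 code units */

/* Real NTSTATUS values. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_ACCESS_DENIED     0xC0000022u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* The shape of dispatch code that ends up in vulnerable-driver lists: the length inside the buffer is
 * trusted, so path_len > in_len reads past SystemBuffer and path_len > sizeof path smashes the stack.
 * Kept for contrast; nothing below calls it. */
uint32_t inject_dispatch_unsafe(const uint8_t *in, size_t in_len, uint32_t *pid_out)
{
    const InjectHdr *req = (const InjectHdr *)in;           /* no check that in_len >= sizeof *req */
    uint8_t path[MAX_PATH_BYTES];
    memcpy(path, in + sizeof *req, req->path_len);           /* attacker chooses the copy length */
    *pid_out = req->pid;
    (void)in_len; (void)path;
    return STATUS_SUCCESS;
}

/* Hardened form: check the fixed header is present, bound the embedded length before any arithmetic,
 * subtract rather than add so nothing overflows, then apply policy on the target PID. The header is
 * copied out once so a user thread racing on a shared buffer cannot change it between check and use. */
uint32_t inject_dispatch_safe(const uint8_t *in, size_t in_len, uint32_t caller_pid,
                              uint32_t *pid_out, uint8_t *path_out, size_t *path_len_out)
{
    InjectHdr hdr;
    if (in == NULL || in_len < sizeof hdr) return STATUS_BUFFER_TOO_SMALL;          /* header present? */
    memcpy(&hdr, in, sizeof hdr);                                                     /* single fetch */
    if (hdr.path_len == 0 || hdr.path_len > MAX_PATH_BYTES || (hdr.path_len & 1u))
        return STATUS_INVALID_PARAMETER;                                             /* sane, even length */
    if (hdr.path_len > in_len - sizeof hdr) return STATUS_BUFFER_TOO_SMALL;         /* fits what the I/O manager gave us */
    if (hdr.pid == 0 || hdr.pid == 4 || hdr.pid == caller_pid) return STATUS_ACCESS_DENIED; /* no Idle, System, or self */
    memcpy(path_out, in + sizeof hdr, hdr.path_len);
    *pid_out = hdr.pid;
    *path_len_out = hdr.path_len;
    return STATUS_SUCCESS;
}

/* Build a constructed request: header plus an ASCII path widened to UTF-16LE. Returns total bytes.
 * path_len_field is written verbatim so a test can make the header lie about the real payload size. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t pid, uint32_t path_len_field, const char *ascii)
{
    InjectHdr hdr = { pid, path_len_field };
    size_t n = strlen(ascii), total = sizeof hdr + 2 * n;
    if (total > cap) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    for (size_t i = 0; i < n; i++) { buf[sizeof hdr + 2 * i] = (uint8_t)ascii[i]; buf[sizeof hdr + 2 * i + 1] = 0; }
    return total;
}

/* Scenarios; each returns the NTSTATUS the hardened dispatcher produces. The caller PID is 4242. */
static uint32_t run(uint32_t pid, uint32_t len_field, const char *path, size_t trunc_to, size_t *got_len)
{
    uint8_t buf[600], path_out[MAX_PATH_BYTES]; uint32_t pid_out = 0; size_t plen = 0;
    size_t total = build_request(buf, sizeof buf, pid, len_field, path);
    if (trunc_to && trunc_to < total) total = trunc_to;              /* simulate a short InputBufferLength */
    uint32_t st = inject_dispatch_safe(buf, total, 4242, &pid_out, path_out, &plen);
    if (got_len) *got_len = plen;
    return st;
}
uint32_t case_well_formed(void)    { return run(1234, 16, "C:\\a.dll", 0, NULL); }            /* 8 chars = 16 bytes */
size_t   case_well_formed_len(void){ size_t l = 0; run(1234, 16, "C:\\a.dll", 0, &l); return l; }
uint32_t case_truncated(void)      { return run(1234, 16, "C:\\a.dll", 4, NULL); }            /* only 4 bytes arrive */
uint32_t case_lying_length(void)   { return run(1234, 200, "C:\\a.dll", 0, NULL); }           /* claims 200, sends 16 */
uint32_t case_huge_length(void)    { return run(1234, 0xFFFFFFF8u, "C:\\a.dll", 0, NULL); }   /* would wrap if added */
uint32_t case_self_target(void)    { return run(4242, 16, "C:\\a.dll", 0, NULL); }
uint32_t case_system_target(void)  { return run(4, 16, "C:\\a.dll", 0, NULL); }

int main(void)
{
    printf("well-formed 0x%08x truncated 0x%08x lying 0x%08x huge 0x%08x self 0x%08x system 0x%08x\n",
           case_well_formed(), case_truncated(), case_lying_length(), case_huge_length(),
           case_self_target(), case_system_target());
    return 0;
}
```

The ordering of the checks is the point: the header size check comes before the header is read, the upper bound on path_len comes before it is used in arithmetic, and the comparison is `path_len > in_len - sizeof hdr` rather than `sizeof hdr + path_len > in_len`, which a value like 0xFFFFFFF8 would wrap. A device object DACL that limits who can open the device at all belongs in front of all of this, but it is not a substitute for it.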

6.3 Runtime protections and monitoring

  • Endpoint detection: kernel-mode behavioral sensors that monitor suspicious memory writes, hooking attempts, and suspicious driver loads.
  • Use of hypervisor-based introspection (VMI) for tamper-resistant monitoring of kernel state.
  • Application and process isolation: run high-risk services in constrained containers or VMs.

6.4 Defensive response and remediation

  • Steps for incident response when a malicious driver or kernel injection is suspected: isolate, memory/image capture, block driver load, patch vulnerable drivers, restore from known-good image, engage vendor support.
  7. Evaluation of defenses: trade-offs and limitations
  • Performance and stability impacts of deeper kernel monitoring.
  • False positives from legitimate kernel instrumentation (antivirus, virtualization tools).
  • Legal and compatibility constraints (PatchGuard, driver signing) that limit third-party kernel defenses.
  8. Future directions and research opportunities
  • Kernel introspection via hardware features (TPM, TDX, secure enclaves).
  • Formal verification of drivers and automated vulnerability discovery in kernel interfaces.
  • Improved telemetry standards for kernel-level events and secure logging.
  9. Conclusion
  • Kernel DLL/driver injection remains a high-risk vector with evolving methods. Defense requires layered controls: platform hardening, secure driver design, runtime monitoring (including out-of-band/hypervisor approaches), and strong incident response capabilities.

References (selective)

  • Academic and industry works on kernel rootkits, driver vulnerabilities, defensive mechanisms, and forensic techniques. (Include appropriate citations in final draft.)

Appendix A — Practical checklist for defenders

  • Enable Secure Boot + HVCI.
  • Audit installed drivers for signatures and trusted publishers.
  • Harden device object DACLs.
  • Monitor for unusual DeviceIoControl and driver load events.
  • Maintain up-to-date patches for drivers and OS.

Appendix B — Suggested experimental setup for evaluation

  • Isolated lab with instrumented Windows VM, vulnerable driver samples, memory acquisition tools (WinDbg, OSForensics, Volatility), hypervisor introspection agent, and controlled test cases for common injection methods.


In the dimly lit glow of three monitors, Elias stared at the Blue Screen of Death. It was his fourteenth today. Most developers at Apex Cyber were working on front-facing security suites, but Elias lived in "Ring 0"—the kernel. He wasn't just writing code; he was building a ghost.

His project, codenamed K-Ghost, was a kernel DLL injector. To the uninitiated, DLL injection is like sneaking a new recipe into a chef's book while they aren't looking. But in user-mode, everyone is watching. Anti-cheat software and high-end security tools can spot a rogue thread from a mile away. To remain invisible, Elias had to go deeper.

The Deep Dive

"Standard injection uses CreateRemoteThread," Elias muttered, his fingers flying across the mechanical keyboard. "It’s like ringing the front doorbell with a ski mask on. Too loud."

He decided on a more surgical approach: Asynchronous Procedure Calls (APCs). By using a kernel driver, Elias could intercept a process the moment it was born. He targeted LdrInitializeThunk, the very first function a program runs in user-mode. By queuing a Kernel APC before the process even had a chance to breathe, his DLL would load as part of the "normal" startup flow.

The Breach

The test target was Aegis, a world-class anti-cheat system known for being impenetrable. Elias hit Enter.

The driver loaded. On his second monitor, the Aegis-protected game launched. Elias watched the memory addresses scroll. The Hook: His kernel driver spotted the new process ID.

The Allocation: It carved out a tiny, hidden pocket of memory using NX Bit Swapping to bypass hardware protections. The Injection: The APC fired.

The game’s menu appeared. For a moment, nothing happened. Then, a small, lime-green text box flickered in the corner: K-Ghost Active.

Elias exhaled, but the victory was short-lived. A red alert flashed on his third screen. It wasn't the anti-cheat—it was a notification from a system he hadn't seen before.

“Welcome, Elias. We’ve been waiting for someone to reach Ring 0.”

The injector hadn't just put code into the game; it had triggered a "canary" buried deep in the Windows kernel itself, a trap set by a rival group he only knew as The Ringmasters. They didn't want to stop him; they wanted to use his bridge. His "ghost" had just opened a back door, and he wasn't the only one walking through it.

Elias reached for the power cable, but his mouse cursor moved on its own, hovering over the Delete key of his source code. "Checkmate," a voice whispered from his speakers.

Key Concepts from the Story

Ring 0 (Kernel Mode): The most privileged level of the CPU, where the operating system's core runs.

DLL Injection: A technique used to run arbitrary code within the address space of another process.

APC (Asynchronous Procedure Call): A function that executes asynchronously in the context of a particular thread. Kernel-mode injectors often use these to stay hidden.

Manual Mapping: A stealthier injection method that manually loads a DLL into memory without using standard Windows APIs that security software monitors.

A kernel-mode DLL injector is a driver-based tool designed to inject code from the Windows kernel (Ring 0) into a user-mode process (Ring 3). This approach is typically used to bypass security software or anti-cheat systems that monitor standard user-mode injection techniques.

Core Features

Kernel Callbacks: Uses system routines like PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutineEx to detect when a target process starts or a specific image loads, triggering the injection immediately.

Asynchronous Procedure Calls (APC): Utilizes KAPCs (Kernel Asynchronous Procedure Calls) to queue a procedure in a user-land thread, often forcing the target to execute LoadLibrary or a similar function to pull in the DLL.

Manual Mapping: A stealthier method that manually parses the PE (Portable Executable) file and maps its sections into the target's memory space without using standard Windows APIs like LoadLibrary, which leaves less of a trace.

Stealth & Hiding

VAD Hiding: Modifies Virtual Address Descriptors to hide the presence of the injected DLL from memory scanners.

NX Bit Swapping: Manipulates page permissions (No-Execute bits) to execute code in regions that appear to be read/write only.

Module Hiding: Prevents the injected DLL from appearing in the target process's module list (PEB).

Driver Loading/Bypassing: Since modern Windows requires signed drivers, many injectors include features to bypass Driver Signature Enforcement (DSE) or use "reflective driver loading" to run the injector itself without a valid signature.

Popular Techniques & Implementations

KMDllInjector: Uses kernel callbacks to monitor process creation and automate injection.

MMInject: Focuses on hiding injected modules using advanced memory manipulation like NX bit swapping.

Kernel APC injectors: The classic approach, using Kernel APCs to perform the injection.

Manual Mapping (Threadless): Some injectors avoid creating new threads (which are easily spotted by EDRs) and instead hijack existing execution flows to run the injected code.


A kernel DLL injector is an advanced software utility or driver used to inject a Dynamic Link Library (DLL) into a target process from the Windows kernel. Unlike standard user-mode injectors that rely on high-level APIs like CreateRemoteThread, kernel injectors operate at the highest privilege level (Ring 0), allowing them to bypass many traditional security measures and anti-cheat systems.

Core Mechanism

Kernel injectors typically utilize a Windows driver to facilitate the injection process. The general workflow involves:

Registration of Callbacks: The driver registers kernel callbacks such as PsSetLoadImageNotifyRoutine or PsSetCreateProcessNotifyRoutineEx.

Triggering: When a new process is created or a specific image is loaded, the callback is triggered.

Memory Injection: The driver then maps the DLL into the target process's memory space, often using manual mapping to avoid leaving traces in the module list, and arranges for it to run, typically by queuing an APC to one of the process's threads.

Common Techniques

Techniques vary based on the desired level of stealth and compatibility:

Reflective DLL Injection: Loading a library from memory into a host process without writing it to disk first.

Manual Mapping: Manually parsing the PE (Portable Executable) headers and mapping sections into memory, effectively rebuilding the DLL's functionality within the target process.

Shellcode Injection: Writing a small position-independent stub into the target from the kernel and running it there, so the loading logic executes in the target's own context rather than in the driver.

Security and Use Cases

Anti-Cheat Bypassing: Frequently used in game security to stay undetected by anti-cheat software like Easy Anti-Cheat (EAC) or BattlEye, which monitor user-mode API calls.

Advanced Protection: Some security tools use kernel-mode techniques for binary hardening, anti-tampering, and protection against memory exploits.

Malware Analysis: Used by researchers to observe how malware interacts with system processes from a privileged vantage point.

Popular Repositories and Resources

Several open-source projects provide frameworks for kernel-level injection:

KMDllInjector: A kernel-mode DLL injector that uses system callbacks for injection.

Xenos: A well-known Windows DLL injector that supports various advanced techniques.

Awesome Game Security: A curated list of tools and resources related to game security and injection.

Kernel DLL Injector: A Powerful Tool for Windows Internals

Introduction

A kernel DLL injector is a utility that injects a DLL (Dynamic Link Library) into a user-mode process from kernel mode. This technique is often employed by developers, reverse engineers, and security researchers to analyze and interact with Windows internals. In this article, we will explore the concept of kernel DLL injection, its uses, and show the basic user-mode injector that a kernel injector re-implements from Ring 0.

What is Kernel DLL Injection?

Kernel DLL injection is a technique in which a driver, rather than a user-mode program, loads a custom DLL into a target process. The injected DLL still runs in user mode inside that process; what the kernel origin buys is that none of the user-mode APIs that security software hooks (OpenProcess, CreateRemoteThread, LoadLibrary) are called by the injector, and that the driver can attach to the target, allocate, write and queue an APC before the process's own protections have initialized.

Uses of Kernel DLL Injection

Kernel DLL injection has several legitimate uses:

  1. Debugging and reverse engineering: By injecting a custom DLL into a process from the kernel, developers and reverse engineers can instrument software that resists ordinary user-mode injection.
  2. Security research: Kernel DLL injection can be used to test how well EDR and anti-cheat products detect injection that does not pass through user-mode APIs.
  3. Driver development: Developers of kernel-mode drivers use the same primitives (process attach, cross-process memory writes, kernel APCs) and can exercise them in a controlled lab before shipping.

How Kernel DLL Injection Works

The process of kernel DLL injection involves several steps, all performed by a driver:

  1. Locate the target process: The driver looks the process up by PID (PsLookupProcessByProcessId) or catches its creation in a PsSetCreateProcessNotifyRoutineEx or PsSetLoadImageNotifyRoutine callback, then attaches to its address space (KeStackAttachProcess).
  2. Allocate memory for the DLL: While attached, the driver allocates memory in the target's address space (ZwAllocateVirtualMemory) to hold the DLL path or the mapped image.
  3. Write the DLL to the allocated memory: The driver copies the path or the manually mapped image into that memory.
  4. Run it in the target: Rather than creating a remote thread, the driver queues an APC to one of the target's threads; the APC routine calls LoadLibrary or jumps to the mapped image's entry point the next time that thread runs (or, for a user-mode APC, the next time it waits alertably).

Example: Creating a Basic Kernel DLL Injector

Here is the basic user-mode injector (CreateRemoteThread plus LoadLibraryW) that the kernel version re-implements from Ring 0, written in C++:

#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <wchar.h>

// This is the classic *user-mode* injector: OpenProcess / VirtualAllocEx /
// WriteProcessMemory / CreateRemoteThread with LoadLibraryW as the thread start.
// It cannot target the "System" process (PID 4): OpenProcess fails from user mode
// and that process has no user-mode loader. A kernel injector performs the same
// four stages from a driver.
int main()
{
    // Example target and DLL path (placeholders for a lab setup)
    const wchar_t* targetProcess = L"notepad.exe";
    const wchar_t* dllPath = L"C:\\path\\to\\your\\dll.dll";
    SIZE_T dllPathBytes = (wcslen(dllPath) + 1) * sizeof(wchar_t);   // include the NUL terminator

    // Find the target process by executable name
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) return 1;

    PROCESSENTRY32W pe = { 0 };
    pe.dwSize = sizeof(pe);
    if (Process32FirstW(hSnapshot, &pe)) {
        do {
            if (_wcsicmp(pe.szExeFile, targetProcess) != 0) continue;

            // Open a handle with only the rights the steps below need
            HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                          PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                          FALSE, pe.th32ProcessID);
            if (!hProcess) { wprintf(L"OpenProcess(%lu) failed: %lu\n", pe.th32ProcessID, GetLastError()); continue; }

            // Allocate memory in the target for the DLL path and write it there
            LPVOID pDll = VirtualAllocEx(hProcess, NULL, dllPathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
            if (pDll && WriteProcessMemory(hProcess, pDll, dllPath, dllPathBytes, NULL)) {
                // kernel32 is mapped at the same base in every process, so our LoadLibraryW address is valid there
                LPTHREAD_START_ROUTINE pRoutine =
                    (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
                HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pRoutine, pDll, 0, NULL);
                if (hThread) {
                    WaitForSingleObject(hThread, 5000);   // let LoadLibraryW finish before the path is freed
                    CloseHandle(hThread);
                }
            }
            if (pDll) VirtualFreeEx(hProcess, pDll, 0, MEM_RELEASE);
            CloseHandle(hProcess);
        } while (Process32NextW(hSnapshot, &pe));
    }
    CloseHandle(hSnapshot);
    return 0;
}

Conclusion

Kernel DLL injection is a powerful technique used to interact with Windows internals. While it has legitimate uses, it can also be misused by malicious actors. As with any powerful tool, it is essential to use kernel DLL injection responsibly and with caution.

Additional Resources

  • Windows Internals, Part 1: Covering Windows Server 2008 R2, Windows 7, and Windows Vista (Microsoft Press)
  • Windows Kernel-Mode Driver Development (Microsoft Docs)
  • Kernel-mode DLL injection (Matt Pietrek's blog)
