Although there's no source code, Microsoft's public debug symbol information makes it pretty easy to determine where certain functionality lies in most of their binaries. Then you overwrite the opcodes to get the desired functionality - the APIs are pretty simple, OpenProcess, WriteProcessMemory and you're done. The harder part is finding something to signature match or similar so that each time the DLL is re-compiled your patch doesn't break since the offsets have changed.