Skip to content

Load a dynamic library from memory by modifying the native Windows loader

License

Notifications You must be signed in to change notification settings

EvanMcBroom/perfect-loader

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Perfect Loader

MIT License

A reference implementation of a perfect in-memory dynamic library loader for Windows. The implementation may be considered perfect because it does not reimplement LoadLibrary, an approach that is inherently incomplete. Rather, the implementation redirects LoadLibrary to use in-memory data, creating a solution that will always have feature parity with the native Windows loader.

The project implements two solutions for redirecting LoadLibrary. The first is based off of A-Normal-User's excellent work of redirecting LoadLibrary by placing hooks on NtOpenFile and NtMapViewOfSection. Although redirecting LoadLibrary by placing hooks on native functions has been previously documented in various malware reports, A-Normal-User's approach is unique in that it only requires two hooks. Alex Short also has a similar approach that only requires one hook. Alex's approach does require you to identify a library without CFG that is larger than the in-memory library you intend to load, but he shows how to easily find such a library in his function FindNoCfgDll.

The second solution uses a similar method to Process Doppelgänging of updating an opened file in a transaction and using it to create a section object. The solution differs from Tal Liberman and Eugene Kogan's work by redirecting LoadLibrary to use the section instead of using the section to create a new process or thread. To my knowledge, this is a novel approach to using transactions and I personally refer to it as Module Doppelgänging to acknowledge Tal and Eugene's prior work.

Features

  • x86 and x64 support
  • Reflectively inject module using manual mapping or Module Doppelgänging
  • Hooking using patching or hardware breakpoints
  • Disable module load notifications
  • Unlink module from loader lists
  • Remove or overwrite module headers
  • Disable thread callbacks for a module

✏️ The Module Doppelgänging and hardware breakpoint options for injecting a module are currently not supported on WoW64 processes.

Building

Perfect loader uses CMake to generate and run the build system files for your platform.

git clone https://github.com/EvanMcBroom/perfect-loader.git
cd perfect-loader/builds
cmake .. -A {Win32 | x64}
cmake --build .

By default CMake will build the following:

Artifact Description
perfect-loader.lib The main static library for the project
pl.dll A DLL that exposes the functionality of the project as a single exported C API
run.exe An example utility which uses the library to load a DLL from memory
testdll.dll An example DLL which may be used with the run.exe utility

Other CMake projects may use perfect loader by calling include on this directory from an overarching project's CMakeLists.txt files. Doing so will add the static library and the shared library with the C API as CMake targets in the overarching project but will not add the run utility or the testdll library.

About

Load a dynamic library from memory by modifying the native Windows loader

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published