An implementation of a Windows loader that can load dynamic-link libraries (DLLs) directly from memory

Overview

memory-module-loader

memory-module-loader is an implementation of a Windows loader that can load dynamic-link libraries (DLLs) directly from memory.

The loader exposed by the Windows operating system can only load modules from disk via LoadLibrary or LoadLibraryEx. However, it is entirely possible to load libraries from memory instead. This is one such implementation. This loader supports loading resources as well.

Authors

  • Originally forked by Benjamin Dagana from https://github.com/fancycode/MemoryModule circa summer 2016.
  • Updated by Ateeq Sharfuddin to support TLS.
  • Updated by Jonathan Lim to support AMD64.
  • Updated by Ateeq Sharfuddin to include example and documentation.

License

Please review the file LICENSE in this repository.

Details

  1. The cloader project compiles into a static library.
  2. As an example, a small sample dll is provided.
  3. A sample executable is provided that links with the cloader. This executable loads sample-dll and calls a function.

Building from source

Open cloader.sln in Visual Studio 2019 and build the solution. The output will be placed under the bin directory.

Functions

LoadModuleFromMemory

Similar to LoadLibrary, but loads the module from memory instead.

_GetProcAddress

Similar to GetProcAddress, but usable only for modules loaded by LoadModuleFromMemory.

FreeLibraryResources

Similar to FreeLibrary, but use only for modules loaded by LoadModuleFromMemory.

_FindResource

Similar to FindResource, but use only to find resources in modules loaded by LoadModuleFromMemory.

_LoadResource

Similar to LoadResource, but use only to load resources in modules loaded by LoadModuleFromMemory. In this case, you do not need to call LockResource: this function simply returns the address of the resource instead of an HGLOBAL object.

_SizeofResource

Similar to SizeofResource, but use only for resources in modules loaded by LoadModuleFromMemory.
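
Because these modules are reachable only through the loader's own functions, a defender cannot rely on the process module list to see them. The following is an added example (not code from this repository) of the usual triage check, run here over a constructed memory snapshot. It assumes, as in MemoryModule-style loaders generally, that the image sits in private (VirtualAlloc) memory and is not registered with the OS loader; region_t, find_unlisted_images and demo are hypothetical names, and the protection values in the snapshot are PAGE_READONLY (0x02), PAGE_READWRITE (0x04) and PAGE_EXECUTE_READ (0x20).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MEM_PRIVATE 0x20000u   /* region Type for VirtualAlloc memory */
#define MEM_IMAGE   0x1000000u /* region Type for images mapped by the OS loader */
#define EXEC_MASK   0xF0u      /* any PAGE_EXECUTE* protection bit */
/* Hypothetical, simplified record: one entry per VirtualQuery result. */
typedef struct {
    uint64_t base, alloc_base;
    uint32_t type, protect;
    const uint8_t *head; size_t head_len; /* first bytes read from the region */
} region_t;

/* 1 if buf starts with "MZ" and e_lfanew (offset 0x3C) points at "PE\0\0". */
int looks_like_pe(const uint8_t *buf, size_t len) {
    if (!buf || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t off = buf[0x3C] | buf[0x3D] << 8 | buf[0x3E] << 16 | (uint32_t)buf[0x3F] << 24;
    if (off > len || len - off < 4) return 0; /* signature must lie inside buf */
    return memcmp(buf + off, "PE\0\0", 4) == 0;
}

/* Stores bases of private, unlisted PE allocations that hold executable pages. */
size_t find_unlisted_images(const region_t *r, size_t n, const uint64_t *mods,
                            size_t nmods, uint64_t *out, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        int listed = 0, exec = 0;
        if (r[i].base != r[i].alloc_base || r[i].type != MEM_PRIVATE) continue;
        for (size_t m = 0; m < nmods; m++) listed |= (mods[m] == r[i].base);
        if (listed || !looks_like_pe(r[i].head, r[i].head_len)) continue;
        for (size_t j = 0; j < n; j++) /* header page itself is usually not executable */
            exec |= (r[j].alloc_base == r[i].base && (r[j].protect & EXEC_MASK) != 0);
        if (exec && found < cap) out[found++] = r[i].base;
    }
    return found;
}

/* Constructed snapshot: one listed, OS-mapped DLL and one private, unlisted image. */
size_t demo(uint64_t *out, size_t cap) {
    const uint8_t hdr[0x84] = { 'M', 'Z', [0x3C] = 0x80, [0x80] = 'P', 'E' };
    const region_t snap[] = {
        { 0x7ff800000000ULL, 0x7ff800000000ULL, MEM_IMAGE, 0x02, hdr, sizeof hdr },
        { 0x7ff800001000ULL, 0x7ff800000000ULL, MEM_IMAGE, 0x20, NULL, 0 },
        { 0x2a0000000ULL, 0x2a0000000ULL, MEM_PRIVATE, 0x04, hdr, sizeof hdr },
        { 0x2a0001000ULL, 0x2a0000000ULL, MEM_PRIVATE, 0x20, NULL, 0 },
    };
    const uint64_t mods[] = { 0x7ff800000000ULL }; /* what the module list reports */
    return find_unlisted_images(snap, 4, mods, 1, out, cap);
}
int main(void) { uint64_t h[4]; printf("%zu unlisted image(s)\n", demo(h, 4)); return 0; }
```

The header check is a heuristic: private executable memory with no matching module entry is worth reviewing even when no PE header is found at its base.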

Layout

memory-module-loader
|   cloader.sln
|   LICENSE
|   README.md
|
\---src
    +---cloader
    |       cloader.vcxproj
    |       cloader.vcxproj.filters
    |       common.h
    |       moduleloader.c
    |       moduleloader.h
    |
    +---sample-dll
    |       common.h
    |       dllmain.cpp
    |       sample-dll.c
    |       sample-dll.def
    |       sample-dll.vcxproj
    |       sample-dll.vcxproj.filters
    |
    \---sample-exe
            sample-exe.c
            sample-exe.vcxproj
            sample-exe.vcxproj.filters
Comments
  • How can I getProcAddress from a DLL that exported without function name?

    I have a DLL which was exported without function name. I can only call it by the ordinal value in C#. The function is like this. [image] So how can I call it in memory-module-loader? I've tried the following way to do that, but it got the wrong result. The result is always zero. [image] [image]

    In addition, I have made the following changes. [image] Thanks a lot.

    opened by JerryLiew 7
Owner
SCYTHE