Windows

LdrLibraryEx – A Lightweight x64 Library For Loading DLLs Into Memory

A small x64 library to load dll’s into memory. n the world of software development, efficient DLL loading is a crucial aspect of optimizing performance and functionality.

Enter “LdrLibraryEx,” a powerful x64 library designed to streamline the process of loading DLLs into memory.

This lightweight and versatile tool offers developers a range of features, from low dependencies and memory-based loading to advanced functionality, making it an invaluable asset for enhancing Windows application performance.

Join us as we explore the capabilities and benefits of LdrLibraryEx in this comprehensive guide.

Features

  • low dependencies & function use (only ntdll.dll used)
  • position independent code
  • lightweight and minimal
  • easy to use
  • load modules from memory
  • load modules from disk
  • api sets support
  • bypass image load callbacks (using private memory)
  • support for images with delayed import, tls, seh, etc.

Documentation

Library Flags

Flags can be combined

LIBRARYEX_NONE: Map module from disk into memory and execute entrypoint.

LIBRARYEX_BYPASS_LOAD_CALLBACK: Map module from disk into private memory (unbacked) which bypasses image load callbacks (PsSetLoadImageNotifyRoutine)

LIBRARYEX_NO_ENTRY: Do not execute the entrypoint of the module.

LIBRARYEX_BUFFER: Map the module from memory instead from disk.

Function: LdrLibrary

Easy to use function to load a library into memory. The first param, based on what flags has been specified, can be either a wide string module name to load or memory address where the PE is located at.

/*!
 * @brief
 *  load library into memory
 *
 * @param Buffer
 *  buffer context to load library
 *  either a wide string or a buffer pointer 
 *  the to PE file to map (LIBRARYEX_BUFFER)
 *
 * @param Library
 *  loaded library pointer
 *
 * @param Flags
 *  flags
 *
 * @return
 *  status of function
 */NTSTATUS LdrLibrary(
    _In_  PVOID  Buffer,
    _Out_ PVOID* Library,
    _In_  ULONG  Flags
);

This example shows how to load a module from disk (from the System32 path):

PVOID Module = { 0 };
ULONG Flags  = { 0 };

//
// mapping flags to be used by the library
//
Flags = LIBRARYEX_NONE; 

//
// map file into memory
//
if ( ! NT_SUCCESS( Status = LdrLibrary( L"advapi32.dll", &Module, Flags ) ) ) {
    printf( "[-] LdrLibraryEx Failed: %p\n", Status );
    return; 
}

printf( "[*] Module @ %p\n", Module );

This examples shows how to load a module from a memory buffer:

PVOID Module = { 0 };
ULONG Flags  = { 0 };

//
// mapping flags to be used by the library
//
Flags = LIBRARYEX_NONE  | 
        LIBRARYEX_BUFFER; 

//
// read file on disk into memory
//
if ( ! ( Image = ReadFileBuffer( L"C:\\Windows\\System32\\advapi32.dll", NULL ) ) ) {
    puts( "[-] ReadFileBuffer Failed" );
    return;
}

//
// map file into memory
//
if ( ! NT_SUCCESS( Status = LdrLibrary( Image, &Module, Flags ) ) ) {
    printf( "[-] LdrLibraryEx Failed: %p\n", Status );
    return;
}

printf( "[*] Module @ %p\n", Module );

It is also possible to load modules based on their api set (win10+ support only):

//
// map file into memory
//
if ( ! NT_SUCCESS( Status = LdrLibrary( L"api-ms-win-base-util-l1-1-0.dll", &Module, Flags ) ) ) {
    printf( "[-] LdrLibraryEx Failed: %p\n", Status );
    return;
}

printf( "[*] Module @ %p\n",  );

Function: LdrLibraryEx

LdrLibraryEx allows to hook certain functions to modify the behaviour of how a library should be mapped into memory.

//
// mapping flags to be used by the library
// and insert the loaded module into Peb
//
Flags = LIBRARYEX_BYPASS_LOAD_CALLBACK |
        LIBRARYEX_NO_ENTRY;

//
// init LibraryEx context
//
if ( ! NT_SUCCESS( Status = LdrLibraryCtx( &Ctx, Flags ) ) ) {
    printf( "[-] LdrLibraryCtx Failed: %d\n", Status );
    goto END;
}

//
// hook function
//
Ctx.LdrLoadDll = C_PTR( HookLdrLoadDll );

//
// map file into memory
//
if ( ! NT_SUCCESS( Status = LdrLibraryEx( &Ctx, L"cryptsp.dll", &Module, Flags ) ) ) {
    printf( "[-] LdrLibraryEx Failed: %p\n", Status );
    return; 
}

Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

4 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

4 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

4 weeks ago