Lunar is a lightweight native DLL mapping library that supports mapping directly from memory.
Features
- Imports and delay imports are resolved
- Relocations are performed
- Image sections are mapped with the correct page protection
- Exception handlers are initialised
- A security cookie is generated and initialised
- DLL entry point and TLS callbacks are called
Getting Started
The example below demonstrates a simple implementation of the library
var libraryMapper = new LibraryMapper(process, dllBytes);
// Map the DLL into the process
libraryMapper.MapLibrary();
// Unmap the DLL from the process
libraryMapper.UnmapLibrary();
Also Read – Sandcastle : A Python Script For AWS S3 Bucket Enumeration
Constructors
LibraryMapper(Process, Memory<byte>)
- Provides the functionality to map a DLL from memory into a remote process
LibraryMapper(Process, string)
- Provides the functionality to map a DLL from disk into a remote process.
Properties
DllBaseAddress
The base address of the DLL in the remote process after it has been mapped.
Methods
MapLibrary()
- Maps the DLL into the remote process
UnmapLibrary()
- Unmaps the DLL from the remote process
Caveats
- Mapping requires the presence of a PDB for ntdll.dll, and, so, the library will automatically download the latest version of this PDB from the Microsoft symbol server and cache it in %appdata%/Lunar/Dependencies
