-4

I tried using ifstream to get the contents of my dll file to be injected into a remote process. I used a char* buffer to store the contents of the dll and then used WriteProcessMemory to inject the binary of the dll file into the process. I used CheatEngine to look at the memory region pointed to by the result of VirtualAllocEx so I know the data got written because I see a text parameter of one of the functions I made. I'm just curious what it is that LoadLibrary does differently from just loading the raw binary of the dll into the process.

  • map binary as image, but not linear, relocate and resolve imports (may load additional dlls), create activation context, if manifest exists, call entry point.. – RbMm Jul 03 '16 at 07:50
  • This is well known. There are many libraries that implement in-memory module loaders. Read their source. Clearly it's a massive hack. – David Heffernan Jul 03 '16 at 08:05
  • Why would you not just call LoadLibrary? Or, if you want more control, LoadLibraryEx. I cannot think of a single good reason for reverse engineering this so that you can do it manually. – Cody Gray - on strike Jul 03 '16 at 09:29
  • Why would you think simply copying the content of the DLL file from one memory buffer to another would be enough to "load" the DLL? As far as the copy is concerned, it is just arbitrary bytes, the OS is not going to try interpreting the bytes being copied. – Remy Lebeau Jul 03 '16 at 17:05

1 Answer

4

In short, LoadLibrary does the following things:

  1. Map and relocate sections in memory.

  2. Deal with the Import Descriptor Table, load any dependencies (if necessary), and fill the Import Address Table (IAT).

  3. Write necessary information to the Process Environment Block (PEB) so that you can find the module in the module list.

  4. Call module load notifies (usually in kernel).

  5. Cleanup for a new module context.

  6. Create an activation context (if there is a manifest).

  7. Call the entry point (DllMain), if it exists.

Cody Gray - on strike
Keyu Gan
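Step 1 of the answer (and the "image, but not linear" comment) is visible from the PE section table alone: each section has one offset in the file and a different address in the mapped image, so a byte-for-byte copy of the file leaves code and data at the wrong addresses. The Python sketch below is an added example, not part of the original answer; the two-section header it parses is constructed, and the function names are hypothetical.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data: bytes):
    """Return (name, rva, virtual_size, raw_offset, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: only NumberOfSections and SizeOfOptionalHeader are needed
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, rva, rsize, roff, *_ = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode(), rva, vsize, roff, rsize))
    return out

def rva_to_file_offset(sections, rva):
    """File offset holding an image-relative address, or None if no file bytes back it."""
    for _, sec_rva, vsize, roff, rsize in sections:
        if sec_rva <= rva < sec_rva + max(vsize, rsize):
            delta = rva - sec_rva
            # Past SizeOfRawData the loader zero-fills; the file has nothing there.
            return roff + delta if delta < rsize else None
    return None

def build_sample():
    """Constructed two-section PE skeleton; fields not parsed here are left zero."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = [(b".text", 0x1234, 0x1000, 0x1400, 0x400),
            (b".data", 0x3000, 0x3000, 0x200, 0x1800)]
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, ro, 0, 0, 0, 0, 0)
                     for n, vs, va, rs, ro in secs)
    return dos + coff + b"\0" * 0xF0 + table

if __name__ == "__main__":
    for name, rva, vsize, roff, rsize in parse_sections(build_sample()):
        print(f"{name:6} file 0x{roff:04x}+0x{rsize:04x} -> image 0x{rva:04x}+0x{vsize:04x}")
```

In the sample, code the image expects at base + 0x1010 sits at offset 0x410 of the file, and most of `.data` has no file bytes at all. A raw copy therefore has neither at the right place, before relocations and imports are even considered.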