11# MemoryModule
22A tool to parse and load module in memory, as well as attach a DLL in EXE.
33
4- ## winpe
4+ Most of the functions are inline, so that it can also be used in shellcode.
5+
6+ ## compile
7+
8+ ``` shell
9+ cd ./src/memdll
10+ pip install lief
11+ pip install keystone
12+ make ARCH=i686 # x86 release
13+ make ARCH=x86_64 # x64 release
14+ make ARCH=i686 DEBUG=1 # x86 debug
15+ make ARCH=x86_64 DEBUG=1 # x64 debug
16+ ```
17+
18+ ## usage
19+
20+ ### load DLL in memory
21+
22+ ``` c
23+ const char *dllpath = " test.dll" ;
24+ size_t mempesize = 0 ;
25+ void *memdll = NULL ;
26+
27+ // load the pe file in memory and align it to memory align
28+ void *mempe = winpe_memload_file(dllpath, &mempesize, TRUE );
29+
30+ // memory loadlibrary
31+ memdll = winpe_memLoadLibrary(mempe);
32+ winpe_memFreeLibrary (memdll);
33+
34+ // memory loadlibrary at specific address
35+ size_t targetaddr = sizeof(size_t) > 4 ? 0x140030000: 0x90000;
36+ memdll = winpe_memLoadLibraryEx(memdll, targetaddr,
37+ WINPE_LDFLAG_MEMALLOC, (PFN_LoadLibraryA)winpe_findloadlibrarya(),
38+ (PFN_GetProcAddress)winpe_memGetProcAddress);
39+ winpe_memFreeLibrary(memdll);
40+ free(mempe);
41+ ```
42+
43+
44+
45+ ### attach DLL in exe
46+
47+ ```shell
48+ win_injectmemdll.exe exepath dllpath [outpath]
49+ ```
50+
51+ ## memory module API
552
653These functions are essential to load memory module in windows.
754
855``` c
56+ /*
57+ similar to LoadlibrayA, will call dllentry
58+ will load the mempe in a valid imagebase
59+ return hmodule base
60+ */
61+ WINPEDEF WINPE_EXPORT
62+ inline void * STDCALL winpe_memLoadLibrary (void * mempe);
63+
64+ /*
65+ if imagebase==0, will load on mempe, or in imagebase
66+ will load the mempe in a valid imagebase, flag as below:
67+ WINPE_LDFLAG_MEMALLOC 0x1, will alloc memory to imagebase
68+ WINPE_LDFLAG_MEMFIND 0x2, will find a valid space,
69+ must combined with WINPE_LDFLAG_MEMALLOC
70+ return hmodule base
71+ * /
72+ WINPEDEF WINPE_EXPORT
73+ inline void* STDCALL winpe_memLoadLibraryEx(void * mempe,
74+ size_t imagebase, DWORD flag,
75+ PFN_LoadLibraryA pfnLoadLibraryA,
76+ PFN_GetProcAddress pfnGetProcAddress);
77+
78+ /*
79+ similar to FreeLibrary, will call dllentry
80+ return true or false
81+ * /
82+ WINPEDEF WINPE_EXPORT
83+ inline BOOL STDCALL winpe_memFreeLibrary(void * mempe);
84+
85+ /*
86+ FreeLibraryEx with VirtualFree custom function
87+ return true or false
88+ * /
89+ WINPEDEF WINPE_EXPORT
90+ inline BOOL STDCALL winpe_memFreeLibraryEx(void * mempe,
91+ PFN_LoadLibraryA pfnLoadLibraryA,
92+ PFN_GetProcAddress pfnGetProcAddress);
93+
94+ /*
95+ similar to GetProcAddress
96+ return function va
97+ * /
98+ WINPEDEF WINPE_EXPORT
99+ inline PROC STDCALL winpe_memGetProcAddress(
100+ void * mempe, const char * funcname);
101+
102+ // mempe internal functions
9103/*
10104 load the origin rawpe in memory buffer by mem align
11105 return memsize
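Review bot: The new `### load DLL in memory` example passes an already-freed handle to the second load: right after `winpe_memFreeLibrary (memdll);` it calls `memdll = winpe_memLoadLibraryEx(memdll, targetaddr, ...)`, while the API block in this same hunk declares the first parameter as `void * mempe` (the aligned image returned by `winpe_memload_file`), so the example should pass `mempe` rather than the freed `memdll`. Two smaller points in the same hunk: the comment on `winpe_memFreeLibraryEx` says `FreeLibraryEx with VirtualFree custom function`, but the declared parameters are `pfnLoadLibraryA` and `pfnGetProcAddress`, so either the comment or the signature needs to be brought in line; and several comment terminators in the API block are written as `* /` (with a space) and the comment text has `LoadlibrayA` for `LoadLibraryA`, both of which would trip anyone who pastes the declarations. The string literal `" test.dll"` in the usage example also carries a leading space before the file name.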
@@ -31,21 +125,8 @@ size_t winpe_membindiat(void *mempe,
31125
32126See `winpe.h` for parsing and loading PE structure in detail.
33127
34- ## compile
128+ ## known issues
35129
36- ```shell
37- cd ./src/memdll
38- pip install lief
39- pip install keystone
40- make ARCH=i686 # x86 release
41- make ARCH=x86_64 # x64 release
42- make ARCH=i686 DEBUG=1 # x86 debug
43- make ARCH=x86_64 DEBUG=1 # x64 debug
44- ```
45-
46- ## usage
47-
48- ``` shell
49- win_injectmemdll exepath dllpath [outpath]
50- ```
130+ * attach x64 DLL to exe crash on calling some windows API
51131
132+ (load x64 DLL in memory after main function doesn't have this problem)
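Review bot: The new `## known issues` entry should pin down the failing case: `attach x64 DLL to exe crash on calling some windows API` names neither the APIs nor the symptom, so a reader cannot tell whether their build is affected, and the parenthetical on the following line is separated by a blank line and reads as a detached paragraph rather than part of the bullet. Consider folding it into one item, for example `* attach x64 DLL to exe crashes when calling some Windows APIs (loading the x64 DLL in memory after the main function does not have this problem)`, and linking a tracking issue if one exists. The `## compile` and `## usage` sections removed in this hunk are re-added near the top of the file in the earlier hunk, so the move loses no content.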