
[Feature Request] DarkLoadLibrary for DLL Imports

Open williamknows opened this issue 3 years ago • 5 comments

Hey, great tool. Are there any near-term plans to add DarkLoadLibrary loading for a DLL's dependencies/imports? They're currently just using LoadLibrary, and I can see you added a note to say support would (hopefully) be added in future (in ldrutils.c).

Nov 03 '21 11:11 williamknows

do it urself

Nov 03 '21 17:11 hypervis0r

I tried it but there are still some cases where DarkLoadLibrary doesn't seem to work. I found some very weird errors with user32.dll if I remember correctly, the initialization routine (DLLMain) followed some very bizarre code paths for some reason.

Nov 03 '21 17:11 physics-sec

Yes, some Microsoft DLLs don't load correctly when using DarkLoadLibrary. I've not quite got to the bottom of this issue yet, I am currently investigating it.

Nov 04 '21 10:11 bats3c

> Yes, some Microsoft DLLs don't load correctly when using DarkLoadLibrary. I've not quite got to the bottom of this issue yet, I am currently investigating it.

The reason is: you haven't handled the API set schema in your DIY GetProcAddress, here: https://github.com/bats3c/DarkLoadLibrary/blob/master/DarkLoadLibrary/src/pebutils.c#L445

Jan 11 '22 12:01 EddieIvan01

This is not the reason for the issues, in the past LdrGetProcedureAddress from ntdll was in use and the issue still remained.

Jan 13 '22 20:01 bats3c