☘️ A flexible PE loader that loads a module in memory. Most of the functions can be inlined, which makes them shellcode-compatible.
Compatible with:
- windows xp
- windows 7
- windows 8
- windows 10
- windows 11
- linux wine
You can use clang (llvm-mingw), gcc (mingw-w64), tcc or msvc (Visual Studio 2022) to compile.
Here's an example (llvm-mingw for the shellcode target, mingw-w64 gcc for the 32-bit debug build):

```sh
git clone https://github.com/YuriSizuku/MemoryModule.git --recursive
make winmemdll_shellcode CC=x86_64-w64-mingw32-clang # only if you want to generate shellcode
make winmemdll CC=i686-w64-mingw32-gcc BUILD_TYPE=32d # x86 debug
```
The memory loading flow:

```mermaid
%%{init: {'theme':'forest'}}%%
graph LR;
f1[winpe_findspace]
f2[winpe_memreloc];
f3[winpe_membindiat]
f4[winpe_membindtls]
f5[pfnDllMain]
f1 --> f2 --> f3 --> f4 --> f5
```
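The `winpe_memreloc` step in the flow above is the base-relocation pass: once the image is placed at an address other than the `ImageBase` it was linked for, every absolute address listed in the `.reloc` directory has to be shifted by the delta. The following is an added example, not code from the MemoryModule project, that implements that pass over a constructed PE32+ image so it compiles and runs on any host without windows.h. The struct mirrors `IMAGE_BASE_RELOCATION`; the `DEMO_*` addresses, the 0x3000-byte image and the function names are assumptions made for this demo. It also handles the PE32 `HIGHLOW` type and bounds-checks every RVA, which matters when the image being loaded is not trusted.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_BASE_RELOCATION, written out so the example builds without windows.h. */
typedef struct {
    uint32_t VirtualAddress;   /* RVA of the 4 KiB page the entries belong to */
    uint32_t SizeOfBlock;      /* 8-byte header plus 2 bytes per entry */
} reloc_block_t;

enum { REL_ABSOLUTE = 0, REL_HIGHLOW = 3, REL_DIR64 = 10 };   /* IMAGE_REL_BASED_* */

/* Apply base relocations to an image already laid out with section alignment
 * (a "mempe" buffer in the README's terms). reloc_rva/reloc_size come from
 * DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC], old_base is the linked
 * OptionalHeader.ImageBase, new_base the address the image really lives at.
 * Every RVA is bounds-checked so a malformed table cannot write outside the
 * buffer. Returns the number of fixups applied, or -1 on a malformed table. */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint32_t reloc_rva, uint32_t reloc_size,
                       uint64_t old_base, uint64_t new_base)
{
    if (old_base == new_base) return 0;                 /* loaded at preferred base */
    if ((size_t)reloc_rva + reloc_size > image_size) return -1;
    uint64_t delta = new_base - old_base;               /* wraps correctly if new_base is lower */
    long applied = 0;
    size_t pos = reloc_rva, end = (size_t)reloc_rva + reloc_size;
    while (pos + sizeof(reloc_block_t) <= end) {
        reloc_block_t blk;
        memcpy(&blk, image + pos, sizeof blk);
        if (blk.SizeOfBlock == 0) break;                /* zero-sized block terminates the table */
        if (blk.SizeOfBlock < sizeof blk || pos + blk.SizeOfBlock > end) return -1;
        size_t nentries = (blk.SizeOfBlock - sizeof blk) / 2;
        const uint8_t *entries = image + pos + sizeof blk;
        for (size_t i = 0; i < nentries; i++) {
            uint16_t e;
            memcpy(&e, entries + 2 * i, 2);
            unsigned type = e >> 12;                                 /* high 4 bits: type */
            size_t rva = (size_t)blk.VirtualAddress + (e & 0xfff);  /* low 12 bits: page offset */
            if (type == REL_ABSOLUTE) continue;         /* padding entry, no fixup */
            if (type == REL_HIGHLOW) {                  /* 32-bit absolute VA (PE32) */
                if (rva + 4 > image_size) return -1;
                uint32_t v; memcpy(&v, image + rva, 4);
                v += (uint32_t)delta;
                memcpy(image + rva, &v, 4);
            } else if (type == REL_DIR64) {             /* 64-bit absolute VA (PE32+) */
                if (rva + 8 > image_size) return -1;
                uint64_t v; memcpy(&v, image + rva, 8);
                v += delta;
                memcpy(image + rva, &v, 8);
            } else {
                return -1;                              /* HIGH/LOW/HIGHADJ etc. not expected in DLLs */
            }
            applied++;
        }
        pos += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample (not a real DLL): a 0x3000-byte PE32+ image linked at
 * DEMO_OLD_BASE with three absolute pointers in the page at RVA 0x1000 and one
 * relocation block at RVA 0x2000 describing them (plus one ABSOLUTE pad entry). */
#define DEMO_OLD_BASE   0x140000000ULL
#define DEMO_NEW_BASE   0x7ff612340000ULL
#define DEMO_RELOC_RVA  0x2000u
#define DEMO_RELOC_SIZE 16u

static void build_demo_image(uint8_t *image, size_t size)
{
    memset(image, 0, size);
    uint64_t ptrs[3] = { DEMO_OLD_BASE + 0x1500, DEMO_OLD_BASE + 0x2080, DEMO_OLD_BASE + 0x1000 };
    for (int i = 0; i < 3; i++) memcpy(image + 0x1000 + 0x10 * i, &ptrs[i], 8);
    reloc_block_t blk = { 0x1000, DEMO_RELOC_SIZE };
    uint16_t entries[4] = { (REL_DIR64 << 12) | 0x000, (REL_DIR64 << 12) | 0x010,
                            (REL_DIR64 << 12) | 0x020, (REL_ABSOLUTE << 12) | 0x000 };
    memcpy(image + DEMO_RELOC_RVA, &blk, sizeof blk);
    memcpy(image + DEMO_RELOC_RVA + sizeof blk, entries, sizeof entries);
}

/* Relocate the demo image and return the fixed-up pointer at RVA 0x1010,
 * or 0 if the pass failed or applied the wrong number of fixups. */
uint64_t demo_relocated_pointer(void)
{
    static uint8_t image[0x3000];
    build_demo_image(image, sizeof image);
    long n = apply_relocations(image, sizeof image, DEMO_RELOC_RVA, DEMO_RELOC_SIZE,
                               DEMO_OLD_BASE, DEMO_NEW_BASE);
    if (n != 3) return 0;
    uint64_t v; memcpy(&v, image + 0x1010, 8);
    return v;                                           /* DEMO_NEW_BASE + 0x2080 */
}

int main(void)
{
    printf("pointer after relocation: 0x%llx (expected 0x%llx)\n",
           (unsigned long long)demo_relocated_pointer(), (unsigned long long)(DEMO_NEW_BASE + 0x2080));
    return 0;
}
```

The delta is computed in unsigned 64-bit arithmetic on purpose: when the new base is below the linked base the subtraction wraps, and adding the wrapped value to each slot still yields the correct lower address. In a real loader the directory RVA and size come from the optional header of the `mempe` buffer, and the pass is skipped entirely when the image lands at its preferred base.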
Example usage:

```c
#include <stdlib.h>
#include "winpe.h"

const char *dllpath = "test.dll";
size_t mempesize = 0;
void *memdll = NULL;

// load the raw PE file into memory, laid out by section (memory) alignment
void *mempe = winpe_memload_file(dllpath, &mempesize, TRUE);

// memory LoadLibrary
memdll = winpe_memLoadLibrary(mempe);
winpe_memFreeLibrary(memdll);

// memory LoadLibrary at a specific address
size_t targetaddr = sizeof(size_t) > 4 ? 0x140030000 : 0x90000;
memdll = winpe_memLoadLibraryEx(mempe, targetaddr,
    WINPE_LDFLAG_MEMALLOC, (PFN_LoadLibraryA)winpe_findloadlibrarya(),
    (PFN_GetProcAddress)winpe_memGetProcAddress);
winpe_memFreeLibrary(memdll);
free(mempe);
```
Command-line usage of win_injectmemdll.exe:

```
win_injectmemdll.exe exepath dllpath [outpath]
```
These functions are essential for loading a memory module on Windows.
See winpe.h for details.
```c
/**
 * load the original raw PE file into a memory buffer, laid out by memory
 * (section) alignment; "mempe" means the PE in memory alignment
 * @param pmemsize receives the mempe buffer size
 * @return mempe buffer
 */
WINPE_API
void* STDCALL winpe_memload_file(const char *path, size_t *pmemsize, bool_t same_align);

/**
 * load the mempe at a valid imagebase and call the DLL entry point
 * @param imagebase if 0, load in place at mempe, else load at imagebase
 * @param flag WINPE_LDFLAG_MEMALLOC 0x1, allocate memory at imagebase
 *             WINPE_LDFLAG_MEMFIND 0x2, find a valid free space
 * @return hmodule base
 */
WINPE_API
void* STDCALL winpe_memLoadLibraryEx(void *mempe, size_t imagebase, DWORD flag,
    PFN_LoadLibraryA pfnLoadLibraryA, PFN_GetProcAddress pfnGetProcAddress);

/**
 * similar to FreeLibrary, calls the DLL entry point
 * @return TRUE on success
 */
WINPE_API
BOOL STDCALL winpe_memFreeLibrary(void *mempe);

/**
 * similar to GetProcAddress
 * @return function VA
 */
WINPE_API
PROC STDCALL winpe_memGetProcAddress(void *mempe, const char *funcname);

/**
 * walks the PEB Ldr module list, similar to GetModuleHandleA
 * @return module address from the Ldr list
 */
WINPE_API
void* STDCALL winpe_findmodulea(const char *modulename)
{
    return winpe_findmoduleaex(NULL, modulename);
}
```
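`winpe_memLoadLibraryEx` takes `pfnLoadLibraryA` and `pfnGetProcAddress` as parameters because a loader that runs as shellcode has no import table of its own; everything the `winpe_membindiat` step needs is supplied by the caller. The following added example (not the project's code) shows what that IAT-binding step does with those callbacks: it walks the zero-terminated `IMAGE_IMPORT_DESCRIPTOR` array, resolves each thunk by name or by ordinal, and writes the resulting address into the IAT slot. The structures are spelled out so it builds without windows.h, and the fake `kernel32.dll` resolver, the constructed import table and all function names are assumptions made for this demo.

```c
#include <stdint.h>
#include <string.h>

/* IMAGE_IMPORT_DESCRIPTOR, written out so the example builds without windows.h. */
typedef struct {
    uint32_t OriginalFirstThunk;  /* RVA of the lookup table (names / ordinals) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;                /* RVA of the DLL name, NUL-terminated */
    uint32_t FirstThunk;          /* RVA of the IAT; each slot is overwritten with a resolved VA */
} import_desc_t;
#define ORDINAL_FLAG64 (1ULL << 63) /* IMAGE_ORDINAL_FLAG64 */

/* Same shape as the README's PFN_LoadLibraryA / PFN_GetProcAddress: the loader never
 * calls the real APIs directly, so it can run as import-free shellcode. */
typedef void *(*pfn_loadlibrarya_t)(const char *name);
typedef void *(*pfn_getprocaddress_t)(void *module, const char *name_or_ordinal);

/* Bind the IAT of a section-aligned PE32+ image in place. Returns the number of
 * imports resolved, or -1 on a malformed table or an unresolvable import. Every
 * RVA is bounds-checked so a hostile image cannot make the loader touch memory
 * outside its own buffer. */
long bind_imports(uint8_t *image, size_t image_size,
                  uint32_t import_rva, uint32_t import_size,
                  pfn_loadlibrarya_t load_library, pfn_getprocaddress_t get_proc)
{
    if (import_size == 0) return 0;                       /* no imports at all */
    if ((size_t)import_rva + import_size > image_size) return -1;
    long resolved = 0;
    for (size_t pos = import_rva;; pos += sizeof(import_desc_t)) {
        import_desc_t d;
        if (pos + sizeof d > image_size) return -1;
        memcpy(&d, image + pos, sizeof d);
        if (d.Name == 0 && d.FirstThunk == 0) break;      /* all-zero descriptor ends the table */
        if (d.Name >= image_size || !memchr(image + d.Name, 0, image_size - d.Name)) return -1;
        void *module = load_library((const char *)image + d.Name);
        if (!module) return -1;
        /* OriginalFirstThunk may be 0 (old linkers); then the IAT itself holds the names. */
        size_t lookup = d.OriginalFirstThunk ? d.OriginalFirstThunk : d.FirstThunk;
        for (size_t i = 0;; i++) {
            size_t loff = lookup + 8 * i, ioff = (size_t)d.FirstThunk + 8 * i;
            if (loff + 8 > image_size || ioff + 8 > image_size) return -1;
            uint64_t thunk, va;
            memcpy(&thunk, image + loff, 8);
            if (thunk == 0) break;                        /* zero thunk ends this DLL's list */
            const char *what;
            if (thunk & ORDINAL_FLAG64) {
                what = (const char *)(uintptr_t)(thunk & 0xffff);   /* ordinal, GetProcAddress style */
            } else {                                      /* IMAGE_IMPORT_BY_NAME: u16 hint + name */
                size_t name = (size_t)(uint32_t)thunk + 2;
                if (name >= image_size || !memchr(image + name, 0, image_size - name)) return -1;
                what = (const char *)image + name;
            }
            void *fn = get_proc(module, what);
            if (!fn) return -1;
            va = (uint64_t)(uintptr_t)fn;
            memcpy(image + ioff, &va, 8);
            resolved++;
        }
    }
    return resolved;
}

/* Constructed stand-ins for the callbacks: one fake module with fake addresses, so
 * the example runs on any host without touching real DLLs. */
#define FAKE_K32 ((void *)(uintptr_t)0x7ff800000000ULL)
static void *fake_loadlibrary(const char *name) { return strcmp(name, "kernel32.dll") == 0 ? FAKE_K32 : NULL; }
static void *fake_getproc(void *module, const char *name)
{
    if (module != FAKE_K32) return NULL;
    if ((uintptr_t)name < 0x10000)                        /* ordinal import */
        return (uintptr_t)name == 7 ? (void *)(uintptr_t)0x7ff800007000ULL : NULL;
    if (strcmp(name, "LoadLibraryA") == 0)   return (void *)(uintptr_t)0x7ff800001000ULL;
    if (strcmp(name, "GetProcAddress") == 0) return (void *)(uintptr_t)0x7ff800002000ULL;
    return NULL;
}

/* Constructed image (not a real DLL): one descriptor for kernel32.dll importing
 * LoadLibraryA, GetProcAddress and ordinal 7, followed by the zero terminator. */
static void build_demo_image(uint8_t *img, size_t size)
{
    memset(img, 0, size);
    import_desc_t d = { 0x2100, 0, 0, 0x2200, 0x3000 };
    memcpy(img + 0x2000, &d, sizeof d);                   /* bytes at 0x2014 stay zero */
    strcpy((char *)img + 0x2200, "kernel32.dll");
    strcpy((char *)img + 0x2302, "LoadLibraryA");         /* hint at 0x2300, name at 0x2302 */
    strcpy((char *)img + 0x2322, "GetProcAddress");
    uint64_t lookup[4] = { 0x2300, 0x2320, ORDINAL_FLAG64 | 7, 0 };
    memcpy(img + 0x2100, lookup, sizeof lookup);
    memcpy(img + 0x3000, lookup, sizeof lookup);          /* IAT starts as a copy of the lookup table */
}

/* Bind the demo image and return IAT slot `slot` (0 if binding failed). */
uint64_t demo_bound_iat_slot(int slot)
{
    static uint8_t img[0x4000];
    build_demo_image(img, sizeof img);
    long n = bind_imports(img, sizeof img, 0x2000, 2 * sizeof(import_desc_t),
                          fake_loadlibrary, fake_getproc);
    if (n != 3 || slot < 0 || slot > 2) return 0;
    uint64_t v; memcpy(&v, img + 0x3000 + 8 * slot, 8);
    return v;
}
```

Calling `demo_bound_iat_slot(0..2)` returns the three resolved fake addresses. The constructed image is PE32+ (8-byte thunks); a PE32 loader uses 4-byte thunks and `IMAGE_ORDINAL_FLAG32` (bit 31), otherwise the walk is identical. Passing an ordinal as a small integer cast to `const char *` is the same convention the real `GetProcAddress` uses, which is why the same callback type serves both cases.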
- Attaching an x64 DLL to an exe crashed when calling some Windows APIs. The problem was caused by `movaps xmm0, xmmword ptr ss:[rsp]` (movaps faults on an operand that is not 16-byte aligned); fixed by aligning the stack to 0x10.
- TLS initialization support is finished but not tested, because I did not find a DLL with TLS to test with.
- ASLR support finished.