• This repository has been archived on 04/Oct/2023
  • Stars
    star
    585
  • Rank 76,419 (Top 2 %)
  • Language
    C#
  • License
    MIT License
  • Created almost 5 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A lightweight native DLL mapping library that supports mapping directly from memory

Lunar

A lightweight native DLL mapping library that supports mapping directly from memory


Notable features

  • Control flow guard setup
  • Exception handler initialisation
  • Security cookie generation
  • Static TLS initialisation
  • SxS dependency resolution
  • TLS callback execution
  • WOW64 and x64 support

Caveats

  • The latest version of the PDB for ntdll.dll is downloaded and cached on disk by the library

Getting started

The example below demonstrates a basic implementation of the library

var process = Process.GetProcessesByName("")[0];
var dllFilePath = "";
var flags = MappingFlags.DiscardHeaders;
var mapper = new LibraryMapper(process, dllFilePath, flags);

mapper.MapLibrary();

LibraryMapper Class

Provides the functionality to map a DLL from disk or memory into a process

public sealed class LibraryMapper

Constructors

Initialises an instance of the LibraryMapper class with the functionality to map a DLL from memory into a process

public LibraryMapper(Process, Memory<byte>, MappingFlags);

Initialises an instance of the LibraryMapper class with the functionality to map a DLL from disk into a process

public LibraryMapper(Process, string, MappingFlags);

Properties

The base address of the DLL in the process

public nint DllBaseAddress { get; }

Methods

Maps the DLL into the process

public void MapLibrary();

Unmaps the DLL from the process

public void UnmapLibrary();

MappingFlags Enum

Defines actions that the mapper should perform during the mapping process

[Flags]
public enum MappingFlags

Fields

Default value

MappingsFlags.None

Specifies that the header region of the DLL should not be mapped

MappingsFlags.DiscardHeaders 

Specifies that the entry point of any TLS callbacks and the DLL should not be called

MappingsFlags.SkipInitRoutines