/Lunar

A lightweight native DLL mapping library that supports mapping directly from memory

Primary LanguageC#MIT LicenseMIT

Lunar

A lightweight native DLL mapping library that supports mapping directly from memory


Features

  • WOW64 and x64 support
  • Imports and delay imports are resolved
  • Necessary relocations are performed
  • Image sections are mapped with the correct page protection
  • Security cookie is initialised
  • Exception handling is set up for both SEH and C++ exceptions
  • Entry point and TLS callbacks are called with ProcessAttach and ProcessDetach

Getting started

The example below demonstrates a simple implementation of the library

var libraryMapper = new LibraryMapper(process, dllBytes);

// Map the DLL into the process

libraryMapper.MapLibrary();

// Unmap the DLL from the process

libraryMapper.UnmapLibrary();

Constructors

LibraryMapper(Process, Memory<byte>)

Provides the functionality to map a DLL from memory into a remote process

LibraryMapper(Process, string)

Provides the functionality to map a DLL from disk into a remote process


Properties

DllBaseAddress

The base address of the DLL in the remote process after it has been mapped


Methods

MapLibrary()

Maps the DLL into the remote process

UnmapLibrary()

Unmaps the DLL from the remote process


Caveats

  • Mapping requires the presence of a PDB for ntdll.dll, and, so, the library will automatically download the latest version of this PDB from the Microsoft symbol server and cache it in %appdata%/Lunar/Dependencies