This project is a Proof of Concept (PoC) to demonstrate a technique for manually mapping a DLL into a target process and then loading another DLL in a way that appears legitimate.
I kinda got board and had an idea and just wanted to knwo if it worked
- Call Stack Spoofing: Uses CallStack-Spoofer to hide function calls.
- LdrLoadDll Hooking: calls LdrLoadDll to load kernel32.dll and intercepts it to redirect module loading.
- Stealth Techniques: Avoids direct WinAPI calls.
- The manual mapped DLL is injected into the target process.
- The LdrLoadDll function is hooked with a midhook using
SafetyHook. - The hook intercepts DLL load requests and redirects them to a specified DLL (
Internal.dll). - All hooks are removed after.
- Windows 10/11 (64-bit)
- Visual Studio with C++ support
- Clone the repository:
git clone https://github.com/TheRealJoelmatic/LdrLoadDll cd LdrLoadDll - Open the project in Visual Studio.
- Compile in x64 Release Mode.
- Ensure
Internal.dllexists at the specified path.
Use your preferred manual mapping injector to inject the compiled DLL into the target process. An example of a manlue mapper is Simple-Manual-Map-Injector
📂 InternalLoader
├── 📂 ext
│ │ ├── 📂 callstack
│ │ ├── 📂 stafyhook
├── 📂 src
│ ├── 📂 hooks
│ │ ├── hooks.cpp
│ │ ├── hooks.hpp
│ ├── 📂 utils
│ │ ├── manlueModules.cpp
│ │ ├── manlueModules.hpp
│ ├── dllmain.cpp
📂 Internal
│ dllmain.cpp
- Call Stack Spoofing: CallStack-Spoofer
- Hooking Library: SafetyHook
- Developed by: Joelmatic
- LdrLoadDll: API Reference
This project is for educational purposes only. Misuse of this code in a malicious manner is strictly discouraged. The author holds no responsibility for any damages caused by improper use.
📢 For research and learning purposes only!