x64 memdll support

README.md

@@ -1,11 +1,105 @@
 # MemoryModule
 A tool to parse and load module in memory, as well as attach a DLL in EXE.
 
-## winpe
+Most of the functions are inline, so that it can also be used in shellcode.
+
+## compile
+
+```shell
+cd ./src/memdll
+pip install lief
+pip install keystone
+make ARCH=i686  # x86 release
+make ARCH=x86_64 # x64 release 
+make ARCH=i686 DEBUG=1 # x86 debug
+make ARCH=x86_64 DEBUG=1 # x64 debug
+```
+
+## usage
+
+### load DLL in memory
+
+```c
+const char *dllpath = "test.dll";
+size_t mempesize = 0;
+void *memdll = NULL;
+
+// load the pe file in memory and align it to memory align
+void *mempe = winpe_memload_file(dllpath, &mempesize, TRUE); 
+
+// memory loadlibrary
+memdll = winpe_memLoadLibrary(mempe);
+winpe_memFreeLibrary(memdll);
+
+// memory loadlibrary at specific address
+size_t targetaddr = sizeof(size_t) > 4 ? 0x140030000: 0x90000;
+memdll = winpe_memLoadLibraryEx(memdll, targetaddr, 
+    WINPE_LDFLAG_MEMALLOC, (PFN_LoadLibraryA)winpe_findloadlibrarya(), 
+    (PFN_GetProcAddress)winpe_memGetProcAddress);
+winpe_memFreeLibrary(memdll);
+free(mempe);
+```
+
+
+
+### attach DLL in exe
+
+```shell
+win_injectmemdll.exe exepath dllpath [outpath]
+```
+
+## memory module API
 
 These functions are essential to load memory module in windows. 
 
 ```c
+/*
+  similar to LoadlibrayA, will call dllentry
+  will load the mempe in a valid imagebase
+    return hmodule base
+*/
+WINPEDEF WINPE_EXPORT
+inline void* STDCALL winpe_memLoadLibrary(void *mempe);
+
+/*
+  if imagebase==0, will load on mempe, or in imagebase
+  will load the mempe in a valid imagebase, flag as below:
+    WINPE_LDFLAG_MEMALLOC 0x1, will alloc memory to imagebase
+    WINPE_LDFLAG_MEMFIND 0x2, will find a valid space, 
+        must combined with WINPE_LDFLAG_MEMALLOC
+    return hmodule base
+*/
+WINPEDEF WINPE_EXPORT
+inline void* STDCALL winpe_memLoadLibraryEx(void *mempe, 
+    size_t imagebase, DWORD flag,
+    PFN_LoadLibraryA pfnLoadLibraryA, 
+    PFN_GetProcAddress pfnGetProcAddress);
+
+/*
+   similar to FreeLibrary, will call dllentry
+     return true or false
+*/
+WINPEDEF WINPE_EXPORT
+inline BOOL STDCALL winpe_memFreeLibrary(void *mempe);
+
+/*
+   FreeLibraryEx with VirtualFree custom function
+     return true or false
+*/
+WINPEDEF WINPE_EXPORT
+inline BOOL STDCALL winpe_memFreeLibraryEx(void *mempe, 
+    PFN_LoadLibraryA pfnLoadLibraryA, 
+    PFN_GetProcAddress pfnGetProcAddress);
+
+/*
+   similar to GetProcAddress
+     return function va
+*/
+WINPEDEF WINPE_EXPORT
+inline PROC STDCALL winpe_memGetProcAddress(
+    void *mempe, const char *funcname);
+
+// mempe internal functions
 /*
   load the origin rawpe in memory buffer by mem align
     return memsize
@@ -31,21 +125,8 @@ size_t winpe_membindiat(void *mempe,
 
 See `winpe.h`  for parsing and loading PE structure in detail.
 
-## compile
+## known issues
 
-```shell
-cd ./src/memdll
-pip install lief
-pip install keystone
-make ARCH=i686  # x86 release
-make ARCH=x86_64 # x64 release 
-make ARCH=i686 DEBUG=1 # x86 debug
-make ARCH=x86_64 DEBUG=1 # x64 debug
-```
-
-## usage
-
-```shell
-win_injectmemdll exepath dllpath [outpath]
-```
+*  attach x64 DLL to exe crash on calling some windows API
 
+  (load x64 DLL in memory after main function doesn't have this problem)

src/memdll/Makefile

@@ -1,3 +1,5 @@
+# make -j12 ARCH=i686 && make -j12 ARCH=i686 DEBUG=1
+# make -j12 ARCH=x86_64 && make -j12 ARCH=x86_64 DEBUG=1
 LIBPREFIX?=./../../
 ARCH?=i686
 PREFIX?=./bin
@@ -60,7 +62,8 @@ prepare:
 libwinpe: libwinpe.c
 	@echo \#\#building $@ ...
 	$(CC) $< -o $(PREFIX)/$@$(ARCH_POSTFIX)$(DLL_EXT) \
-		-shared $(CFLAGS) $(LDFLAGS) $(INCS) $(LIBS) $(LIBDIRS)
+		-shared -Wl,/DEF:$@.def\
+		$(CFLAGS) $(LDFLAGS) $(INCS) $(LIBS) $(LIBDIRS)
 
 win_injectmemdll_shellcodestub: win_injectmemdll.c libwinpe
 	python $@.py $< \

src/memdll/libwinpe.def

@@ -0,0 +1,23 @@
+EXPORTS
+    winpe_appendsecth
+    winpe_findgetprocaddress
+    winpe_findkernel32
+    winpe_findloadlibrarya
+    winpe_findspace
+    winpe_imagebaseval
+    winpe_memFreeLibrary
+    winpe_memFreeLibraryEx
+    winpe_memGetProcAddress
+    winpe_memLoadLibrary
+    winpe_memLoadLibraryEx
+    winpe_membindiat
+    winpe_memfindexp
+    winpe_memfindiat
+    winpe_memforwardexp
+    winpe_memload
+    winpe_memload_file
+    winpe_memreloc
+    winpe_noaslr
+    winpe_oepval
+    winpe_overlayload_file
+    winpe_overlayoffset