installing from aur

Cloning into bare repository '/user/Downloads/loadlibrary-git/loadlibrary'...
remote: Counting objects: 228, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 228 (delta 0), reused 2 (delta 0), pack-reused 223
Receiving objects: 100% (228/228), 807.63 KiB | 0 bytes/s, done.
Resolving deltas: 100% (73/73), done.
-> Found mpam-fe.exe
==> Validating source files with md5sums...
loadlibrary ... Skipped
mpam-fe.exe ... Passed
==> Extracting sources...
-> Creating working copy of loadlibrary git repo...
Cloning into 'loadlibrary'...
done.
-> Extracting mpam-fe.exe with bsdtar
mpengine.dll: LZX decompression failed (-25)
bsdtar: Error exit delayed from previous errors.
==> ERROR: Failed to extract mpam-fe.exe
Aborting...

I have a Windows 64 bit DLL:

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Will loadlibrary allow me to load this into a 64 bit app built with gcc?

Or does loadlibrary only work for a 32bit runtime?

After updating the engine to version 1.1.14202.0, mpclient isn't able to load DllMain.

root@093c610a27cc:/loadlibrary$ gdb -q ./mpclient
Reading symbols from ./mpclient...done.
(gdb) r /eicar.txt
Starting program: /loadlibrary/mpclient /eicar.txt
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1

Program received signal SIGSEGV, Segmentation fault.
0xf6d35fbe in ?? ()
(gdb) bt
#0  0xf6d35fbe in ?? ()
#1  0xf6d360f3 in ?? ()
#2  0xf6d34e05 in ?? ()
#3  0xf6d32bf0 in ?? ()
#4  0xf6d32bc5 in ?? ()
#5  0xf6d32dff in ?? ()
#6  0xf6d32f06 in ?? ()
#7  0x56557013 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at mpclient.c:193

Hi Tavis,

Thank you for the excellent tool. I am trying to find mpengine.dll with debug symbols. The latest version (September) doesn't have them and I don't want to wait when MS release it. So I am looking for August version of mpengine but it seems to be very hard to find it. Could you recommend me some technique/place to look for old MS libraries? I tried to download old release of Windows 10 (1803, August build) but they supply it with March version of mpengine.

Thank you in advance.

Hi.
I'm trying to use this tool to port EPANET's programming toolkit (epanet2.dll) to linux using Ubuntu.
Any guidelines on how to go about with it ?
Find the dll here:
https://www.epa.gov/sites/production/files/2014-06/en2toolkit.zip

You probably want to use __sync_fetch_and_sub in

Cool project!

Several of the header files are not already available on macOS, e.g.

loadlibrary$ make
cc -O3 -march=native -ggdb3 -m32 -std=gnu99 -fshort-wchar -Wno-multichar -Iinclude -mstackrealign -DNDEBUG -D_GNU_SOURCE -I. -Iintercept -Ipeloader -c -o mpclient.o mpclient.c
mpclient.c:31:10: fatal error: 'asm/unistd.h' file not found
#include <asm/unistd.h>
^~~~~~~~~~~~~~
1 error generated.
make: *** [mpclient.o] Error 1

Have other people managed to get the example to build out of the box on macOS?

Thanks!

Hi @taviso,

Very useful, thank you. Assuming that you have DLL source code and that someone (maybe me ;)) adds AFL compatible instrumentation through VC, am I right that this would allow fuzzing Windows DLLs through AFL on Linux?

If so, that would be pretty amazing.

https://www.microsoft.com/en-us/wdsi/definitions

Version: 1.261.1314.0
Released: Feb 17,2018 10:31 PM UTC

after downloading the new file and extracting the file into the engine folder the version I'm getting is

exiftool mpengine.dll | grep 'Product Version Number'

Product Version : 1.1.14500.5

why isn't the numbers the same ?

I've tried deleting all the files in the engine folder and then using cabextract but the version number is still the same

mofugly@yomoma:~/loadlibrary$ ./mpclient ~/scanfiles/files/f823a2f7cd40b8e86ec70b71a5a68cbb
main(): Scanning /home/mofugly/scanfiles/files/f823a2f7cd40b8e86ec70b71a5a68cbb...
Segmentation fault

Running mpclient causes a segfault. Running it via gdb shows this happens on line 187 (0x080492e3 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at mpclient.c:187)
aka
image.entry((PVOID) 'MPEN', DLL_PROCESS_ATTACH, NULL);

Running on Gentoo x86_64
mpengine version: 1.1.13704.0

In winnt_types.h, both BOOL and BOOLEAN are typedefed as uint8_t. However, in actual windows headers, BOOL is typedefed as an int (and BOOLEAN is an unsigned char, so that definition is correct).

@taviso Extremely intrigued by loadlibrary and would love to get going with it but am very clueless about how to get going.

In particular I am trying to load Windows' SWI32 DLL on *nix.

I have access to Ubuntu and macOS boxes (at the moment).

Do you by any chance have the time to assist?

Many thanks.

mail () The map file wasn't found, symbols wont be available

DE : Gnome shell
OS: Arch

https://www.microsoft.com/security/portal/definitions/adl.aspx#manual

Does the virus definitions cover syware and malware ? I noticed on the bottom of the page there's antimalware definitions can these be added to the engine scan ?

https://go.microsoft.com/fwlink/?LinkID=187316&arch=x86&nri=true

I'm aware these are for realtime scanning but can they still be used with this tool

after cost some time ,I have rewrite the mscript in windows platfrom. Thanks taviso.

I was able to compile it and run it but it's unable to identify this trojan that was detected on a windows 7 machine.

here is the output:

./mpclient VirusShare_ff74744c2b41a961239b45e963613add
main(): Scanning VirusShare_ff74744c2b41a961239b45e963613add...
EngineScanCallback(): Scanning input
EngineScanCallback(): Scanning archive member !Unpack:aplib_034
EngineScanCallback(): Scanning archive member !Unpack:aplib_034
EngineScanCallback(): Scanning archive member !Unpack:aplib_034
EngineScanCallback(): Scanning archive member !Unpack:aplib_034

when modifying mpclient to load a dll that depends on msvcrt.dll I get the following error when running the entry point:
function at 0xf72cad9b attempted to call an unknown symbol.

Is there a good way to figure out what the unknown symbol is?

Regarding the different architecture definitions i.e x86 and x64

when I want to check a file for both architectures do I have to download the x64 and do a cab extract and visa versa to check different architecture for viruses

what about viruses built with x64 architecture ?

I noticed when I delete the files in the engine folder and download the x64 mpam-fe and extract I get an error

mpclient /user/eicar.txt
pelinker (link_pe_images:531): type <= 0
mpclient: Failed to resolve mpengine entrypoint

I have to download the x86 and remove the files and use cabextract and then it works again

What a cool project!

EDIT: it's not the scanning that takes 11 seconds, but also just starting mpclient without parameters and thus no scanning at all:

sander@haring:~/git/loadlibrary$ time ./mpclient
main(): The map file wasn't found, symbols wont be available
main(): usage: ./mpclient [filenames...]

real    0m12.162s
user    0m8.300s
sys     0m1.188s
sander@haring:~/git/loadlibrary$

OLD:
I have a question: scanning EICAR.COM takes 11 seconds. Is that normal & as expected?

sander@haring:~/git/loadlibrary$ time ./mpclient eicar.com
main(): The map file wasn't found, symbols wont be available
main(): Scanning eicar.com...
EngineScanCallback(): Scanning input
EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified.

real    0m11.595s
user    0m7.692s
sys     0m1.148s

FWIW: CPU is an Intel(R) Xeon(R) CPU E5335, RAM is 512MB.

I apologize for this noob-ish issue

pe_linker.c: In function 'setup_nt_threadinfo':
pe_linker.c:650:17: error: '__NR_modify_ldt' undeclared (first use in this function)
     if (syscall(__NR_modify_ldt, LDT_WRITE, &pebdescriptor, sizeof pebdescriptor) != 0) {
                 ^
pe_linker.c:650:17: note: each undeclared identifier is reported only once for each function it appears in
<builtin>: recipe for target 'pe_linker.o' failed
make[1]: Leaving directory '/windef/loadlibrary/peloader'
make[1]: *** [pe_linker.o] Error 1
make: *** [peloader] Error 2

My build env is here

you are THE MAN btw 😄

I'm working on support for an alternative DLL, but I'm stumped by a segfault when DLLMain gets called.

I've added the stubs for the missing symbols, to my fork (GetStringTypeA, SetHandleCount, GetStartupInfoA). I've gone through the other stubs that are called and can't see any obvious candidates that would lead to a segfault.

Any pointers on how to address this or go about further debugging would be much appreciated. Unfortunately I can't provide a copy of the library, but the API itself is quite straightforward.

Output from gdb:

Reading symbols from ./tools...done.
(gdb) r
Starting program: /home/ubuntu/software/loadlibrary/tools 
pe_load_library(): successfully mapped engine/tools.dll@0xf7fb8000
pelinker (import:272): unknown symbol: KERNEL32.dll:ExitProcess
pelinker (import:272): unknown symbol: KERNEL32.dll:TerminateProcess
pelinker (import:272): unknown symbol: KERNEL32.dll:HeapDestroy
pelinker (import:272): unknown symbol: KERNEL32.dll:SetFilePointer
pelinker (import:272): unknown symbol: KERNEL32.dll:FreeEnvironmentStringsA
pelinker (import:272): unknown symbol: KERNEL32.dll:GetEnvironmentStrings
pelinker (import:272): unknown symbol: KERNEL32.dll:SetStdHandle
pelinker (import:272): unknown symbol: KERNEL32.dll:FlushFileBuffers
pelinker (import:272): unknown symbol: KERNEL32.dll:CreateFileA
pelinker (import:272): unknown symbol: KERNEL32.dll:GetOEMCP
pelinker (import:272): unknown symbol: KERNEL32.dll:LoadLibraryA
pelinker (import:272): unknown symbol: KERNEL32.dll:LCMapStringA
main(): GDB: add-symbol-file engine/tools.dll 0xf7d73008+0x1000
main(): GDB: shell bash genmapsym.sh 0xf7d73008+0x1000 symbols_19959.o < engine/tools.map
main(): GDB: add-symbol-file symbols_19959.o 0

Program received signal SIGTRAP, Trace/breakpoint trap.
0x5655c729 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at tools.c:105
warning: Source file is more recent than executable.
105	        __debugbreak();
(gdb) add-symbol-file engine/tools.dll 0xf7d73008+0x1000
add symbol table from file "engine/tools.dll" at
	.text_addr = 0xf7d74008
(y or n) y
Reading symbols from engine/tools.dll...(no debugging symbols found)...done.
(gdb) shell bash genmapsym.sh 0xf7d73008+0x1000 symbols_19959.o < engine/tools.map
(gdb) add-symbol-file symbols_19959.o 0
add symbol table from file "symbols_19959.o" at
	.text_addr = 0x0
(y or n) y
Reading symbols from symbols_19959.o...done.
(gdb) c
Continuing.
GetVersion(): 
HeapCreate(): 0, 4096, 0
TlsSetValue(): TlsSetValue(0, 0xf7ba2f88)
GetCommandLineA(): 
GetEnvironmentStringsW(): 
WideCharToMultiByte(): 0, 0, 0x565ae0e0, 65, (nil), 0, (nil), (nil)
WideCharToMultiByte(): cchWideChar == 65, Ansi: [ALLUSERSPROFILE=AllUsersProfile]
FreeEnvironmentStringsW(): 0x565ae0e0
GetStartupInfoA(): GetStartupInfoA(0xffffd07c)
GetStdHandle(): -10
GetFileType(): (nil)
GetStdHandle(): -11
GetFileType(): 0x1
GetStdHandle(): -12
GetFileType(): 0x2
SetHandleCount(): 32
GetACP(): 
GetCPInfo(): 65001, 0xffffd088
GetCPInfo(): 65001, 0xffffd060
GetStringTypeW(): 1, 0xf7d867e0, 1, 0xffffcb1c
GetStringTypeA(): 0, 1, 0xf7d867dc, 1, 0xffffcb1c
LCMapStringW(): 0, 0x100, 0xf7d867e0, 1, (nil), 0
MultiByteToWideChar(): 65001, 0x1, 0xffffcf60, 256, (nil), 0
MultiByteToWideChar(): 65001, 0x1, 0xffffcf60, 256, 0xffffc8e0, 256
LCMapStringW(): 0, 0x100, 0xffffc8e0, 256, (nil), 0
LCMapStringW(): 0, 0x100, 0xffffc8e0, 256, 0xffffc8dc, 1
WideCharToMultiByte(): 65001, 0x220, 0xffffc8dc, 1, 0xffffce60, 256, (nil), (nil)
WideCharToMultiByte(): cchWideChar == 1, Ansi: [�]
MultiByteToWideChar(): 65001, 0x1, 0xffffcf60, 256, (nil), 0
MultiByteToWideChar(): 65001, 0x1, 0xffffcf60, 256, 0xffffc8c0, 256
LCMapStringW(): 0, 0x200, 0xffffc8c0, 256, (nil), 0
LCMapStringW(): 0, 0x200, 0xffffc8c0, 256, 0xffffc8bc, 1
WideCharToMultiByte(): 65001, 0x220, 0xffffc8bc, 1, 0xffffcd60, 256, (nil), (nil)
WideCharToMultiByte(): cchWideChar == 1, Ansi: [�]
GetModuleFileNameA(): (nil), 0xf7d8a62c, 260

Program received signal SIGSEGV, Segmentation fault.
0xf7d8055a in loc_1000D552 () at {standard input}:3208
3208	{standard input}: No such file or directory.
(gdb) bt
#0  0xf7d8055a in loc_1000D552 () at {standard input}:3208
#1  0x00000000 in ?? ()
(gdb) 

Hi taviso,
I'm building a project on Windows for call mpengine.dll for scanning virus, rely on your loadlibrary project. My goal is it can run on multithread. I know that mpengine.dll does not support multithread itself. So, I clone the mpengine.dll to multiple files like mpengine_1.dll, mpengine_2.dll... And then I call them separately and running parallel (for multithread). I running test for multiple time and the results are stable. But I notice that when the program is running, it create the files like "mpcache-D14D2B99286F81AB78D33517A803982C748A293D.bin". I think those files are the cache files for improving performance when scanning the same file again, the engine just needs to read from those cache file. This does not happen when I running with 1 thread (mean only one file mpengine.dll was call). Do you have any suggestion for this?
Thank you.
Thuong Le,

HI. Thanks for your work! @taviso
These days I was trying to test mpclient with AFL in qemu-mode. But a problem comes to me and I cannot handle it. There is a “PROGRAM ABORT : Fork server handshake failed” wrong. Here attaching a screen-shot.Could you help me check out what's wrong with it and tell me how to test mpclient with AFL in qemu-mode?
Thank you very much!

is this just a proof of concept thing or arfe you going to keep going with this
It would nice to have some options like mpclient update from the command line

does windows defender use the extact same virus defentions database as windows security essentials ?

Pulled latest:
:~/loadlibrary$ git pull
remote: Counting objects: 15, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 15 (delta 12), reused 14 (delta 12), pack-reused 1
Unpacking objects: 100% (15/15), done.
From https://github.com/taviso/loadlibrary
0847ba8..45296de master -> origin/master
Updating 0847ba8..45296de
Fast-forward
genmapsym.sh | 2 +-
peloader/winapi/Locale.c | 8 ++++----
peloader/winapi/Strings.c | 44 ++++++++++++++++++++++++++------------------
peloader/winapi/SystemTime.c | 8 ++++++++
4 files changed, 39 insertions(+), 23 deletions(-)

Tried to scan file MD5 b3f3f1e82faee94eb043d27c8ec87a87
:~/loadlibrary$ ./mpclient /yarfukt/418506f1a541fdc1cc6f42a596dcd76ce13ba9d151830b4cb784bde6f3b82389
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
MultiByteToWideChar(): Unsupported Conversion Flags 0x1
Segmentation fault (core dumped)

./mpclient /user/textfile

main(): Scanning /root/textfile...
EngineScanCallback(): Scanning input
EngineScanCallback(): Threat Virus:DOS/EICAR_Test_File identified.

is there a way to only either grep or only print part of the output like print only 'Treat Virus' I've tried the below and other grep methods but cant seem to limit the output

./mpclient /user/textfile > /dev/null | awk -F ":" '{print $2}' ## does'nt work

FYI:
The version breaks loadlibrary.
Product Version Number : 1.1.15300.6

 ./mpclient README.md 
main(): Scanning README.md...
mpclient: function at 0xf69e513c attempted to call an unknown symbol
Trace/breakpoint trap (core dumped)

Hi taviso,

Quick question regarding this bash script, I am not quite sure what I'm missing here but awk is yelling at me:

(gdb) add-symbol-file engine/mpengine.dll 0xb50ef008+0x1000
add symbol table from file "engine/mpengine.dll" at
	.text_addr = 0xb50f0008
(y or n) y
Reading symbols from engine/mpengine.dll...(no debugging symbols found)...done.
(gdb) shell bash genmapsym.sh 0xb50ef008+0x1000 symbols_3456.o < engine/mpengine.map
awk: line 6: regular expression compile failed (bad class -- [], [^] or [)
[
awk: line 6: missing ) near }
awk: 6: unexpected character '\'
awk: line 6: syntax error at or near [
awk: line 6: extra ')'
(gdb)

Sample of the map file..

$ cat engine/mpengine.map
Start         Length     Name                   Class
 0002:00000000 0009309C6H .text                  CODE
 0003:00000000 00002BCA1H .data                  DATA
 0004:00000000 00000277AH .idata                 DATA
 0005:00000000 00002A338H .rsrc                  DATA


  Address         Publics by Value

 0001:00000300       String1
 0001:00001E4D       nullsub_1
 0001:00005598       a1U
 0001:00014D14       lpProcName
 0001:00015690       ExceptionInfo
-- cut --
 0003:000005B4       ___guard_check_icall_fptr
0003:000005B8       __IMPORT_DESCRIPTOR_ntdll
0003:000005CC       __IMPORT_DESCRIPTOR_KERNEL32
0003:000005E0       __IMPORT_DESCRIPTOR_ADVAPI32
0003:000005F4       __IMPORT_DESCRIPTOR_OLEAUT32
0003:00000CEE       aNtdll_dll
0003:00001678       aKernel32_dll
0003:00001928       aAdvapi32_dll
0003:00001936       aOleaut32_dll

 Program entry point at 0001:0049E090

As you can see it looks like it's a proper generated file with the symbols yet the awk won't run!

Last but not least apparently you used PIN for coverage, right?
Thanks :)

Can be used in embedded Linux based on ARM ?
thx.

Hello

My story is - I have a windows dll (a client for a web service) that I am currently using on Ubuntu with aid of Wine. This works fine-ish.

However I am interested in a more lightweight solution that can be used in containers.

I tried to get started but I'm not sure how I should use loadlibrary.

I tried:
./mpclient service_client.dll
And got:

main(): Scanning  service_client.dll...
EngineScanCallback(): Scanning input
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
EngineScanCallback(): Scanning archive member !Themida
y

Can you let me know if loadlibrary is able to provide a wrapper, or a way to run my dll on Linux? Any guidance is appreciated.

Thanks

can you try to port windows vst which is .dll (maybe try https://www.xferrecords.com/products/serum) to be able to use them with bitwig studio (www.bitwig.com) linux

Hello taviso.
You have a great app, unfortunately this app does not have a logo yet, may I donate a logo for your app?

I've gotten the binary to run on a Ubuntu host (with CONFIG_MODIFY_LDT_SYSCALL set), but not in a Docker container on that Ubuntu host. Running with --privileged:

(gdb) run
Starting program: /loadlibrary/mpclient

Program received signal SIGILL, Illegal instruction.
init_mparams () at codealloc.h:3091
3091	        ((psize            & (psize-SIZE_T_ONE))            != 0))
(gdb) bt
#0  init_mparams () at codealloc.h:3091
#1  sys_alloc (m=0x8094bc0 <_gm_>, nb=10444808) at codealloc.h:3994
#2  code_malloc (bytes=<optimized out>) at codealloc.h:4621
#3  fix_pe_image (pe=0xffffdc30) at pe_linker.c:455
#4  link_pe_images (pe_image=0xffffdc30, n=1) at pe_linker.c:535
#5  0x080492e8 in main (argc=1, argv=0xffffde24, envp=0xffffde2c)
    at mpclient.c:140
(gdb) x/i $pc
=> 0x80549d2 <link_pe_images+1266>:	blsr   %eax,%edx
(gdb) i r
eax            0x1000	4096
ecx            0xa10e90	10555024
edx            0xffffdc30	-9168
ebx            0xf73ca128	-147021528
esp            0xffffdb00	0xffffdb00
ebp            0xffffdb68	0xffffdb68
esi            0x102	258
edi            0x9f6008	10444808
eip            0x80549d2	0x80549d2 <link_pe_images+1266>
eflags         0x10286	[ PF SF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x7	7
gs             0x63	99

Would you like to add more error handling for return values from functions like the following?

• fgetc ⇒ process_extra_exports
• fseek ⇒ ReadStream

Hi, Amazing work there mate thanks a lot!

I was just trying to reproduce the code coverage tool but its not working and im not getting any output from anywhere

its been there more than 10 minutes , any ideas why could that be? thanks

I would like to point out that identifiers like “__OPENSCAN_H” and “__rsignal” do eventually not fit to the expected naming convention of the C language standard.
Would you like to adjust your selection for unique names?

Not an issue

Im running loadlibrary in docker with the ubuntu:18:04 image and the default seccomp policy blocks it from running due to sigprocmask syscall being blocked by docker's policy.

Whitelist this syscall and you are good to go.

Hope this helps other people.

Hi,
It seems that mpscript is looking to find strtod in export functions from mpengine.dll, but it is not there! I checked some different version of that dll none of them had strtod exported!
Am i missing something?(I created .map file etc...)

Thanks

I am confused why should hook this function

I have not been able to compile successfully for a 64-bit system.

"incompatible with i386:x86-64 output" is the problem obviously.

Have you considered porting it or do you only use on 32-bit systems?

mpclient: function at 0xf616cf78 attempted to call an unknown symbol
Trace/breakpoint trap

I wanted to use your project to play with Windows Defender as an AV tool, so I added some basic JSON support with the JSON-C ( https://github.com/json-c/json-c ) library. It just marshals up a bit of your struct and dumps it out at the end.
loadlibrary-jsonout.zip

Built using this Dockerfile

root@0a074ee74665:/loadlibrary# ./mpclient /malware/EICAR
main(): The map file wasn't found, symbols wont be available
Segmentation fault

😢

Just noticed this. The Excel file has been used to test the update and worked previously. Not sure how to debug.

2017-08-29 08:53:20 (6.24 MB/s) - ‘mpam-fe.exe’ saved [141828368/141828368]

Extracting cabinet: mpam-fe.exe
extracting engine/MPSigStub.exe
extracting engine/mpavdlta.vdm
extracting engine/mpasdlta.vdm
extracting engine/mpavbase.vdm
extracting engine/mpasbase.vdm
extracting engine/mpengine.dll

All done, no errors.

:~/loadlibrary$ file fd57a4cba764b6d325bbf3b0b13de014d30a774b
fd57a4cba764b6d325bbf3b0b13de014d30a774b: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: contador, Last Saved By: Rafael Lucena, Name of Creating Application: Microsoft Excel, Last Printed: Fri Sep 28 18:17:32 2012, Create Time/Date: Tue Aug 21 12:07:29 2007, Last Saved Time/Date: Fri Sep 28 18:21:41 2012, Security: 0

c:~/loadlibrary$ ./mpclient fd57a4cba764b6d325bbf3b0b13de014d30a774b
Segmentation fault (core dumped)

:~/loadlibrary$ exiftool engine/mpengine.dll
ExifTool Version Number : 10.10
File Name : mpengine.dll
Directory : engine
File Size : 10 MB
File Modification Date/Time : 2017:08:23 20:05:12-07:00
File Access Date/Time : 2017:08:29 08:53:38-07:00
File Inode Change Date/Time : 2017:08:29 08:53:27-07:00
File Permissions : r--r--r--
File Type : Win32 DLL
File Type Extension : dll
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2017:08:13 09:26:21-07:00
PE Type : PE32
Linker Version : 14.10
Code Size : 9821184
Initialized Data Size : 906240
Uninitialized Data Size : 0
Entry Point : 0x4e8d30
OS Version : 10.0
Image Version : 10.0
Subsystem Version : 5.1
Subsystem : Windows command line
File Version Number : 1.1.14104.0
Product Version Number : 1.1.14104.0
File Flags Mask : 0x003f
File Flags : (none)
File OS : Windows NT 32-bit
Object File Type : Dynamic link library
File Subtype : 0
Language Code : English (U.S.)
Character Set : Unicode
Company Name : Microsoft Corporation
File Description : Microsoft Malware Protection Engine
Internal Name : mpengine
Legal Copyright : © Microsoft Corporation. All rights reserved.
Original File Name : mpengine.dll
Product Name : Microsoft Malware Protection
File Version : 1.1.14104.0
Product Version : 1.1.14104.0

 make

cc -O3 -march=native -ggdb3 -m32 -std=gnu99 -fshort-wchar -Wno-multichar -Iinclude -DNDEBUG -D_GNU_SOURCE -I. -Iintercept -Ipeloader -c -o mpclient.o mpclient.c
In file included from /usr/include/features.h:392:0,
from /usr/include/stdio.h:27,
from mpclient.c:19:
/usr/include/gnu/stubs.h:7:27: fatal error: gnu/stubs-32.h: No such file or directory

include <gnu/stubs-32.h>

                       ^
                  ^

Hi, what a cool project! It will make scalds in Redmont (one commented, who brought me here :-)

Can you use this error message? I can not. Thank you

The __CRT_INIT@12 does:
mov eax, dword ptr fs:[18h]
mov eax, dword ptr [eax+4]

The load from fs:[18h] gives 0 in loadlibrary and a valid pointer on windows