The idea is to create a single .exe executable, even if the program uses DLLs, by embedding the DLLs as resources and somehow tricking Windows so that LoadLibrary loads them from there.

Simple solution

Mark the libraries as delay-loaded. On startup, extract them to a unique directory and either add that directory to the library load path (so that LoadLibrary picks them up) or pre-load each one with LoadLibrary and an absolute path, which should work for delay-loaded libraries.
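A sketch of the extract-and-pre-load variant, as an added example rather than code from the original article. The names `build_dll_path` and `load_embedded_dll`, the RCDATA resource id and the `embedded-<pid>` directory name are assumptions; the Win32 part is compiled only on Windows.

```c
/* Added example: extract an embedded DLL, then pre-load it by absolute path. */
#include <stdio.h>
#include <string.h>

/* Build "<dir>\<name>"; accept only a bare file name. Returns 0 on success. */
int build_dll_path(const char *dir, const char *name, char *out, size_t cap) {
    if (!*name || strpbrk(name, "\\/:") || strstr(name, ".."))
        return -1;               /* no separators, drive letters or ".." */
    int n = snprintf(out, cap, "%s\\%s", dir, name);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;   /* reject truncation */
}

#ifdef _WIN32
#include <windows.h>

/* res_id is a hypothetical RCDATA resource id holding the DLL's bytes. */
HMODULE load_embedded_dll(int res_id, const char *name) {
    char tmp[MAX_PATH], dir[MAX_PATH], path[MAX_PATH];
    HRSRC res = FindResourceA(NULL, MAKEINTRESOURCEA(res_id), (LPCSTR)RT_RCDATA);
    HGLOBAL blob = res ? LoadResource(NULL, res) : NULL;
    const void *bytes = blob ? LockResource(blob) : NULL;
    DWORD size = res ? SizeofResource(NULL, res) : 0, written = 0;
    if (!bytes || !size) return NULL;

    /* Per-process directory under the user's temp path. */
    DWORD len = GetTempPathA(MAX_PATH, tmp);
    if (!len || len >= MAX_PATH) return NULL;
    int n = snprintf(dir, sizeof dir, "%sembedded-%lu", tmp,
                     (unsigned long)GetCurrentProcessId());
    if (n < 0 || n >= (int)sizeof dir) return NULL;
    if (!CreateDirectoryA(dir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
        return NULL;
    if (build_dll_path(dir, name, path, sizeof path) != 0) return NULL;

    /* CREATE_NEW fails if the file exists, so a pre-planted DLL is never loaded. */
    HANDLE f = CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_NEW,
                           FILE_ATTRIBUTE_NORMAL, NULL);
    if (f == INVALID_HANDLE_VALUE) return NULL;
    BOOL ok = WriteFile(f, bytes, size, &written, NULL) && written == size;
    CloseHandle(f);
    if (!ok) DeleteFileA(path);              /* do not leave a partial DLL behind */
    return ok ? LoadLibraryA(path) : NULL;   /* absolute path, no search order */
}
#endif
```

Call `load_embedded_dll` at startup, before the first call into the delay-loaded library.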

Hook LoadLibrary

Another option is to use e.g. the Detours library to hook the LoadLibrary call. If the file name matches our library, use a custom implementation of LoadLibrary. Or call the original LoadLibrary first and, only if it fails and the name matches, load the custom one (that way it'll pick up the library if it's on disk).

Writing a custom LoadLibrary might be hard. Some links:

LoadLibrary is implemented with LdrLoadDll

Hook lower-level library used by LoadLibrary

Writing LoadLibrary might be hard, so what if we hooked just the lower-level file access? Those functions seem to be NtOpenFile and the ones for mapping a file into memory, like NtMapViewOfSection. This is also difficult and would have to use undocumented structures.

Chrome has code for intercepting them: https://cs.chromium.org/chromium/src/sandbox/win/src/target_interceptions.cc?q=TargetNtMa&sq=package:chromium&g=0&l=27 (or search for TargetNtMapViewOfSection).
