Skip to content

tinyBigGAMES/MemoryDLL

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MemoryDLL
Chat on Discord Follow on Bluesky

In-Memory Win64 DLL Loading & Execution for Pascal 💻🔄

Overview 📝

The MemoryDLL unit provides advanced functionality for loading dynamic-link libraries (DLLs) directly from memory in Win64 environments. Unlike traditional methods that involve loading DLLs from the file system, MemoryDLL allows you to load DLLs from byte arrays 📂 or memory streams 💾, retrieve function addresses, and unload them—all in-memory. This library is ideal for Delphi/FreePascal developers who need to manage DLLs without relying on the filesystem, enhancing both performance ⚡ and security 🔒.

Features ✨

  • MemoryLoadLibrary: Loads a DLL from a memory buffer without writing to the disk 💽.
  • FreeLibrary: Unloads the DLL from memory, ensuring all associated resources are properly released 🔄.
  • GetProcAddress: Retrieves the address of an exported function within the loaded DLL, enabling direct function calls 📞.
  • Comprehensive Error Handling: Manages issues such as invalid DLL data 🚫, memory allocation failures 🚨, and function resolution issues 🔧.

Key Benefits 🌟

  • Increased Security 🔒: By eliminating the need to store DLLs on disk, MemoryDLL reduces the risk of DLL hijacking and unauthorized access.
  • Performance Improvement ⚡: Since DLLs are handled in-memory, the overhead of disk I/O operations is avoided, resulting in faster execution 🚀.
  • Flexibility 🤹: Suitable for embedding DLLs in the main executable, loading encrypted 🔐 or obfuscated DLLs, and supporting dynamic plugin systems where plugins are provided as in-memory modules.

Implementation Details 🔍

MemoryDLL enables in-memory DLL loading and redirection by using placeholder DLLs and hook-based loading to bypass traditional file-based DLL loading:

  1. Hook-Based Loading 🚀: Redirects calls to load a specific DLL by monitoring attempts to load a placeholder DLL (e.g., advapi32res.dll). This DLL acts as a trigger for the hook to intercept and handle redirection to an in-memory DLL.
  2. Placeholder DLL 📂: The placeholder DLL, which can be any specified DLL file, is not embedded within the application. It is only used to initiate the hook process, allowing seamless redirection to the in-memory DLL.
  3. In-Memory Execution ⚙️: The redirected DLL operates fully in memory, making all its functions accessible as if loaded conventionally. This approach avoids dependence on the filesystem, enhancing both performance and security.

Compatibility 🤝: The MemoryDLL unit is compatible with standard DLL interfaces, allowing for easy integration with existing applications. The in-memory redirection method also reduces security risks, such as code injection 💉, offering a secure alternative for DLL management.

Usage Scenarios 🎯

Embedding DLLs 📦

  • Embed DLLs directly within your executable. MemoryDLL allows you to store DLLs as resources or encrypted data and load them into memory at runtime, removing the need to distribute them as separate files.

Encrypted DLL Loading 🔐

  • Enhance application security by storing DLLs in an encrypted form, which can then be decrypted into memory before loading with MemoryDLL. This reduces the risk of reverse engineering.

Dynamic Plugin Systems 🔌

  • Load plugins dynamically as in-memory DLLs. This approach provides a clean and secure method of extending application functionality without relying on the filesystem.

Public Functions 📖

MemoryLoadLibrary 📜

Loads a module from a memory image, mimicking the behavior of the Windows API LoadLibrary function. It parses the PE format, performs necessary relocations, resolves imports, and initializes the module.

  • Parameters: Data: Pointer – A pointer to the memory image