Tavis Ormandy (
LoadLibrary loads the library into memory and resolves its imported symbols, giving a Linux application a dlopen-style API for Windows DLLs. The loaded code can be debugged with gdb, ASAN and Valgrind, and the executable code can be modified at runtime by installing hooks and applying patches (runtime patching). C++ exception handling and stack unwinding are supported.
The project aims to enable scalable and efficient distributed fuzz testing of DLLs in a Linux environment. On Windows, fuzzing and coverage measurement are inefficient and often require running a separate virtualized Windows instance, especially when analyzing complex products such as antivirus software that span both kernel and user space. Google researchers use LoadLibrary to look for vulnerabilities in video codecs, antivirus scanners, data decompression libraries, image decoders and similar components.
For example, LoadLibrary was used to port the Windows Defender antivirus engine to run on Linux. Studying mpengine.dll, the core of Windows Defender, made it possible to analyze a large number of complex parsers for various formats, file system emulators and language interpreters, potentially providing vectors for
LoadLibrary was also used in detection
Source: opennet.ru