# LibTPLoadLib

**Repository Path**: zyjsuper/LibTPLoadLib

## Basic Information

- **Project Name**: LibTPLoadLib
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2025-12-08
- **Last Updated**: 2025-12-08

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# LibTPLoadLib

Uses call gadgets to break the [call-stack signature that Elastic uses to detect a module load proxied through a callback function](https://github.com/elastic/protections-artifacts/blob/6e9ee22c5a7f57b85b0cb063adba9a3c72eca348/behavior/rules/windows/defense_evasion_library_loaded_via_a_callback_function.toml). Provided as a [Crystal Palace](https://tradecraftgarden.org/crystalpalace.html) shared library. Format inspired by @rasta-mouse's [LibTP](https://github.com/rasta-mouse/LibTP).

**WARNING ⚠️**: This project is not usable as-is. The call gadget used for this PoC is no longer present in current versions of Windows; you will have to find your own. [Read the blog post for more info](https://offsec.almond.consulting/evading-elastic-callstack-signatures.html).

## How

1. Compile the project: `make`. The output is two Crystal Palace shared libraries: `libtploadlib_vanilla.x64.zip` (does not use the gadget; demonstrates the detection firing) and `libtploadlib_gadget.x64.zip` (uses the gadget).
2. Compile the example COFF, which simply loads `wininet.dll` through the shared library and prints its address: `cd example_print && make`. The output is the COFF file `example_print.x64.o`.
3. Link everything with Crystal Palace to produce PIC shellcode. Use the Tradecraft Garden's Simple PIC spec file, modified to merge in whichever `libtploadlib` zip you want (`mergelib "path/to/libtploadlib_XXX.x64.zip"`): `path/to/crystalpalace/link simplepic_modified/loader.spec example_print/example_print.x64.o out.bin`.
4. For this PoC: download [dsdmo.dll](https://winbindex.m417z.com/?file=dsdmo.dll) in version `10.0.26100.1882` and place it at `C:\dsdmo_10.0.26100.1882.dll`.
5. Run the shellcode using any loader.
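Because the gadget only exists in one specific build of `dsdmo.dll`, it is worth confirming the copy from step 4 before running the shellcode. The following PowerShell snippet is an added example and is not part of LibTPLoadLib or the Crystal Palace tooling; it assumes the README's path `C:\dsdmo_10.0.26100.1882.dll` and version `10.0.26100.1882`, and only reads the file's version resource and Authenticode status.

```powershell
# Added example, not project code: sanity-check the dsdmo.dll copy required by
# step 4 of the README before running the PoC. Path and version are taken from
# the README; nothing here is specific to the gadget itself.
$Path            = 'C:\dsdmo_10.0.26100.1882.dll'
$ExpectedVersion = '10.0.26100.1882'

if (-not (Test-Path -LiteralPath $Path)) {
    throw "Missing $Path. Download dsdmo.dll $ExpectedVersion from Winbindex and place it there."
}

# Compare the numeric version parts rather than the FileVersion string, which
# Microsoft binaries often decorate with a build-lab suffix.
$info   = (Get-Item -LiteralPath $Path).VersionInfo
$actual = '{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                 $info.FileBuildPart, $info.FilePrivatePart
if ($actual -ne $ExpectedVersion) {
    throw "Wrong dsdmo.dll build: found $actual, expected $ExpectedVersion. The gadget is build-specific."
}

# A genuine Microsoft binary should validate. Files from another OS build are
# usually catalog-signed, and that catalog may not be installed on this host,
# so a non-Valid status is reported as a warning rather than a hard failure.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
if ($sig.Status -eq 'Valid') {
    Write-Host "dsdmo.dll $actual present; signature valid ($($sig.SignatureType)) for $($sig.SignerCertificate.Subject)"
} else {
    Write-Warning "dsdmo.dll $actual present, but signature status is '$($sig.Status)'. Verify the download source before trusting it."
}
```

Run it from an elevated or normal PowerShell session on the target host after step 4; a version mismatch is the most common reason the gadget variant behaves like the vanilla one.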