explaingit

taviso/loadlibrary

4,483 · C · Audience · researcher · Complexity · 4/5 · Setup · hard

TLDR

A C library that lets Linux programs load and call code from Windows DLL files, primarily used by security researchers to run and fuzz Windows software like antivirus engines on Linux at scale.

Mindmap

mindmap
  root((loadlibrary))
    What it does
      Load Windows DLLs
      Call DLL functions
    Use cases
      Security fuzzing
      Antivirus research
      Codec testing
    Features
      gdb debugging
      Symbol loading
      Runtime patching
    Audience
      Security researchers
      Reverse engineers

Things people build with this

USE CASE 1

Run Windows Defender's scanning engine on Linux to fuzz it for security vulnerabilities using cheap Linux containers.

USE CASE 2

Test Windows video codec or image decoder libraries for crashes and memory bugs using Linux fuzzing tools.

USE CASE 3

Debug a Windows DLL on Linux using gdb with full symbol support, breakpoints, and backtraces.

USE CASE 4

Hook and patch Windows binary code at runtime without needing a Windows virtual machine.

Tech stack

C · Linux

Getting it running

Difficulty · hard · Time to first run · 1h+

Requires a Linux system plus the target Windows DLL; any Windows API calls the DLL imports that are not yet supported need custom stubs before the DLL will load.

In plain English

loadlibrary is a C library that lets Linux programs load and call functions from Windows DLL files. DLLs (Dynamic Link Libraries) are the binary format Windows uses to package reusable code, and they are normally incompatible with Linux. This library bridges that gap by implementing a custom loader that processes the Windows binary format, maps code and data into memory, and provides an interface for calling functions within the loaded file.

The main use case described in the README is security research through fuzzing. Fuzzing is a technique where automated tools send large volumes of unusual or malformed input to a program to find crashes and bugs. Doing this on Linux is more practical than on Windows because Linux containers are lighter and cheaper to run, making it easier to scale up parallel test instances. The author demonstrates the technique by running the core scanning engine of Windows Defender on Linux, where it successfully identifies malware samples from the command line.

The tool supports debugging through gdb, including symbols, breakpoints, watchpoints, and backtraces. Loading symbol information from IDA, a disassembly tool, is documented with step-by-step commands. Memory error detection tools also work with the loaded code. If a Windows function is not yet implemented in the stub layer, adding support for it is described as a straightforward task.

Good candidates for this approach, according to the README, include video codecs, image decoders, compression libraries, and antivirus engines. The library handles C++ exception dispatch and stack unwinding, and supports runtime hooking and patching. The core loader component is derived from an earlier open-source Linux project called ndiswrapper.

Copy-paste prompts

Prompt 1
Show me how to use loadlibrary to load Windows Defender's mpengine.dll on Linux and scan a sample file for malware.
Prompt 2
How do I set up gdb with IDA symbols to debug a Windows DLL loaded via loadlibrary on Linux?
Prompt 3
I want to fuzz a Windows image decoder library on Linux using loadlibrary, walk me through the initial setup and a basic fuzzing loop.
Prompt 4
What Windows functions does loadlibrary stub out by default, and how do I add a stub for a missing function?

Verify against the repo before relying on details.