A tool for generating Windows DLL proxies with automatic export forwarding.
Now available as a PyPI package!
The DLL Proxy Generator creates fully functional Visual Studio C++ projects that can intercept calls to any Windows DLL. This enables various scenarios including:
- Function call interception and monitoring
- API hooking and modification
- DLL replacement without changing application code
- Debugging and reverse engineering
DLL proxying works by creating a DLL with the same name and exports as the original, but which forwards calls to the actual implementation DLL (renamed or relocated). The proxy sits between the application and the real DLL, allowing you to:
- Intercept function calls
- Modify parameters or return values
- Log API usage
- Forward calls to the original implementation
- Windows operating system
- Python 3.7+
- Visual Studio (for building the generated projects)
Install directly from PyPI:
```
pip install dllproxy
```
Alternatively, clone the source:
```
# Clone the repository
git clone https://github.com/gilgoolon/dllproxy.git
cd dllproxy
# Install the package
pip install -e .
```
Once installed, you can use the dllproxy-generate command-line tool:
```
dllproxy-generate -s <source_dll> -d <worker_dll> -o <output_directory>
```
Where:
- `<source_dll>` is the path to the DLL you want to proxy
- `<worker_dll>` is the path where the original DLL will be relocated
- `<output_directory>` is where the proxy project will be generated
If you don't need the source or simply want to build, use:
```
dllproxy-generate -s <source_dll> -d <worker_dll> -b
```

```
# Generate a proxy for kernel32.dll
dllproxy-generate -s C:\Windows\System32\kernel32.dll -d C:\Windows\System32\malicious_dll.dll -o .\KernelProxy
```

| Option | Description |
|---|---|
| `-s, --source-dll` | Path to the DLL to proxy (required) |
| `-d, --worker-dll` | Path to the actual implementation DLL (required) |
| `-o, --output` | Output directory for the generated project |
| `-b, --build` | Build the project after generation |
| `-p, --platform` | Target platform (x86 or x64, default: x64) |
The proxy DLL keeps a worker thread alive indefinitely; the thread keeps trying to start the destination worker DLL.
Additionally, the worker thread tries to call a `run` function on the destination worker DLL. Provide your "main" entry point/logic there:
```cpp
void __cdecl run();
```
Don't forget to export it at ordinal 1.
A system-wide mutex (with a constant GUID) ensures that only one instance of the destination DLL is loaded at a time.
Source.def declares the name of the source DLL.
Calls into the worker DLL are guarded so that exceptions from it are caught, which keeps the proxy safe.
You can modify the generated proxy to add custom logic:
- Open the generated project in Visual Studio
- Edit the function implementations in the source files
- Add your custom code before/after forwarding calls to the original DLL
The template includes hooks for adding logging to all function calls:
```cpp
// Example of adding logging to a proxied function
BOOL WINAPI CreateProcessW_Proxy(/* parameters */) {
    // Log the call
    LogFunctionCall("CreateProcessW", /* parameters */);
    // Forward to original implementation
    return Original_CreateProcessW(/* parameters */);
}
```
To deploy your proxy:
- Build the proxy DLL
- Rename the original DLL to match your worker DLL path if needed
- Place your proxy DLL in the original location
- The application will now load your proxy instead
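The deployment steps above leave a recognizable footprint on disk: a DLL name whose content changed while its previous content still sits in the same directory under another name. The following is an added example, not part of the dllproxy project, showing a baseline comparison that flags that layout; the function names `snapshot` and `find_proxy_swaps` are hypothetical.

```python
import hashlib
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Map lower-cased DLL file name -> SHA-256 for every *.dll in a directory."""
    return {p.name.lower(): sha256_of(p)
            for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_proxy_swaps(baseline, current):
    """Compare two snapshots and report DLL names whose content changed.

    A finding is 'proxy-swap' when the baseline content of a changed DLL is
    now present under a name that did not hold it before (the renamed
    original), which is the layout the deployment steps above produce.
    Other content changes are 'modified' so updates can be triaged apart.
    """
    by_hash = {}
    for name, digest in current.items():
        by_hash.setdefault(digest, []).append(name)
    findings = []
    for name, old_digest in sorted(baseline.items()):
        if current.get(name) in (None, old_digest):
            continue  # removed or unchanged: nothing was replaced in place
        # Ignore names that already carried this content in the baseline
        # (pre-existing duplicate copies are not a renamed original).
        moved_to = sorted(n for n in by_hash.get(old_digest, [])
                          if n != name and baseline.get(n) != old_digest)
        kind = "proxy-swap" if moved_to else "modified"
        findings.append({"dll": name, "kind": kind, "original_now_at": moved_to})
    return findings
```

Take the baseline with `snapshot()` on a known-good install and compare on a schedule; `modified` findings also fire on legitimate updates and need separate triage.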
- Missing exports: Ensure the proxy exports all functions from the original DLL
- DLL loading issues: Check that the worker DLL path is correct and accessible
- Build errors: Verify Visual Studio and required components are installed
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- pefile for PE file parsing