
32bit_KernelBase_Ntdll

LoadLibrary_sysWOW64

Kernel32.dll (SysWOW64)

-- KernelBase.dll


-----------------------------------------------------------------------------------------------------

# LoadLibrary

LoadLibraryA -> LoadLibraryExA -> Unicode conversion -> LoadLibraryExW

LoadLibraryW -> LoadLibraryExW

LoadLibraryExA -> Unicode conversion -> LoadLibraryExW

Every variant ends in LoadLibraryExW, which in turn calls ntdll's LdrLoadDll. A hook placed only on LoadLibraryA therefore never sees a caller that enters at LoadLibraryExW or LdrLoadDll directly; the common choke point is LdrLoadDll.


- LoadLibraryA(LPCSTR lpLibFileName)

1. Checks that lpLibFileName is present.

2. Calls LoadLibraryExA(lpLibFileName, 0, 0); (hFile = NULL, dwFlags = 0).

-----------------------------------------------------------------------------------------------------

- LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)

LSA_UNICODE_STRING UnicodeString; (the decompiler's type name; same layout as UNICODE_STRING: Length, MaximumLength, Buffer)

1. sub_100FCCAA(&UnicodeString, (int)lpLibFileName)

- Presumably the function that converts the lpLibFileName string to Unicode.

-----------------------------------------------------------------------------------------------------

- sub_100FCCAA(Pointer_UNICODE_STRING DestinationString, int a2)

1. Converts the string to Unicode via RtlAnsiStringToUnicodeString, which fills DestinationString's Length and MaximumLength (both in bytes) and allocates the wide-character Buffer. This confirms the guess above about what sub_100FCCAA does.

-----------------------------------------------------------------------------------------------------

2. Calls LoadLibraryExW(UnicodeString.Buffer, hFile, dwFlags); with the NUL-terminated wide buffer passed on as LPCWSTR.

-----------------------------------------------------------------------------------------------------

- LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)

1. When dwFlags is 0:

LdrLoadDll(&v11, Source.Buffer, dwFlags & 0x7F08 | 1, &v11, &Source, &v12);

LdrLoadDll takes four parameters and is stdcall.

v11 is held in ecx, so it is dropped from the argument list:

LdrLoadDll(Source.Buffer, dwFlags & 0x7F08 | 1, &v11, &Source, &v12);

In C, & binds tighter than |, so the flag value passed is (dwFlags & 0x7F08) | 1: bit 0 is always set, and only bit 0x8 and bits 0x100 through 0x4000 of dwFlags survive the mask. Source is the UNICODE_STRING built from lpLibFileName, and v12 receives the loaded module's base (see step 2). Note that the rewritten call still lists five arguments against a four-parameter prototype, so which four the decompiler has actually matched should be confirmed in the disassembly.
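The conversion described for LoadLibraryExA / sub_100FCCAA above and the flag expression passed to LdrLoadDll here, as an added stand-alone C model (not KernelBase or ntdll code). It defines its own UNICODE_STRING_T with the real 32-bit UNICODE_STRING layout so it builds without <windows.h>; the function names ansi_to_unicode_string, conversion_is_consistent, status_for_name_length and ldr_flags_from_loadlibrary_flags are mine, the 1:1 byte widening stands in for the real code-page conversion (an assumption), and the over-long name is constructed input.

```c
/* Added example (not KernelBase/ntdll code): a portable model of the
 * ANSI -> UNICODE_STRING step LoadLibraryExA performs before handing the
 * name to LoadLibraryExW, plus the flag mask LoadLibraryExW applies before
 * LdrLoadDll. A private UNICODE_STRING-like struct replaces <windows.h>. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of ntdll's UNICODE_STRING: both lengths are in BYTES; Length excludes
 * the terminating NUL, MaximumLength is the buffer size including it. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING_T;

/* Real NTSTATUS values, used as the return convention. */
#define STATUS_SUCCESS             0x00000000u
#define STATUS_NO_MEMORY           0xC0000017u
#define STATUS_INVALID_PARAMETER_2 0xC00000F0u

/* Widen a NUL-terminated 8-bit name into a freshly allocated UNICODE_STRING.
 * Assumption: bytes are widened 1:1 (no code-page tables); the real
 * RtlAnsiStringToUnicodeString goes through the process ANSI code page.
 * On success the caller owns dest->Buffer. */
uint32_t ansi_to_unicode_string(UNICODE_STRING_T *dest, const char *src)
{
    size_t chars = strlen(src);
    size_t bytes = chars * sizeof(uint16_t);   /* payload, without NUL */

    /* Length/MaximumLength are USHORT: a name needing more than 0xFFFF bytes
     * including its NUL cannot be described, so reject it rather than
     * truncating it into a different path. */
    if (bytes + sizeof(uint16_t) > UINT16_MAX)
        return STATUS_INVALID_PARAMETER_2;

    dest->Buffer = malloc(bytes + sizeof(uint16_t));
    if (dest->Buffer == NULL)
        return STATUS_NO_MEMORY;

    for (size_t i = 0; i < chars; i++)
        dest->Buffer[i] = (uint16_t)(unsigned char)src[i];
    dest->Buffer[chars] = 0;

    dest->Length        = (uint16_t)bytes;
    dest->MaximumLength = (uint16_t)(bytes + sizeof(uint16_t));
    return STATUS_SUCCESS;
}

void free_unicode_string(UNICODE_STRING_T *s)
{
    free(s->Buffer);
    s->Buffer = NULL;
    s->Length = s->MaximumLength = 0;
}

/* Checks the invariants LoadLibraryExW relies on when it passes
 * UnicodeString.Buffer on: correct byte lengths and a NUL terminator. */
int conversion_is_consistent(const char *src)
{
    UNICODE_STRING_T us;
    size_t n = strlen(src);
    if (ansi_to_unicode_string(&us, src) != STATUS_SUCCESS)
        return 0;
    int ok = us.Length == n * 2 && us.MaximumLength == us.Length + 2
          && us.Buffer[n] == 0;
    for (size_t i = 0; ok && i < n; i++)
        ok = us.Buffer[i] == (unsigned char)src[i];
    free_unicode_string(&us);
    return ok;
}

/* Status for a synthetic name of `chars` 'a' characters (constructed input). */
uint32_t status_for_name_length(size_t chars)
{
    char *name = malloc(chars + 1);
    if (name == NULL) return STATUS_NO_MEMORY;
    memset(name, 'a', chars);
    name[chars] = '\0';
    UNICODE_STRING_T us;
    uint32_t st = ansi_to_unicode_string(&us, name);
    if (st == STATUS_SUCCESS) free_unicode_string(&us);
    free(name);
    return st;
}

/* The expression the decompiler showed in LoadLibraryExW. In C, & binds
 * tighter than |, so this is (dwFlags & 0x7F08) | 1: only bit 0x8 and bits
 * 0x100..0x4000 of dwFlags survive, and bit 0 is always set. */
uint32_t ldr_flags_from_loadlibrary_flags(uint32_t dwFlags)
{
    return (dwFlags & 0x7F08u) | 1u;
}

int main(void)
{
    UNICODE_STRING_T us;
    if (ansi_to_unicode_string(&us, "kernel32.dll") == STATUS_SUCCESS) {
        printf("Length=%u MaximumLength=%u\n", us.Length, us.MaximumLength);
        free_unicode_string(&us);
    }
    printf("status for 40000-char name: 0x%08X\n", status_for_name_length(40000));
    printf("LdrLoadDll flags for dwFlags=0: 0x%X\n", ldr_flags_from_loadlibrary_flags(0));
    return 0;
}
```

The length limit is the practical point: a 16-bit Length means a name of 32767 or more characters cannot be represented, and the failure should surface as an error rather than as a silently shortened path. The flag assertions use the public winbase.h values (0x8 = LOAD_WITH_ALTERED_SEARCH_PATH, 0x800 = LOAD_LIBRARY_SEARCH_SYSTEM32, 0x2/0x20/0x40 = the data-file and image-resource flags), which the mask keeps and clears respectively.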

-----------------------------------------------------------------------------------------------------

- LdrLoadDll(__int16 a1, _DWORD *a2, int a3, _DWORD *a4)

 sub_4B2C9CF8(*(_DWORD *)(a3+4), a1, &v9);

&v9 is initialized beforehand with memset(a3, 0, 80); (80 bytes zeroed).

If a3 is the UNICODE_STRING pointer (&Source from the call above), then *(_DWORD *)(a3+4) is its Buffer field: in the 32-bit layout Length and MaximumLength occupy the first 4 bytes and Buffer sits at offset 4.

...

-----------------------------------------------------------------------------------------------------

2. Returns v12, which LdrLoadDll filled in: the loaded module's base address, i.e. the HMODULE.

-----------------------------------------------------------------------------------------------------


