Windows 10 PE image loader (LDR) NTDLL component toolbox
Toolbox to assist debugging, tracing and memory inspection of the Windows PE image loader (LDR) NTDLL component.
$(SolutionDir)bin\$(Configuration)\ folder to remote machine
LoaderWatch.CLI.exe [executable], executable is notepad.exe by default
Note: you will likely need to start LoaderWatch.CLI.exe as administrator at least once for each executable you want to debug (to set ShowSnaps flag in registry for the executable image).
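The ShowSnaps note above corresponds to the documented loader-snaps global flag (FLG_SHOW_LDR_SNAPS, 0x2), stored per image under Image File Execution Options. The PowerShell below is an added example, not LoaderWatch's own code: it assumes this standard GlobalFlag value is what the tool sets, and the function names Get-LoaderSnaps and Set-LoaderSnaps are hypothetical.

```powershell
# Added example: inspect or toggle the loader-snaps bit for one image.
# Assumption: "ShowSnaps" is the standard NT global flag FLG_SHOW_LDR_SNAPS (0x2)
# kept in the per-image GlobalFlag value; LoaderWatch's own code is not shown on the page.
$FLG_SHOW_LDR_SNAPS = 0x2
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-LoaderSnaps {
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. notepad.exe
    $key = Join-Path $IfeoRoot $ImageName
    $flags = 0
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name GlobalFlag -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $flags = $prop.GlobalFlag }
    }
    [pscustomobject]@{
        Image      = $ImageName
        GlobalFlag = ('0x{0:X8}' -f $flags)
        ShowSnaps  = [bool]($flags -band $FLG_SHOW_LDR_SNAPS)
    }
}

function Set-LoaderSnaps {
    param(
        [Parameter(Mandatory)][string]$ImageName,
        [bool]$Enabled = $true
    )
    # HKLM is writable only from an elevated session, hence the administrator note.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session.'
    }
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-LoaderSnaps -ImageName $ImageName).GlobalFlag -as [uint32]
    # Change only bit 0x2 so other global flags already set for the image survive.
    $new = if ($Enabled) {
        $current -bor $FLG_SHOW_LDR_SNAPS
    } elseif ($current -band $FLG_SHOW_LDR_SNAPS) {
        $current -bxor $FLG_SHOW_LDR_SNAPS
    } else {
        $current
    }
    Set-ItemProperty -Path $key -Name GlobalFlag -Value $new -Type DWord
    Get-LoaderSnaps -ImageName $ImageName
}

Get-LoaderSnaps -ImageName 'notepad.exe'                      # read-only check
# Set-LoaderSnaps -ImageName 'notepad.exe'                    # enable before debugging
# Set-LoaderSnaps -ImageName 'notepad.exe' -Enabled $false    # clear it afterwards
```

Clearing the bit after a session keeps the image from emitting loader debug output on later runs.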
Note: you might need to create C:\Symbols directory to preserve PDB files.
Note: .NET Core 3.0 will not suffice.
Note: unless you publish LoaderWatch.CLI as a self-contained application, the exact same .NET Core version must be installed on the remote machine.
Note: if you do not install the kernel-mode driver, LoaderWatch will continue to work in a very limited mode (no module injection, private method hooking or features dependent on the aforementioned components).
Note: no explicit or implicit commercial usage is allowed in any way due to point 1.
Note: the Windows 10 LDR internals .NET type model is based on non-free non-public knowledge and is subject to the latest (June 2018) Microsoft Windows 10 EULA. Educational use only.