Win11 - LoadLibraryExA - Load_Library_Require_Signed_Target - Error 127

Trying to load some windows Api’s using LoadLibraryExA with the Load_Library_Require_Signed_Target and I’m getting Error 127 ERROR_PROC_NOT_FOUND The specified procedure could not be found.

If I dont use the Load_Library_Require_Signed_Target flag, everything loads just fine.

Cant see any explanation for this in the online docs

So wondered if anyone else has encountered this?

Machine is connected to the web at the time the program is loaded.

Loads ‘Kernel32.DLL’,‘GetModuleFileNameExA’ without Load_Library_Require_Signed_Target

Wont load ‘Kernel32.DLL’,‘K32GetModuleFileNameExA’ with or without Load_Library_Require_Signed_Target

C11 Libmaker sees ‘K32GetModuleFileNameExA’

TIA

Edit.

Should add, I’m using Load_Library_Require_Signed_Target with Load_Library_Search_System32 eg
Load_Library_Require_Signed_Target + Load_Library_Search_System32

I can’t tell from this is LoadLibraryEx w/ Load_Library_Require_Signed_Target flag actually loads the DLL or not?

If you’re getting an error from GetProcAddress then it implies that either the DLL isn’t loaded or the procedure name is wrong.
Does GetProcAddress work if you just use LoadLibrary?

Yes. Whats odd, is it works without the Load_Library_Require_Signed_Target and I cant see or find any more info on this flag, like how it actually works.

There is a possibility it might only work with GroupPolicy because GPO’s can block apps if the program certificate rule doesnt match whats stored in the GPO, and I’m on win11 Home which has no GPO’s. Other than that I cant find anything slightly related.

This is the code:

ISEQ:LoadLibraryEx:Dont_Resolve_Dll_References            Equate(00000001h) !Static Imports not loaded if EXE
ISEQ:LoadLibraryEx:Load_Ignore_Code_Authz_Level           Equate(00000010h) !bypass applocker or group policy rules, use for setup programs. Must be running as TrustedInstaller or LocalSystem and is security risk!
ISEQ:LoadLibraryEx:Load_Library_As_DataFile               Equate(00000002h)
ISEQ:LoadLibraryEx:Load_Library_As_DataFile_Exclusive     Equate(00000040h)
ISEQ:LoadLibraryEx:Load_Library_As_Image_Resource         Equate(00000020h)
ISEQ:LoadLibraryEx:Load_Library_Search_Application        Equate(00000200h)
ISEQ:LoadLibraryEx:Load_Library_Search_Default_Dirs       Equate(00001000h)
ISEQ:LoadLibraryEx:Load_Library_Search_Dll_Load_Dll       Equate(00000100h)
ISEQ:LoadLibraryEx:Load_Library_Search_System32           Equate(00000800h)
ISEQ:LoadLibraryEx:Load_Library_Search_User_Dirs          Equate(00000400h)
ISEQ:LoadLibraryEx:Load_With_Altered_Search_path          Equate(00000008h) ! if used, absolute path in the filename is used and uses altered search stategy. if relative path, behaviour is "undefined"
ISEQ:LoadLibraryEx:Load_Library_Require_Signed_Target     Equate(00000080h) ! Dlls need to be signed
ISEQ:LoadLibraryEx:Load_Library_Safe_Current_Dirs         Equate(00002000h) ! use dlls in current directory, provided current directory is in the Safe load list, what ever that is!

! No flag used makes LoadLibraryExA work like LoadLibraryA if loading a dll and doesnt call DLLMain

    Module('WinApi')    ! LoadLibrarysEx & FreeLibrarysEx
ISWA_LoadLibraryExA( <CONST *Cstring>, Long = 0, Long ), HModule, Pascal, Raw, Name( 'LoadLibraryExA' )
!ISWA_LoadLibraryExA( Long, Long = 0, Long ), HModule, Pascal, Name( 'LoadLibraryExA' )
ISWA_CallWindowProcA(Long,Ulong,Ulong,Ulong,Long),Long,Pascal,Name('CallWindowProcA')
ISWA_GetProcAddress(Long,Long),Long,Raw,Pascal,Name('GetProcAddress')
ISWA_FreeLibrary(Long),Bool,Raw,Pascal,Name('FreeLibrary')
    End

    Loc:LoadLibrarySearchFlags      =   ISEQ:LoadLibraryEx:Load_Library_Search_System32 !+ |
                                        !ISEQ:LoadLibraryEx:Load_Library_Require_Signed_Target

LoadLibraryEx   Procedure(String pDllFilename, String pProcedureName )

    Code

    LLQ:DLLFilename         = pDllFilename
    LLQ:LoadLibraryHandle   = ISWA_LoadLibraryExA( LLQ:DLLFilename, 0, Loc:LoadLibrarySearchFlags )
    !LLQ:LoadLibraryHandle   = ISWA_LoadLibraryExA( Address(LLQ:DLLFilename), 0, Loc:LoadLibrarySearchFlags )
    IF LLQ:LoadLibraryHandle
        LLQ:ProcedureName       = pProcedureName
        LLQ:ProcedureAddress    = ISWA_GetProcAddress( LLQ:LoadLibraryHandle, Address( LLQ:ProcedureName ) )
        IF LLQ:ProcedureAddress = 0
            LLQ:ProcedureName       = pProcedureName & ' Error : '
            LLQ:ProcedureAddress    = ISWA_GetLastError()
        End
    Else
        LLQ:DLLFilename         = pDllFilename & ' Error : ' 
        LLQ:LoadLibraryHandle   = ISWA_GetLastError()
    End
    Add( GLO:LoadLibraryQ )

Not sure if this is still valid, you’d have to use a tool on the DLL and look at the PE header to see if it has the flags set as this implies.

https://learn.microsoft.com/en-us/answers/questions/1189539/loadlibraryexw-returns-error-invalid-image-hash-on

PS C:\WINDOWS\system32> Get-AuthenticodeSignature -FilePath "C:\WINDOWS\system32\Kernel32.DLL"


    Directory: C:\WINDOWS\system32


SignerCertificate                         Status                                                    Path
-----------------                         ------                                                    ----
AEB9B61E47D91C42FFF213992B7810A3D562FB12  Valid                                                     Kernel32.DLL

I’ll see if I can track a working powershell script or tool to get the PE Header DLLCharacteristics and see if IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080)` is present or not.

Thanks!