{
	"id": "ca12c0bf-89e3-44e5-9193-f81c9c9948eb",
	"created_at": "2026-04-06T00:06:21.510635Z",
	"updated_at": "2026-04-10T03:24:29.081014Z",
	"deleted_at": null,
	"sha1_hash": "ca084f1c244f486599fed3b71701f438fa1b6f6e",
	"title": "LoadLibraryA function (libloaderapi.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69172,
	"plain_text": "LoadLibraryA function (libloaderapi.h) - Win32 apps\r\nBy karl-bridge-microsoft\r\nArchived: 2026-04-02 12:19:01 UTC\r\nLoads the specified module into the address space of the calling process. The specified module may cause other\r\nmodules to be loaded.\r\nFor additional load options, use the LoadLibraryEx function.\r\nSyntax\r\nHMODULE LoadLibraryA(\r\n [in] LPCSTR lpLibFileName\r\n);\r\nParameters\r\n[in] lpLibFileName\r\nThe name of the module. This can be either a library module (a .dll file) or an executable module (an .exe file). If\r\nthe specified module is an executable module, static imports are not loaded; instead, the module is loaded as if by\r\nLoadLibraryEx with the DONT_RESOLVE_DLL_REFERENCES flag.\r\nThe name specified is the file name of the module and is not related to the name stored in the library module itself,\r\nas specified by the LIBRARY keyword in the module-definition (.def) file.\r\nIf the string specifies a full path, the function searches only that path for the module.\r\nIf the string specifies a relative path or a module name without a path, the function uses a standard search strategy\r\nto find the module; for more information, see the Remarks.\r\nIf the function cannot find the module, the function fails. When specifying a path, be sure to use backslashes (\\),\r\nnot forward slashes (/). For more information about paths, see Naming a File or Directory.\r\nIf the string specifies a module name without a path and the file name extension is omitted, the function appends\r\nthe default library extension \".DLL\" to the module name. To prevent the function from appending \".DLL\" to the\r\nmodule name, include a trailing point character (.) in the module name string.\r\nReturn value\r\nIf the function succeeds, the return value is a handle to the module.\r\nIf the function fails, the return value is NULL. To get extended error information, call GetLastError.\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya\r\nPage 1 of 4\n\nTo enable or disable error messages displayed by the loader during DLL loads, use the SetErrorMode function.\r\nLoadLibrary can be used to load a library module into the address space of the process and return a handle that\r\ncan be used in GetProcAddress to get the address of a DLL function. LoadLibrary can also be used to load other\r\nexecutable modules. For example, the function can specify an .exe file to get a handle that can be used in\r\nFindResource or LoadResource. However, do not use LoadLibrary to run an .exe file. Instead, use the\r\nCreateProcess function.\r\nIf the specified module is a DLL that is not already loaded for the calling process, the system calls the DLL's\r\nDllMain function with the DLL_PROCESS_ATTACH value. If DllMain returns TRUE, LoadLibrary returns a\r\nhandle to the module. If DllMain returns FALSE, the system unloads the DLL from the process address space and\r\nLoadLibrary returns NULL. It is not safe to call LoadLibrary from DllMain. For more information, see the\r\nRemarks section in DllMain.\r\nModule handles are not global or inheritable. A call to LoadLibrary by one process does not produce a handle\r\nthat another process can use — for example, in calling GetProcAddress. The other process must make its own call\r\nto LoadLibrary for the module before calling GetProcAddress.\r\nIf lpFileName does not include a path and there is more than one loaded module with the same base name and\r\nextension, the function returns a handle to the module that was loaded first.\r\nIf no file name extension is specified in the lpFileName parameter, the default library extension .dll is appended.\r\nHowever, the file name string can include a trailing point character (.) to indicate that the module name has no\r\nextension. When no path is specified, the function searches for loaded modules whose base name matches the base\r\nname of the module to be loaded. If the name matches, the load succeeds. Otherwise, the function searches for the\r\nfile.\r\nThe first directory searched is the directory containing the image file used to create the calling process (for more\r\ninformation, see the CreateProcess function). Doing this allows private dynamic-link library (DLL) files\r\nassociated with a process to be found without adding the process's installed directory to the PATH environment\r\nvariable. If a relative path is specified, the entire relative path is appended to every token in the DLL search path\r\nlist. To load a module from a relative path without searching any other path, use GetFullPathName to get a\r\nnonrelative path and call LoadLibrary with the nonrelative path. For more information on the DLL search order,\r\nsee Dynamic-Link Library Search Order.\r\nThe search path can be altered using the SetDllDirectory function. This solution is recommended instead of using\r\nSetCurrentDirectory or hard-coding the full path to the DLL.\r\nIf a path is specified and there is a redirection file for the application, the function searches for the module in the\r\napplication's directory. If the module exists in the application's directory, LoadLibrary ignores the specified path\r\nand loads the module from the application's directory. If the module does not exist in the application's directory,\r\nLoadLibrary loads the module from the specified directory. For more information, see Dynamic Link Library\r\nRedirection.\r\nIf you call LoadLibrary with the name of an assembly without a path specification and the assembly is listed in\r\nthe system compatible manifest, the call is automatically redirected to the side-by-side assembly.\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya\r\nPage 2 of 4\n\nThe system maintains a per-process reference count on all loaded modules. Calling LoadLibrary increments the\r\nreference count. Calling the FreeLibrary or FreeLibraryAndExitThread function decrements the reference count.\r\nThe system unloads a module when its reference count reaches zero or when the process terminates (regardless of\r\nthe reference count).\r\nWindows Server 2003 and Windows XP:  The Visual C++ compiler supports a syntax that enables you to\r\ndeclare thread-local variables: _declspec(thread). If you use this syntax in a DLL, you will not be able to load the\r\nDLL explicitly using LoadLibrary on versions of Windows prior to Windows Vista. If your DLL will be loaded\r\nexplicitly, you must use the thread local storage functions instead of _declspec(thread). For an example, see\r\nUsing Thread Local Storage in a Dynamic Link Library.\r\nDo not use the SearchPath function to retrieve a path to a DLL for a subsequent LoadLibrary call. The\r\nSearchPath function uses a different search order than LoadLibrary and it does not use safe process search mode\r\nunless this is explicitly enabled by calling SetSearchPathMode with\r\nBASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE. Therefore, SearchPath is likely to first search\r\nthe user’s current working directory for the specified DLL. If an attacker has copied a malicious version of a DLL\r\ninto the current working directory, the path retrieved by SearchPath will point to the malicious DLL, which\r\nLoadLibrary will then load.\r\nDo not make assumptions about the operating system version based on a LoadLibrary call that searches for a\r\nDLL. If the application is running in an environment where the DLL is legitimately not present but a malicious\r\nversion of the DLL is in the search path, the malicious version of the DLL may be loaded. Instead, use the\r\nrecommended techniques described in Getting the System Version.\r\nExamples\r\nFor an example, see Using Run-Time Dynamic Linking.\r\nNote\r\nThe libloaderapi.h header defines LoadLibrary as an alias that automatically selects the ANSI or Unicode version\r\nof this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that is not encoding-neutral can lead to mismatches that result in compilation or runtime\r\nerrors. For more information, see Conventions for Function Prototypes.\r\nRequirements\r\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps only]\r\nMinimum supported server Windows Server 2003 [desktop apps only]\r\nTarget Platform Windows\r\nHeader libloaderapi.h (include Windows.h)\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya\r\nPage 3 of 4\n\nRequirement Value\r\nLibrary Kernel32.lib\r\nDLL Kernel32.dll\r\nSee also\r\nDllMain\r\nDynamic-Link Library Functions\r\nFindResource\r\nFreeLibrary\r\nGetProcAddress\r\nGetSystemDirectory\r\nGetWindowsDirectory\r\nLoadLibraryEx\r\nLoadResource\r\nRun-Time Dynamic Linking\r\nSetDllDirectory\r\nSetErrorMode\r\nSource: https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya"
	],
	"report_names": [
		"nf-libloaderapi-loadlibrarya"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433981,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca084f1c244f486599fed3b71701f438fa1b6f6e.pdf",
		"text": "https://archive.orkl.eu/ca084f1c244f486599fed3b71701f438fa1b6f6e.txt",
		"img": "https://archive.orkl.eu/ca084f1c244f486599fed3b71701f438fa1b6f6e.jpg"
	}
}