Thanks. So even if an attack succeeds in reflexively loading the dll, the restrictions of CLM still apply?
If you manually map a module into the address space of a process, it doesn't change anything other than that module is not linked to the Process Environment Block's Ldr field. The Ldr field is the start of all the module information... There's a doubly linked list which is accessible in these areas and it holds a list of all the modules loaded in-memory of the current process.
In the past you could actually remove from the list during execution to hide a module which was loaded without manual mapping and it'd pretty much replicate the effect of manually mapping a module but Microsoft changed some things and block this technique now.
Any mitigations for that current process will be applied for code executing under it, whether the module the code belongs to is "visible" or not. Manual mapping isn't actually as stealth as some make out though, it can actually raise more alarm if you're using some home-brew aggressive security product by flagging suspicious executable memory regions and stuff.... VAD memory forensics is good for finding it as well.
So reflectively loading a DLL should have zero effect on bypassing mitigation this or that for whatever. It depends on how it is enforced I guess.
For example:
1. If product A patches function X in process A but manual mapping is used and a copy of function X is in the manually mapped module then the product A may not know about the module load and thus cannot re-patch function X to enforce the patch
2. If product A enforces mitigations for process A but it doesn't rely on knowing about the code in product A to patch it -> still enforced regardless
PowerShell mitigations won't be enforced with user-mode patching like that so it should have zero effect
--
Most people manual mapping don't even understand the simple of theory about it let alone know how to do it themselves anyway. Most just copy paste lol. In fact most I see mentioning it don't even understand it, except a few here at least
It's just replicating the Ldr* NTAPI routines. You literally just re-implement what some Ldr* routines do. It's pretty simple and straight forward but people act like it's some godly creation.
To explain it in most simple way:
It's pretty much just copying code from a DLL across to executable buffer and fixing addresses/offsets -> then invoking the DllMain