As you probably know, loadlibrary by
@taviso can load Windows DLLs - including Windows Defender's mpengine.dll - on Linux.
Since the loader needed some debugging I ended up figuring out how to load the Linux-native mpclient into
#Ghidra's debugger and use it to debug the PE module too:
https://github.com/v-p-b/loadlibrary/blob/x64_waffle/GHIDRA.md
This can spare an IDA license and performing dark arts with awk and gas... which is actually pretty badass, so if you want to keep doing that without IDA here's a Ghidra script too:
https://gist.github.com/v-p-b/c7d934234297158047b678f655c7d99f