Dailydave mailing list archives

Re: UNC imports in PE files

From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 8 Nov 2006 13:57:16 +0000

On Tuesday 07 November 2006 10:59, Solar Eclipse wrote:
<snip>

What you probably don't know is that you can use a full UNC path instead of
a DLL name in the import section of a PE file. When the file is executed,
the loader will try to access the imported DLL using the UNC path and the
WebDAV redirector will download the DLL from the Internet.



Whilst using this technique to decrease PE size is quite interesting, I'd be 
willing to bet most here would already be aware of the redirector 
functionality when loading DLLs, as it was pointed out by Dave Litchfield 
over a year ago.

www.ngssoftware.com/papers/xpms.pdf

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

              - http://reboot-robot.net -

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

Attachment: smime.p7s
Description:

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

UNC imports in PE files Solar Eclipse (Nov 07)
- Re: UNC imports in PE files Arun Koshy (Nov 07)
- Re: UNC imports in PE files Barrie Dempster (Nov 08)