Dailydave mailing list archives
Re: UNC imports in PE files
From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 8 Nov 2006 13:57:16 +0000
On Tuesday 07 November 2006 10:59, Solar Eclipse wrote: <snip>
What you probably don't know is that you can use a full UNC path instead of a DLL name in the import section of a PE file. When the file is executed, the loader will try to access the imported DLL using the UNC path and the WebDAV redirector will download the DLL from the Internet.
Whilst using this technique to decrease PE size is quite interesting, I'd be willing to bet most here would already be aware of the redirector functionality when loading DLLs, as it was pointed out by Dave Litchfield over a year ago. www.ngssoftware.com/papers/xpms.pdf -- With Regards.. Barrie Dempster (zeedo) - Fortiter et Strenue - http://reboot-robot.net - "He who hingeth aboot, geteth hee-haw" Victor - Still Game
Attachment:
smime.p7s
Description:
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- UNC imports in PE files Solar Eclipse (Nov 07)
- Re: UNC imports in PE files Arun Koshy (Nov 07)
- Re: UNC imports in PE files Barrie Dempster (Nov 08)