[Dailydave] UNC imports in PE files
Barrie Dempster
barrie at reboot-robot.net
Wed Nov 8 13:57:16 Local tim 2006
On Tuesday 07 November 2006 10:59, Solar Eclipse wrote:
<snip>
> What you probably don't know is that you can use a full UNC path instead of
> a DLL name in the import section of a PE file. When the file is executed,
> the loader will try to access the imported DLL using the UNC path and the
> WebDAV redirector will download the DLL from the Internet.
Whilst using this technique to decrease PE size is quite interesting, I'd be
willing to bet most here would already be aware of the redirector
functionality when loading DLLs, as it was pointed out by Dave Litchfield
over a year ago.
www.ngssoftware.com/papers/xpms.pdf
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
- http://reboot-robot.net -
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1902 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20061108/5ce7d4a5/attachment.bin
More information about the Dailydave
mailing list