<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

Dailydave: Re: UNC imports in PE files

Re: UNC imports in PE files

From: Barrie Dempster <barrie_at_reboot-robot.net>
Date: Wed, 8 Nov 2006 13:57:16 +0000

On Tuesday 07 November 2006 10:59, Solar Eclipse wrote:
<snip>
> What you probably don't know is that you can use a full UNC path instead of
> a DLL name in the import section of a PE file. When the file is executed,
> the loader will try to access the imported DLL using the UNC path and the
> WebDAV redirector will download the DLL from the Internet.

Whilst using this technique to decrease PE size is quite interesting, I'd be
willing to bet most here would already be aware of the redirector
functionality when loading DLLs, as it was pointed out by Dave Litchfield
over a year ago.

www.ngssoftware.com/papers/xpms.pdf

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
              - http://reboot-robot.net -
"He who hingeth aboot, geteth hee-haw" Victor - Still Game

_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

application/pkcs7-signature attachment: smime_p7s

Received on Nov 08 2006

This message: [ Message body ]
Next message: Dave Korn: "The Assimilation of Sysinternals"
Previous message: Arun Koshy: "Re: UNC imports in PE files"
In reply to: Solar Eclipse: "UNC imports in PE files"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]