[Code-Crunchers] 137 bytes
Peter Ferrie
pferrie at symantec.com
Tue Nov 7 12:56:42 CST 2006
> I didn't follow the rules about importing only KERNEL32.DLL
> and obfuscating all strings, but my PE file downloads and
> executes a payload from the Internet without actually using
> any code. That's gotta be worth some points :-)
:-) That's cool.
Why is the idata size present? AFAIK, no Windows version checks it.
Four bytes shorter, then (stop at the idata rva non-zero byte)?
It's a shame that idata is at 0x80 bytes from the PE header, because
the requirement is not that kernel32.dll is loaded explicitly, but
that it is present in memory. Thus, gdi32.dll, which loads
kernel32.dll, works just as well for the dll name.
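
Added example, not part of the original message or thread: a defender-side triage check for the header layout discussed above. It reads the import data directory entry (0x80 from the PE signature for PE32, 0x90 for PE32+) and reports the traits mentioned here: a file that ends inside that entry and an import RVA with no size. The function names, the zero-fill for bytes past end of file, and the sample bytes are assumptions made for this example; the sample is a constructed header stub, not a loadable file.

```python
# Offset of the import data directory entry, measured from the "PE\0\0" signature:
# 4 (signature) + 20 (COFF header) + data directory start in the optional header + 8.
IMPORT_ENTRY = {0x10B: 0x80, 0x20B: 0x90}  # optional header magic: PE32, PE32+

def read_le(data, off, width):
    """Little-endian read; bytes past end of file count as zero (assumption)."""
    return int.from_bytes(data[off:off + width].ljust(width, b"\0"), "little")

def triage_import_directory(data):
    """Return the import directory RVA/size plus header anomalies worth a second look."""
    result = {"rva": None, "size": None, "findings": []}
    if data[:2] != b"MZ":
        result["findings"].append("no MZ signature")
        return result
    pe = read_le(data, 0x3C, 4)  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        result["findings"].append("no PE signature at e_lfanew")
        return result
    entry = IMPORT_ENTRY.get(read_le(data, pe + 24, 2))
    if entry is None:
        result["findings"].append("unknown optional header magic")
        return result
    if pe < 0x40:
        result["findings"].append("PE header overlaps the 64-byte DOS header")
    rva_off = pe + entry
    result["rva"] = read_le(data, rva_off, 4)
    result["size"] = read_le(data, rva_off + 4, 4)
    if len(data) < rva_off + 8:
        result["findings"].append("file ends inside or before the import directory entry")
    if result["rva"] and result["size"] == 0:
        result["findings"].append("import RVA set but import size is zero")
    return result

def constructed_sample():
    """Constructed stub: only the fields read above are filled in."""
    buf = bytearray(133)
    buf[0:2] = b"MZ"
    buf[4:8] = b"PE\0\0"                      # PE header placed at offset 4
    buf[28:30] = (0x10B).to_bytes(2, "little")  # PE32 magic at pe + 24
    buf[0x3C:0x40] = (4).to_bytes(4, "little")  # e_lfanew = 4
    buf[0x84] = 0x7C                            # constructed non-zero import RVA byte
    return bytes(buf)

if __name__ == "__main__":
    print(triage_import_directory(constructed_sample()))
```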