[Code-Crunchers] TinyPE Yet Again
Gil Dabah
arkon at ragestorm.net
Tue Jan 22 12:09:58 CST 2008
Well, that trick saved lots of space. However, in the beginning I wanted
to get kernel32's base from the modules list and call LoadLibrary, but
the former proved better. WinExec won't run a file named simply 'f', and
even if LoadLibrary does, then I won't be needing the exports, but
rather WebDAV again, which AFAIK isn't supported on all systems by
default, and this is a great concern, since the functionality becomes
limited.

So you used a UNC path, right? I still see this version as a match for
yours, unless I'm mistaken here in my assumptions.

Peter Ferrie wrote:
>> Same old rules:
>> http://www.ragestorm.net/blogs/?p=47
>>
>> Peter, I owed you that one ;)
>>
>
> Importing a forwarded export from your own export table. That's a very cool trick.
> I see that you're still using WinExec. No need for that if the downloaded file is a DLL. Just use LoadLibrary() on it instead.
> You can also rename the file from ".exe" to 'f' or something, and save more bytes.
> It doesn't break the rules. ;-) That's how I got to 232. I'm sure that you can do better with your new version.
>
> _______________________________________________
> Code-Crunchers mailing list
> Code-Crunchers at whitestar.linuxbox.org
> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers