[Code-Crunchers] TinyPE Yet Again
Peter Ferrie
pferrie at symantec.com
Tue Jan 22 12:23:36 CST 2008
>Well, that trick saved lots of space. However, in the beginning I wanted
>to get kernel32's base from the modules list and call LoadLibrary, but
>the former proved better. WinExec won't run a file named simply 'f' and
>even if LoadLibrary does, then I won't be needing the exports, but
>rather WebDAV again.
Forget about WebDAV - you have to download it first. That's your rule.
However, you can use LoadLibrary on the downloaded file, and it will execute the DllMain (if it's a DLL, of course). It's just like WinExec would execute the WinMain, but you don't need the WinExec import anymore.
You could try grabbing LoadLibrary at runtime instead of WinExec. Then your import table will be smaller.
There's a smaller possible decryption method, too. It saves one byte, but I'll let you guess what it is. ;-)
>So you used a UNC path, right? I still see this version as a match for
>yours, unless I'm mistaken here in my assumptions.
No, I used the original URL that you required. I just changed the filename part.