[Code-Crunchers] TinyPE Yet Again
Gil Dabah
arkon at ragestorm.net
Wed Jan 23 16:05:25 CST 2008

The beauty of export-forwarding is that I don't need LoadLibrary :) I
can simply redirect my export to load the downloaded file.

I still didn't figure out the decryption thingy, will have to give it
more thought then.

Anyways, 227 bytes ATM.

Peter Ferrie wrote:
>> Well, that trick saved lots of space. However, in the beginning I wanted
>> to get kernel32's base from the modules list and call LoadLibrary, but
>> the former proved better. WinExec won't run a file named simply 'f' and
>> even if LoadLibrary does, then I won't be needing the exports, but
>> rather WebDAV again.
>>
>
> Forget about WebDAV - you have to download it first. That's your rule.
> However, you can use LoadLibrary on the downloaded file, and it will execute the DLLMain (if it's a DLL, of course). It's just like WinExec would execute the WinMain, but you don't need the WinExec import anymore.
>
> You could try grabbing LoadLibrary at runtime instead of WinExec. Then your import table will be smaller.
>
> There's a smaller possible decryption method, too. It saves one byte, but I'll let you guess what it is. ;-)
>
>
>> So you used a UNC path, right? I still see this version as a match for
>> yours, unless I'm mistaken here in my assumptions.
>>
>
> No, I used the original URL that you required. I just changed the filename part.
>
> _______________________________________________
> Code-Crunchers mailing list
> Code-Crunchers at whitestar.linuxbox.org
> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
>
>
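
Added example, not part of the original thread or of either poster's code: a triage helper that lists forwarded exports in a PE image and flags forwarders whose target module is not on an expected list. An export entry whose RVA falls inside the export directory is a forwarder string, and the loader loads the named module when that export is resolved. Assumptions: the image is laid out as mapped (RVA == offset), EXPECTED_MODULES is a hypothetical allowlist, and the sample buffer is constructed for illustration.

```python
import struct

# Hypothetical allowlist of forwarder target modules expected in this environment.
EXPECTED_MODULES = {"ntdll", "kernelbase"}

def forwarded_exports(image, dir_rva, dir_size):
    """Return [(ordinal, forwarder_string)] for every forwarded export.

    Assumes `image` is laid out as mapped in memory (RVA == file offset).
    Out-of-range table pointers raise struct.error instead of being trusted.
    """
    # IMAGE_EXPORT_DIRECTORY: Base at +16, NumberOfFunctions at +20,
    # AddressOfFunctions at +28.
    base, n_funcs = struct.unpack_from("<II", image, dir_rva + 16)
    (funcs_rva,) = struct.unpack_from("<I", image, dir_rva + 28)
    dir_end = dir_rva + dir_size
    found = []
    for i in range(n_funcs):
        (rva,) = struct.unpack_from("<I", image, funcs_rva + 4 * i)
        # An export RVA inside the export directory points at a
        # "MODULE.Function" forwarder string rather than at code.
        if dir_rva <= rva < dir_end:
            nul = image.find(b"\0", rva, dir_end)
            raw = image[rva:nul if nul != -1 else dir_end]
            found.append((base + i, raw.decode("ascii", "replace")))
    return found

def unexpected_forwarders(forwarders):
    """Keep forwarders whose module part is not on the allowlist (heuristic)."""
    return [(o, t) for o, t in forwarders
            if t.rpartition(".")[0].lower() not in EXPECTED_MODULES]

def build_sample():
    """Constructed export directory: one code export and two forwarders."""
    strings = b"NTDLL.RtlAllocateHeap\0" + b"f.Run\0"
    dir_rva, funcs_rva = 0x100, 0x128          # directory is 40 bytes long
    str_rva = funcs_rva + 3 * 4                # strings follow the 3-entry table
    image = bytearray(0x200)
    struct.pack_into("<II", image, dir_rva + 16, 1, 3)   # Base, NumberOfFunctions
    struct.pack_into("<I", image, dir_rva + 28, funcs_rva)
    struct.pack_into("<III", image, funcs_rva, 0x1000, str_rva, str_rva + 22)
    image[str_rva:str_rva + len(strings)] = strings
    return bytes(image), dir_rva, str_rva + len(strings) - dir_rva

if __name__ == "__main__":
    for ordinal, target in unexpected_forwarders(forwarded_exports(*build_sample())):
        print(f"ordinal {ordinal} forwards to unexpected module: {target}")
```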