Dive into Windows Library Loading
Event description
Dive into Windows Library Loading
Level of Instruction: Advanced
Instructed by: Yoann "OtterHacker" DEQUEKER
Abstract:
DLL Loading is one of the most important parts of the Windows system. When you install, run, use, or hack a system, you will always use DLL. This DLL mechanism has been exploited for several years for malware development through several techniques : DLL injection, Reflective DLL but do you really know how Windows is loading a DLL ? The sections used, the internal structures and how the dependencies are resolved. Are you able to design your own Perfect DLL Loader that fully integrate with the WIN32API?
In this workshop, you will dive into the Windows DLL mechanism to understand how all of it works internally. With a decompiler, trial and errors, step by step, you will build your own (almost) Perfect DLL loader.
You will try to load from the simple AMSI.DLL to the most complex WINHTTP.DLL. At each step, you will dive deeper into the Windows Internals.
Malware developers, you will be able to use this code as a PE loader that never failed me for the last years and a DLL loader that does not raise the LoadImage kernel callback you can use on your own C2 beacon.
WARNING: while this is a windows internal DISCOVERY course, it is still a HIGHLY TECHNICAL workshop. You should have some entry-level knowledge on Windows systems, C programing and reverse engineering to fully enjoy the workshop.
Tickets for good, not greed Humanitix dedicates 100% of profits from booking fees to charity
