{"id":9440,"date":"2024-09-06T22:46:24","date_gmt":"2024-09-06T22:46:24","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9440"},"modified":"2024-09-06T22:51:11","modified_gmt":"2024-09-06T22:51:11","slug":"the-art-of-underdlloading","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/09\/06\/the-art-of-underdlloading\/","title":{"rendered":"The art of underDLLoading"},"content":{"rendered":"\n

In my previous post<\/a> I created a posh artisan .exe file ornamented with a large number of intricate system32 DLL imports. The process of building that file was painful – before I even managed to run the final executable I had to troubleshoot a number issues – many of which I didn’t even expect (missing DLLs, missing manifest, random crashes, etc.).<\/p>\n\n\n\n

In the process of sculpting it I decided to kick off a parallel mini project that would look at the problem from a different angle — instead of a single file, I decided to generate a lot of test executable files, where each of these files would import just ONE single DLL from the system32 directory + the kernel32 as I needed it for its ExitProcess <\/em>API. I then ran all these compiled files one by one. The original idea was to isolate and troubleshoot problematic DLLs, but to my surprise, I got some other interesting results.<\/p>\n\n\n\n

First of all, with the real-time detection on, Windows Defender started picking up on some of these executables one by one:<\/p>\n\n\n\n