1. InfoconDB
  2. DEF CON
  3. DEF CON 32 (2024)
  4. Traumatic Library Loading : If you want to use it, you have to implement it...

Traumatic Library Loading : If you want to use it, you have to implement it...

Presented at DEF CON 32 (2024), Aug. 9, 2024, 9 a.m. (240 minutes).

DLL Loading is one of the most important parts of the Windows system. When you install, run, use, or hack a system, you will always use DLL. This DLL mechanism has been exploited for several years for malware development through several techniques : DLL injection, DLL sideloading, Reflective DLL but do you really know how Windows is loading a DLL ? Do you know how it links all sections ? Which structures are used to store internally ? How does it resolve dependencies ? And are you able to design your own Perfect DLL Loader that fully integrate with the WIN32API? In this workshop, you will lose you sanity and dive into the Windows DLL mechanism. Armed with your decompiler and your brain, step by step, you will build your own (almost) Perfect DLL loader. You will try to load from the simple AMSI.DLL to the most complexe WINHTTP.DLL. At each step, you will dive deeper into the Windows DLL Loader and the Windows Internals. Malware developers, you will be able to use this code as a PE loader that never failed me for the last years and a DLL loader that does not raise the LoadImage kernel callback you can use on your own C2 beacon. WARNING: while this is a windows internal DISCOVERY discovery course, it is still a HIGHLY TECHNICAL workshop. You should have some entry-level knowledge on Windows systems, C programing and reverse engineering to fully enjoy the workshop. It is expected from the student to bring a laptop with either a Windows 10 or Windows 10 VM, a C compiler (Mingw or MSVC), a decompiler (IDA Free or Ghidra), the WinDBG debugger and the Sysinternals suite. I will personally use the following toolchain : WIN10, MSVC, IDA, WinDBG Preview.

Presenters:

  • Yoann Dequeker - Red Team Operator at Wavestone
    Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone entitle with OSCP and CRTO certification. Aside from his RedTeam engagements and his contributions to public projects such as Impacket, he spends time working on Malware Development to ease beacon deployment and EDR bypass during engagements and is currently developing a fully custom C2. His research leads him to present his results on several conferences such as LeHack (Paris), Insomni'hack (Swiss) or even through a 4-hour malware workshop at Defcon31 (Las Vegas). All along the year, he publishes several white papers on the techniques he discovered or upgraded and the vulnerabilities he found on public products.

Similar Presentations: