Dive into Windows Library Loading

Presented at DEF CON 33 (2025), Aug. 8, 2025, 2 p.m. (240 minutes).

DLL loading is one of the most important parts of the Windows system. When you install, run, use, or hack a system, you will always use DLLs. This DLL mechanism has been exploited for several years for malware development through several techniques: DLL injection, Reflective DLL. But do you really know how Windows loads a DLL? The sections used, the internal structures, and how the dependencies are resolved? Are you able to design your own Perfect DLL Loader that fully integrates with the WIN32API?

In this workshop, you will dive into the Windows DLL mechanism to understand how all of it works internally. With a decompiler, trial and error, step by step, you will build your own (almost) Perfect DLL loader. You will try to load DLLs from the simple AMSI.DLL to the most complex WINHTTP.DLL. At each step, you will dive deeper into the Windows internals. Malware developers, you will be able to use this code as a PE loader that has never failed me over the last years and a DLL loader that does not raise the LoadImage kernel callback, which you can use in your own C2 beacon.

WARNING: while this is a Windows internals DISCOVERY course, it is still a HIGHLY TECHNICAL workshop. You should have some entry-level knowledge of Windows systems, C programming and reverse engineering to fully enjoy the workshop.

Presenters:

  • Yoann "OtterHacker" DEQUEKER - RedTeam Leader at Wavestone
    Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone who holds the OSCP and CRTO certifications. Aside from his RedTeam engagements and his contributions to public projects such as Impacket, he spends time working on malware development to ease beacon deployment and EDR bypass during engagements, and is currently developing a fully custom C2. His research has led him to present his results at several conferences such as LeHack (Paris), Insomni'hack, BlackAlps (Switzerland) or even through a 4-hour malware workshop at Defcon31 and Defcon32 (Las Vegas). Throughout the year, he publishes several white papers on the techniques he has discovered or upgraded and the vulnerabilities he has found in public products.
