{"version":"1.0","provider_name":"RiskInsight","provider_url":"https:\/\/www.riskinsight-wavestone.com\/en\/","title":"LoadLibrary madness: dynamically load WinHTTP.dll - RiskInsight","type":"rich","width":600,"height":338,"html":"<blockquote class=\"wp-embedded-content\" data-secret=\"klhqoB2rk6\"><a href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/10\/loadlibrary-madness-dynamically-load-winhttp-dll\/\">LoadLibrary madness: dynamically load WinHTTP.dll<\/a><\/blockquote><iframe sandbox=\"allow-scripts\" security=\"restricted\" src=\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/10\/loadlibrary-madness-dynamically-load-winhttp-dll\/embed\/#?secret=klhqoB2rk6\" width=\"600\" height=\"338\" title=\"&#8220;LoadLibrary madness: dynamically load WinHTTP.dll&#8221; &#8212; RiskInsight\" data-secret=\"klhqoB2rk6\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" class=\"wp-embedded-content\"><\/iframe><script type=\"text\/javascript\">\n\/* <![CDATA[ *\/\n\/*! 
This file is auto-generated *\/\n!function(d,l){\"use strict\";l.querySelector&&d.addEventListener&&\"undefined\"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!\/[^a-zA-Z0-9]\/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret=\"'+t.secret+'\"]'),o=l.querySelectorAll('blockquote[data-secret=\"'+t.secret+'\"]'),c=new RegExp(\"^https?:$\",\"i\"),i=0;i<o.length;i++)o[i].style.display=\"none\";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(\"style\"),\"height\"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):\"link\"===t.message&&(r=new URL(s.getAttribute(\"src\")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(\"message\",d.wp.receiveEmbedMessage,!1),l.addEventListener(\"DOMContentLoaded\",function(){for(var e,t,s=l.querySelectorAll(\"iframe.wp-embedded-content\"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(\"data-secret\"))||(t=Math.random().toString(36).substring(2,12),e.src+=\"#?secret=\"+t,e.setAttribute(\"data-secret\",t)),e.contentWindow.postMessage({message:\"ready\",secret:t},\"*\")},!1)))}(window,document);\n\/\/# sourceURL=https:\/\/www.riskinsight-wavestone.com\/wp-includes\/js\/wp-embed.min.js\n\/* ]]> *\/\n<\/script>\n","thumbnail_url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/10\/Fond.jpg","thumbnail_width":1688,"thumbnail_height":1125,"description":"For the last few weeks, I was developing a full custom Command and Control (C2). 
This C2 uses several Windows DLLs for network communication, especially WINHTTP.DLL, which handles the HTTP requests used for the HTTP and HTTPS listener. As everyone knows, when developing a C2 and the corresponding agent, OPSEC must be the priority, so the agent code must raise as few (ETW) events as possible. The most common way to increase OPSEC when using an external DLL is to perform dynamic loading to avoid getting the loaded DLL name in the source code. This can be done using the LoadLibrary Win32 API."}