Thread: Bot's core: exe VS dll

so, interesting question (at least for me).

how better to store core of bot? as executable, or as dll?

exe:
+ easier to crypt
+ easier to code
+ easier to spread
- easier to detect and analyze
- more suspicious
- we must hide processes and files (injection or rootkit)

dll:
+ less suspicious
+ easier to hide (we don't need injection)
- we need external dropper (as result, spreading is more difficult)
- harder to crypt (we partially can bypass it by polymorph code obfuscator)
- harder to code. kinda

Well I guess DLL would be better, as the dll infecting and autorunning features are not as famous as the exe ones.

Originally Posted by Pernat1y

- we need external dropper (as result, spreading is more difficult)

you can use bin2c to convert the dll and then add it in the exe and spread the exe, no need for external dropper

Originally Posted by Unregistered

you can use bin2c to convert the dll and then add it in the exe and spread the exe, no need for external dropper

so the exe is an external dropper

You can just use my shellcode generator in the C++ section to make the shellcode for ya (Btw. detection depends on how you code your program, meaning how you call API's and in what order. Some modern AV's detect some program based on what calls you make and the calls before it.)

Anyway, I'd say it's easyer to code something UD in C / C++