Reflective DLL loading
Definition
A technique that loads a Windows DLL directly from memory without registering it with the OS loader. The DLL maps its own sections and resolves its own imports. Because no file is written to disk and no entry appears in the standard loaded-module list, it is a common method for staging payloads in memory.
Related terms
- LiME (Linux Memory Extractor): A loadable kernel module that acquires physical memory from Linux, macOS, and Android systems. It maps the physical address space and either...
- Order of volatility: The sequence in which digital evidence should be collected, ranked from most to least transient. Defined in RFC 3227. CPU registers and...
- Physical memory image: A byte-for-byte copy of all installed RAM on a running system, acquired at the hardware or kernel level. Contains all data structures,...
- Process injection: A technique used by malware and attackers to execute code inside the address space of a legitimate running process. Common methods include...
- Volatility Framework: An open-source memory forensics framework written in Python. It parses raw memory images using OS-specific symbol information to reconstruct kernel data structures...
Explained in
- Memory Acquisition and Analysis in Incident Response