In a recent assumed breach assessment I came across an environment that enforced the PowerShell “RemoteSigned” execution policy via Group Policy. “RemoteSigned” execution policy requires that all scripts and configuration files downloaded from the Internet are digitally signed by a trusted publisher.

After completing Sektor7’s Malware Development/Evasion track last year, I’ve decided to start 2023 with the long-awaited Red Team Ops 2 (RTO2) from Zero-Point Security, which is a prerequisite course for obtaining the Certified Red Team Lead (CRTL) certification.

Being already aware of the quality of Zero-Point Security courses after completing the RTO1 and the awesome “C2 Development in C#”, I was looking forward to seeing what rastamouse had to offer on RTO2… 👀

Whenever an imported function is used in our PE executable, the PE loader will have to somehow resolve and store the address of that function in the Import Address Table (IAT), for later reference. Other tables participate in the process, such as the Import Lookup Table (ILT) and the Import Directory Table (IDT).

Let’s dive a bit into PE imports!

To understand how the PE loader finds addresses of functions exported by DLLs, we need to talk about Export Address Table (EAT).

Here I write a few words about EAT in a PE file format.

Sometimes people ask me “how can I get started in offensive security area? (pentesting/red team)”. And I must confess that it has been quite challenging to answer that question. I would love to have a silver bullet for questions like this, but unfortunately I don’t… as we know, offensive security is a broad area, with many ramifications and particularities.

However, when thinking more about it, I could identify some points that can certainly help those who are starting in the area and that, despite being nothing new, are sometimes underestimated or even ignored.

As I’ve always repeated these same points in private messages for this kind of question, why not share them here for anyone who might be interested? 😁