Windows PE (DLL / PPL)

The Windows PE (DLL / PPL) agent is a native Windows implant in Control Pack designed to operate as a DLL-based payload instead of a standalone executable.

It provides two operational modes:

  • DLL + PPL bypass implant

  • DLL library implant

Both options focus on executing code from inside an existing process context, rather than launching a separate EXE, helping reduce visibility and improve operational flexibility.

An optional UnHooker binary can also be included to reduce interference from user-mode monitoring.


Agent Types

When generating this agent, Control Pack provides two options under Agent type:

DLL library implant

This option generates a standard DLL-based implant that can be loaded into a process and executed as a library payload.

This mode is more suitable when:

  • A DLL-based implant is required

  • PPL-specific behavior is not necessary

  • A simpler in-process execution method is sufficient

It still avoids the need to run a visible standalone executable.

DLL + PPL bypass implant

This option generates a DLL implant designed to execute in a trusted process context. It includes techniques intended to operate in environments where additional protections, such as Protected Process Light (PPL) constraints, may be present.

This mode is intended for scenarios where:

  • A higher-trust execution context is desired

  • Additional protection mechanisms are expected

  • Stealth and stability are more important than simplicity

It is typically used in more advanced scenarios.


Optional UnHooker Binary

When enabled, the generated implant includes an additional component designed to remove user-mode API hooks that may be introduced by:

  • Security monitoring tools

  • Endpoint protection software

  • Instrumentation frameworks

This helps:

  • Reduce interference during execution

  • Improve stability

  • Avoid unexpected behavior caused by hooked APIs

The UnHooker is optional and can be enabled only when needed.


Execution Model

Both implant types follow the same general model:

  • The payload is delivered as a DLL, not an EXE

  • Execution occurs inside an existing process context

  • No standalone process needs to be created

  • Disk presence and visible artifacts are reduced compared to traditional executables

This makes these implants useful in environments where launching new binaries is undesirable.
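
For defenders, the execution model above means no new process appears in process-creation telemetry, so image-load events are where a DLL running inside an existing process shows up. The following is an added example, not part of Control Pack or its documentation: a triage over Sysmon Event ID 7 (Image loaded) records, in which the sample events, path lists and threshold are constructed assumptions.

```python
import ntpath

# Assumed path lists; tune them to the environment being monitored.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files")

# Constructed sample records using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\App\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\App\lib.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def review_reasons(event):
    """Return the reasons a DLL load deserves review (empty list = none)."""
    host = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    reasons = []
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if not signed_ok:
        reasons.append("unsigned-or-invalid-signature")
    if any(d in dll for d in USER_WRITABLE):
        reasons.append("user-writable-path")
    # A Windows binary hosting a DLL that lives outside the system roots.
    if host.startswith("c:\\windows\\") and not dll.startswith(SYSTEM_ROOTS):
        reasons.append("system-host-non-system-dll")
    return reasons

def triage(events, min_reasons=2):
    """Keep loads with several independent signals to limit noise."""
    hits = []
    for e in events:
        reasons = review_reasons(e)
        if len(reasons) >= min_reasons:
            hits.append((ntpath.basename(e["Image"]),
                         ntpath.basename(e["ImageLoaded"]), reasons))
    return hits

if __name__ == "__main__":
    for host, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} loaded {dll}: {', '.join(reasons)}")
```

Requiring at least two independent signals keeps unsigned vendor plugins and per-user application installs out of the results while still surfacing a system binary that loads an unsigned DLL from a user-writable directory.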
