This is pretty noisy as backdoors go. I wouldn't call this stealthy.
It places a whole bunch of files in various locations, is running as a separate process, and doesn't do https properly.
It's surprising really, when LD_PRELOAD'ing your malware into an existing process is way stealthier. Preferably one that nobody will bat an eyelash at for making TCP connections.
The best ones will probably hide in (places such as) your initial ramdisk, be invisible when the system is running, and copy themselves into the new ramdisk whenever you generate a new one.
Anyways. This isn't 'stealthy'. Not at all. It's hardly the bare minimum.
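The LD_PRELOAD injection mentioned above has a straightforward defender-side check. The following is an added example, not code from anyone in this thread: it parses `/etc/ld.so.preload` and the `LD_PRELOAD` variable from `/proc/<pid>/environ` blobs and flags entries outside the system library directories. The trusted directory list and the sample data are constructed assumptions.

```python
import os
from typing import List, Tuple

# Assumed: directories where legitimately preloaded libraries normally live.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def preloads_from_environ(environ: bytes) -> List[str]:
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            # ld.so accepts both ':' and whitespace as separators
            return [p for p in value.replace(":", " ").split() if p]
    return []


def preloads_from_ld_so_preload(text: str) -> List[str]:
    """Parse /etc/ld.so.preload: library paths separated by whitespace/':' with '#' comments."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        libs.extend(line.replace(":", " ").split())
    return libs


def is_suspicious(lib: str) -> bool:
    """Flag any preload that is not an absolute path inside a system library directory.
    Bare names resolve via the search path, and user-writable locations are worth a look."""
    return not lib.startswith(TRUSTED_LIB_DIRS)


def scan_system() -> List[Tuple[str, str]]:
    """Audit a live Linux host: /etc/ld.so.preload plus every readable /proc/<pid>/environ."""
    findings: List[Tuple[str, str]] = []
    try:
        with open("/etc/ld.so.preload") as f:
            libs = preloads_from_ld_so_preload(f.read())
        findings += [("ld.so.preload", lib) for lib in libs if is_suspicious(lib)]
    except OSError:
        pass
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                libs = preloads_from_environ(f.read())
        except OSError:
            continue  # process exited or not readable by this user
        findings += [(f"pid {pid}", lib) for lib in libs if is_suspicious(lib)]
    return findings


# Constructed sample inputs (not captured from a real host).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so:/usr/lib/libasan.so.6\0HOME=/root\0"
SAMPLE_PRELOAD_FILE = "# system ld.so.preload\n/usr/lib/libfoo.so\n/var/tmp/libx.so  # appended\n"

if __name__ == "__main__":
    for where, lib in scan_system():
        print(f"{where}: suspicious LD_PRELOAD entry {lib}")
```

Running it as root gives coverage of every process; an unprivileged run only sees the caller's own processes, which is itself a reason to schedule the check from a privileged audit job.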
On Windows, using the equivalent of LD_PRELOAD makes all the antiviruses go crazy.
One way around this, if you insist, is tricking another app into loading you instead of forcing your way in; this looks more legit.
But the best way to stay undetected is to behave as a regular innocent program and not use any tricks at all. These days, when computers have hundreds of processes running, nobody is going to notice another one.
For network communications there are ways of delegating this to other apps, so that you don't trigger the firewall. For example you can write something in the Chrome user profile directory which will make Chrome fetch data for you on the next start.
> On Windows, using the equivalent of LD_PRELOAD makes all the antiviruses go crazy.
There is no such thing on modern-day Windows.
There used to be AppInit DLLs, but that 'feature' was broken to a degree that no legitimate application would have used it anyways and it likely wasn't a malware author's first choice either.
Further, by the time you place a backdoor such as this, you would have neutralized any antivirus software. This used to be done by 'patching' them and turning their update process into something that did essentially nothing after any download. No idea what the state of the art is here for either.
This is a backdoor after all, not a vector. As a backdoor you mostly care about humans noticing you messed with their system. You have defeated and subverted the machine and now need to keep the meat ignorant. So you want to avoid having random suspiciously named files lying around or weird extraneous processes showing up. Even the most technologically illiterate users know to watch for weird processes.
There are a number of ways. For example shell extensions. Even Chrome, which took great care to not load them, missed a few, which I used to get my DLL running inside Chrome without the antivirus complaining. This was some years ago, don't know if they fixed this (and it's not really a bug, it's by design, sort of).
> you would have neutralized any antivirus software.
That is extremely difficult and fragile. Much better to just not trigger it in the first place by behaving like a "normal" app. The user is also much more likely to notice a non-updating antivirus than some random process.
If the program is coded properly or compiled with a recent compiler/headers, it will search System32 (or SysWoW64) first before its own directory. In other words, it might or might not depending on how the program-in-question is compiled/coded.
It depends on what you consider stealth. This is the equivalent of someone social engineering their way into a building by looking like an employee. Are they using stealth? By the definition of the word, I think so.
> Anyways. This isn't 'stealthy'. Not at all. It's hardly the bare minimum.
It's using techniques to encourage people and systems to overlook it when it's noticed. I think that qualifies.