> On Windows, using the equivalent of LD_PRELOAD makes all the antiviruses go crazy.
There is no such thing on modern-day Windows.
There used to be AppInit DLLs, but that 'feature' was broken to a degree that no legitimate application would have used it anyways and it likely wasn't a malware author's first choice either.
Further, by the time you place a backdoor such as this, you would have neutralized any antivirus software. This used to be done by 'patching' them and turning their update process into something that did essentially nothing after any download. No idea what the state of the art is here for either.
This is a backdoor after all, not a vector. As a backdoor you mostly care about humans noticing you messed with their system. You have defeated and subverted the machine and now need to keep the meat ignorant. So you want to avoid having random suspiciously named files lying around or weird extraneous processes showing up. Even the most technologically illiterate users know to watch for weird processes.
There are a number of ways. For example, shell extensions. Even Chrome, which took great care to not load them, missed a few, which I used to get my DLL running inside Chrome without the antivirus complaining. This was some years ago; I don't know if they fixed this (and it is not really a bug, it is by design, sort of).
> you would have neutralized any antivirus software.
That is extremely difficult and fragile. Much better to just not trigger it in the first place by behaving like a "normal" app. The user is also much more likely to notice a non-updating antivirus than some random process.
If the program is coded properly or compiled with a recent compiler/headers, it will search System32 (or SysWoW64) first before its own directory. In other words, it might or might not depending on how the program-in-question is compiled/coded.
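A defender-side check that follows from the search-order point above, added here as an example and not code from anyone in the thread: it lists every loaded module whose file name also exists in System32 or SysWOW64 but which was loaded from somewhere else, which is the classic footprint of a DLL that won the search order against the system copy. The directory list, the `Signed` column and the tolerance for access-denied processes are my assumptions.

```powershell
# Added example (not from the thread): find "shadowed" system DLLs, i.e. modules that
# share a name with a DLL in System32/SysWOW64 but were loaded from another path.
$sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Build a lookup of DLL names that live in the system directories.
$sysDlls = @{}
foreach ($d in $sysDirs) {
    Get-ChildItem -Path $d -Filter *.dll -ErrorAction SilentlyContinue |
        ForEach-Object { $sysDlls[$_.Name.ToLower()] = $true }
}

$findings = foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    $mods = $null
    # Protected or cross-bitness processes refuse module enumeration; skip them.
    try { $mods = $p.Modules } catch { continue }
    foreach ($m in $mods) {
        $name = $m.ModuleName.ToLower()
        $path = $m.FileName
        if (-not $sysDlls.ContainsKey($name)) { continue }   # not a system DLL name
        $inSys = $false
        foreach ($d in $sysDirs) {
            if ($path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inSys = $true }
        }
        if (-not $inSys) {
            [pscustomobject]@{
                Process    = $p.ProcessName
                PID        = $p.Id
                Module     = $m.ModuleName
                LoadedFrom = $path
                # Signature status helps triage: a vendor-shipped runtime copy is usually signed.
                Signed     = (Get-AuthenticodeSignature -FilePath $path).Status
            }
        }
    }
}

$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

Expect benign hits for runtime libraries that applications ship alongside their own binaries (C runtime DLLs are the usual case); an unsigned hit under a user-writable directory is the one worth a closer look.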