Reflective code loading

In-process execution technique where code is loaded into memory without a normal file-based launch path.

Reflective code loading is an in-process execution technique where code is mapped and started directly from memory instead of being launched through a normal file-based path such as a standard executable or DLL load. The loader usually handles its own relocation, import resolution, and initialization, which lets payloads run without leaving an obvious file on disk.

This matters because many security tools still rely on file events, hash reputation, or conventional module loading to spot malware. Attackers use reflective loading to stage shellcode, DLLs, or .NET components in memory, often as part of loaders, RATs, or post-exploitation frameworks. Defenders look for signs such as unusual memory permissions, module-less execution, suspicious API sequences, process injection, and tampering with logging or telemetry. In practice, reflective loading does not make code invisible; it shifts detection toward behavioral monitoring and memory forensics.
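As an added example (not part of the original entry), the sketch below checks for two of the signs named above, unusual memory permissions and module-less execution. It assumes Linux and the `/proc/<pid>/maps` format; the sample mappings and the names `scan_maps` and `Finding` are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in /proc/<pid>/maps format (not captured from a real host).
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a21000 r-xp 00000000 08:01 393242 /usr/bin/example
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a2c000000-7f3a2c004000 r-xp 00000000 00:00 0
7f3a30000000-7f3a30010000 r-xp 00000000 00:01 2049 /memfd:stage (deleted)
7f3a40000000-7f3a401c0000 r-xp 00000000 08:01 400112 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc1a7f0000-7ffc1a7f2000 r-xp 00000000 00:00 0 [vdso]
"""

LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) [0-9a-f]+ \S+ \d+\s*(.*)$")
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}  # executable mappings the kernel provides

class Finding(NamedTuple):
    start: int
    size: int
    perms: str
    path: str
    reasons: tuple

def scan_maps(text):
    """Return executable regions that are writable or lack a normal file backing."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        start, end = int(m[1], 16), int(m[2], 16)
        perms, path = m[3], m[4].strip()
        # Only executable regions matter; skip the kernel-provided ones.
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        reasons = []
        if "w" in perms:
            reasons.append("writable+executable")
        if not path:
            reasons.append("executable, no backing file")
        elif path.startswith("/memfd:") or path.endswith("(deleted)"):
            reasons.append("executable, memfd or deleted backing file")
        if reasons:
            findings.append(Finding(start, end - start, perms, path, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in scan_maps(SAMPLE_MAPS):
        print(f"{f.start:#x} +{f.size:#x} {f.perms} {f.path or '<anonymous>'}: {', '.join(f.reasons)}")
```

JIT runtimes legitimately create anonymous executable memory, so findings are triage leads to confirm with memory forensics rather than verdicts.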
