In the following example, we will look at a malware named Skeeyah, which performs hollow process injection in a slightly different way. This is the same sample which was covered in Chapter 8, Code Injection and Hooking (section 3.6 Hollow Process Injection). The following are the steps performed by Skeeyah:
- It starts the svchost.exe process in suspended mode. As a result, svchost.exe is loaded into memory (in this case, at address 0x1000000).
- It determines the base address of svchost.exe by reading PEB.ImageBaseAddress and then deallocates the executable section of svchost.exe.
- Instead of allocating memory in the same region where svchost.exe was previously loaded (0x1000000), it allocates ...
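As an added example (not the book's or the sample's code) of how an analyst can look for the artefacts these steps leave in a memory image, the following Python models a simplified VAD list and the PEB.ImageBaseAddress of the hollowed process and reports the inconsistencies; the `Vad` class, the addresses and the sample scenario are constructed assumptions, not Volatility's API.

```python
from dataclasses import dataclass

# Simplified, constructed view of a process's VAD regions (assumption: not
# the real kernel structure, just the fields the checks below need).
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Vad:
    start: int           # first address covered by the region
    end: int             # last address covered by the region
    protection: int      # initial page protection of the region
    is_private: bool     # True for private (non file-backed) memory
    has_pe_header: bool  # region begins with an "MZ" header


def vad_for(vads, addr):
    """Return the VAD covering addr, or None if the address is unmapped."""
    for v in vads:
        if v.start <= addr <= v.end:
            return v
    return None


def hollowing_indicators(peb_image_base, vads):
    """Return findings that point at hollow process injection.

    1. PEB.ImageBaseAddress falls in unmapped memory: the original
       executable section was deallocated after the suspended start.
    2. The region at the image base is private memory, not the mapped
       image file (classic hollowing at the original address).
    3. A private RWX region elsewhere holds a PE header: the payload was
       mapped at a different address than the original image.
    """
    findings = []
    base_vad = vad_for(vads, peb_image_base)
    if base_vad is None:
        findings.append(f"image base {peb_image_base:#x} is not mapped")
    elif base_vad.is_private:
        findings.append(f"image base {peb_image_base:#x} is private memory")
    for v in vads:
        if v.is_private and v.protection == PAGE_EXECUTE_READWRITE and v.has_pe_header:
            if base_vad is None or v.start != base_vad.start:
                findings.append(f"private RWX region at {v.start:#x} holds a PE header")
    return findings


# Constructed scenario mirroring the steps: svchost.exe was at 0x1000000,
# that region is now gone, and a PE image sits in private RWX memory elsewhere.
SAMPLE_PEB_IMAGE_BASE = 0x1000000
SAMPLE_VADS = [
    Vad(0x7FFD0000, 0x7FFDFFFF, 0x04, True, False),                   # PEB/TEB area
    Vad(0x00400000, 0x00409FFF, PAGE_EXECUTE_READWRITE, True, True),  # injected image
]

if __name__ == "__main__":
    for finding in hollowing_indicators(SAMPLE_PEB_IMAGE_BASE, SAMPLE_VADS):
        print(finding)
```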