June 2018
Beginner
510 pages
13h 7m
English
Content preview from Learning Malware Analysis
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
2.3 Hollow Process Injection Variations
In the following example, we will look at a malware named Skeeyah, which performs hollow process injection in a slightly different way. This is the same sample which was covered in Chapter 8, Code Injection and Hooking (section 3.6 Hollow Process Injection). The following are the steps performed by Skeeyah:
- It starts the svchost.exe process in the suspended mode. As a result, svchost.exe is loaded into the memory (in this case, at address 0x1000000).
- It determines the base address of svchost.exe by reading PEB.ImageBaseAddress and then deallocates the executable section of svchost.exe.
- Instead of allocating memory in the same region where the svchost.exe was previously loaded (0x1000000), it allocates ...