Learning Malware Analysis by Monnappa K A

2.3 Hollow Process Injection Variations

In the following example, we will look at a malware sample named Skeeyah, which performs hollow process injection in a slightly different way. This is the same sample that was covered in Chapter 8, Code Injection and Hooking (section 3.6 Hollow Process Injection). The following are the steps performed by Skeeyah:

  • It starts the svchost.exe process in suspended mode. As a result, svchost.exe is loaded into memory (in this case, at address 0x1000000).
  • It determines the base address of svchost.exe by reading PEB.ImageBaseAddress and then deallocates the executable section of svchost.exe.
  • Instead of allocating memory in the same region where the svchost.exe was previously loaded (0x1000000), it allocates ...
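Because this variant unmaps the original image section and places the injected executable at a different address, a memory-forensics check can catch it by cross-referencing PEB.ImageBaseAddress against the process's memory map (the VAD in Windows). The following Python is an added illustration, not code from the book or from any analysis tool; the memory-map records and the 0x400000 address of the new allocation are constructed, and the hollowed sample assumes the malware repoints PEB.ImageBaseAddress at that allocation (the check also reports the case where the PEB still points at the deallocated 0x1000000 region).

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MemoryRegion:
    """One entry of a process's memory map (a VAD node, in Windows terms)."""
    base: int
    size: int
    protection: str             # e.g. "PAGE_EXECUTE_WRITECOPY"
    mapped_file: Optional[str]  # backing file for image mappings, None for private memory

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def find_region(regions: List[MemoryRegion], addr: int) -> Optional[MemoryRegion]:
    return next((r for r in regions if r.contains(addr)), None)

def check_hollowing(exe_name: str, peb_image_base: int,
                    regions: List[MemoryRegion]) -> List[str]:
    """Cross-check PEB.ImageBaseAddress against the memory map and report anomalies."""
    findings = []
    hit = find_region(regions, peb_image_base)
    if hit is None:
        findings.append(f"PEB.ImageBaseAddress 0x{peb_image_base:x} is not inside any region "
                        "(original image section deallocated)")
    elif hit.mapped_file is None:
        findings.append(f"PEB.ImageBaseAddress 0x{peb_image_base:x} points to private memory, "
                        "not a file-backed image")
    # A legitimate process keeps a file-backed mapping of its own executable.
    if not any(r.mapped_file and r.mapped_file.lower().endswith(exe_name.lower()) for r in regions):
        findings.append(f"no file-backed mapping of {exe_name} remains in the process")
    # Private memory that is both writable and executable is where an injected PE would live.
    for r in regions:
        if r.mapped_file is None and r.protection == "PAGE_EXECUTE_READWRITE":
            findings.append(f"private RWX region at 0x{r.base:x} (size 0x{r.size:x})")
    return findings

# Constructed sample data. Addresses follow the text: svchost.exe originally at 0x1000000.
SVCHOST = r"\Windows\System32\svchost.exe"
NTDLL = r"\Windows\System32\ntdll.dll"
CLEAN_REGIONS = [
    MemoryRegion(0x1000000, 0x8000, "PAGE_EXECUTE_WRITECOPY", SVCHOST),
    MemoryRegion(0x7C900000, 0xB2000, "PAGE_EXECUTE_WRITECOPY", NTDLL),
]
# Hollowed (constructed): the 0x1000000 image mapping is gone and a private RWX
# allocation at a different address (0x400000, assumed) holds the injected executable.
HOLLOWED_REGIONS = [
    MemoryRegion(0x400000, 0x6000, "PAGE_EXECUTE_READWRITE", None),
    MemoryRegion(0x7C900000, 0xB2000, "PAGE_EXECUTE_WRITECOPY", NTDLL),
]

if __name__ == "__main__":
    print(check_hollowing("svchost.exe", 0x1000000, CLEAN_REGIONS))  # []
    for f in check_hollowing("svchost.exe", 0x400000, HOLLOWED_REGIONS):
        print("ALERT:", f)
```

The same comparison is what memory-forensics tooling performs when it contrasts PEB-derived module lists with VAD-derived ones: a mismatch between where the PEB says the executable lives and what the memory map actually backs with a file is the signature of this variation.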
