2

Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing

In Chapter 1, From Source to Binaries – The Journey of a C Program, we saw how C/C++ source is compiled, linked, and packaged into an executable for the operating system. In this chapter, we will explain how the loader maps a PE file from disk into process memory, write a PE parser, build a compact linker (tinyLinker), run malware inside the process of a system service, and infect game programs.

In this chapter, we’re going to cover the following main topics:

  • How the static contents of a PE file are laid out in memory
  • PE Parser example
  • Dynamic file mapping
  • PE infection (PE Patcher) example
  • tinyLinker example
  • Examples of process hollowing
  • PE files to HTML
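The first three topics in the list (static PE layout, the PE parser, and file mapping) share one idea: the bytes of a section sit at PointerToRawData on disk but are mapped to VirtualAddress in memory, so every address the parser sees (entry point, imports, patched code) has to be translated between the two views. The following C program is an added example for this chapter introduction; it is not the book's PE Parser from the GitHub repository. It re-declares the handful of header offsets it needs from the PE/COFF specification instead of including windows.h, so it builds on any platform, and it parses a small PE32 image that is constructed in memory (the `build_sample_pe` helper, the field values, and the two-section layout are all constructed for the example). The parser bounds-checks every read, which is the property you want before pointing it at a file you did not build yourself.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PE_MAX_SECTIONS 16

/* Offsets below follow the PE/COFF spec (IMAGE_DOS_HEADER, IMAGE_NT_HEADERS,
   IMAGE_SECTION_HEADER in winnt.h); the optional-header fields read here sit
   at the same offsets in PE32 and PE32+. */
typedef struct { char name[9]; uint32_t rva, virt_size, raw_ptr, raw_size; } pe_section_t;
typedef struct {
    int is_pe32plus; uint16_t nsections;
    uint32_t entry_rva, section_align, file_align, size_of_image, size_of_headers;
    pe_section_t sec[PE_MAX_SECTIONS];
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the static (on-disk) headers. Returns 0 on success, a negative code if
   the buffer is not a well-formed PE; every read is bounds-checked against len. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t nt = rd32(buf + 0x3C);                                 /* e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 64) return -2;              /* room for signature + file hdr + opt hdr */
    if (rd32(buf + nt) != 0x00004550) return -3;                    /* "PE\0\0" */
    const uint8_t *fh = buf + nt + 4, *opt = fh + 20;               /* IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER */
    uint16_t magic = rd16(opt), opt_size = rd16(fh + 16);
    if (magic != 0x10B && magic != 0x20B) return -4;                /* PE32 / PE32+ */
    out->is_pe32plus = (magic == 0x20B);
    out->nsections = rd16(fh + 2);
    out->entry_rva = rd32(opt + 16);  out->section_align = rd32(opt + 32);
    out->file_align = rd32(opt + 36); out->size_of_image = rd32(opt + 56);
    out->size_of_headers = rd32(opt + 60);
    size_t sect = (size_t)(opt - buf) + opt_size;                   /* section table follows the optional header */
    if (out->nsections > PE_MAX_SECTIONS || sect > len || (len - sect) / 40 < out->nsections) return -5;
    for (unsigned i = 0; i < out->nsections; i++) {
        const uint8_t *s = buf + sect + 40u * i;                    /* one 40-byte IMAGE_SECTION_HEADER */
        memcpy(out->sec[i].name, s, 8); out->sec[i].name[8] = '\0';
        out->sec[i].virt_size = rd32(s + 8);  out->sec[i].rva = rd32(s + 12);
        out->sec[i].raw_size = rd32(s + 16);  out->sec[i].raw_ptr = rd32(s + 20);
    }
    return 0;
}

/* Where an RVA lives on disk. Headers map 1:1; section bytes sit at
   PointerToRawData; anything past SizeOfRawData (e.g. .bss) exists only in
   memory, zero-filled by the loader, and has no file offset: returns -1. */
int64_t pe_rva_to_offset(const pe_info_t *pe, uint32_t rva)
{
    if (rva < pe->size_of_headers) return rva;
    for (unsigned i = 0; i < pe->nsections; i++) {
        const pe_section_t *s = &pe->sec[i];
        uint32_t span = s->virt_size > s->raw_size ? s->virt_size : s->raw_size;
        if (rva >= s->rva && rva - s->rva < span)
            return rva - s->rva < s->raw_size ? (int64_t)s->raw_ptr + (rva - s->rva) : -1;
    }
    return -1;
}

/* Constructed sample (not from the book's repository): a minimal PE32 with a
   .text section and a .data section that is larger in memory than on disk. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    if (cap < 0x600) return 0;
    memset(buf, 0, 0x600);
    memcpy(buf, "MZ", 2);  wr32(buf + 0x3C, 0x40);                  /* e_lfanew: NT headers at 0x40 */
    memcpy(buf + 0x40, "PE", 2);
    uint8_t *fh = buf + 0x44, *opt = fh + 20, *sec = opt + 0xE0;
    wr16(fh, 0x14C);  wr16(fh + 2, 2);  wr16(fh + 16, 0xE0);  wr16(fh + 18, 0x0102);
    wr16(opt, 0x10B);          wr32(opt + 16, 0x1000);  wr32(opt + 28, 0x400000);
    wr32(opt + 32, 0x1000);    wr32(opt + 36, 0x200);   wr32(opt + 56, 0x3000);
    wr32(opt + 60, 0x200);
    /* .text: 0x40 bytes of code in one 0x200-byte file block at offset 0x200 */
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x40);  wr32(sec + 12, 0x1000);
    wr32(sec + 16, 0x200);   wr32(sec + 20, 0x200); wr32(sec + 36, 0x60000020);
    /* .data: 0x400 bytes in memory, only 0x200 on disk at offset 0x400 */
    sec += 40;
    memcpy(sec, ".data", 5); wr32(sec + 8, 0x400); wr32(sec + 12, 0x2000);
    wr32(sec + 16, 0x200);   wr32(sec + 20, 0x400); wr32(sec + 36, 0xC0000040);
    buf[0x200] = 0xC3;                                              /* entry point: a lone ret */
    return 0x600;
}

int main(void)
{
    uint8_t buf[0x600]; pe_info_t pe;
    size_t n = build_sample_pe(buf, sizeof buf);
    if (pe_parse(buf, n, &pe) != 0) return 1;
    printf("%s: %u sections, entry RVA 0x%X -> file offset 0x%llX\n", pe.is_pe32plus ? "PE32+" : "PE32",
           pe.nsections, pe.entry_rva, (unsigned long long)pe_rva_to_offset(&pe, pe.entry_rva));
    for (unsigned i = 0; i < pe.nsections; i++)
        printf("  %-8s RVA 0x%04X VirtualSize 0x%04X -> raw 0x%04X (0x%X bytes)\n", pe.sec[i].name,
               pe.sec[i].rva, pe.sec[i].virt_size, pe.sec[i].raw_ptr, pe.sec[i].raw_size);
    printf("RVA 0x2300 (inside .data VirtualSize, past its raw data): %lld\n", (long long)pe_rva_to_offset(&pe, 0x2300));
    return 0;
}
```

To run it against a real file, replace `build_sample_pe` with a read of the file into `buf` and keep the `len` you actually read; the parser's checks on `e_lfanew`, the optional-header magic and the section-table size are exactly the places where a hostile or truncated PE would otherwise drive an unchecked parser out of bounds. The `-1` result for RVA 0x2300 is the file-mapping caveat this chapter relies on later: a patch that writes into the virtual-only tail of a section has nowhere to land in the file, so a PE patcher must either stay inside SizeOfRawData or grow the section on disk first.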

Sample programs

The sample programs mentioned in this chapter are available on GitHub, where you can download the exercises: https://github.com/PacktPublishing/Windows-APT-Warfare/tree/main/chapter%2302 ...
